Security breach

Cyber attacks from Chinese IPs aimed at NATO countries surge 116%

Check Point Research has observed an increase in cyber-attacks sourced from Chinese IP addresses since the outbreak of the Russia-Ukraine war
Image: Shutterstock

22 March 2022

Cyber attacks from Chinese IPs on NATO countries jumped 116% after Russia’s invasion into Ukraine, and 72% world-wide. This is according to Check Point Research (CPR), which last week observed an increase in cyber-attacks aimed at NATO countries that were sourced from Chinese IP addresses.

CPR cannot attribute the cyber-attacks to the Chinese entities or to any known Chinese threat actor. The observation indicates a trend that hackers, likely within China and abroad, are increasingly using Chinese IPs as a resource to launch cyber-attacks after the advent of the Russia-Ukraine war.  

Last week, the weekly average of worldwide attacks originating from China per organization was 72% higher than before the invasion and 60% higher than the first three weeks of the conflict. Meanwhile, the weekly average of cyber-attacks sourced from China on NATO corporate networks was 116% higher than before the invasion, and 86% higher than the first three weeks of the war.




CPR said the increase is significantly higher than the overall global increase in cyber-attacks seen during the same timeframes.

“As the Russia-Ukraine conflict intensifies, we grew curious around cyber-attacks originating from China,” said Omer Dembinsky, data group manager at CPR. “We’re seeing significant increases in cyber-attacks that originate from Chinese IP addresses. It’s important to underscore that we cannot make an attribution to the Chinese entities, as it is difficult to determine attribution in cyber security without more evidence. But what is clear is that hackers are using Chinese IPs to launch cyber-attacks world-wide, especially NATO countries.

“The IPs are likely used by hackers within China and abroad. The trend can have many meanings. For example, the increase can indicate where it is now easy or cheap to set up and operate a service or where it is more opportune to hide the real origin of the attack.  It can also indicate how global cyber traffic is being routed at this moment in time. CPR will continue to dig deeper into this trending observation in the weeks ahead. For now, we’re only reporting information on what we see.”

TechCentral Reporters

Read More:

Comments are closed.

Back to Top ↑