New Darktrace Research Shows Evolution of Chinese-Nexus Cyber Operations into Long-Term Strategic Statecraft, Centered on Critical Infrastructure
  • 88% of observed incidents targeted organizations in critical infrastructure sectors, including transportation, telecommunications, healthcare, and manufacturing.
  • Nearly 63% of compromises began with exploitation of internet-facing systems, reinforcing the risk of exposed digital infrastructure.
  • Over half of observed activity impacted Western economies, with the U.S. alone accounting for 22.5% of cases.
Posted: Wednesday, Apr 08

Darktrace, a global leader in AI for cybersecurity, today announced the findings of its new research report, Crimson Echo: Understanding Chinese-nexus Cyber Tradecraft Through Behavioral Analysis. Based on an analysis of three years’ worth of data across its customer base, the report provides a data-driven analysis of how Chinese-nexus cyber activity[1] operates in practice and how it is evolving.

Darktrace’s research reveals a fundamental shift in how cyber risk should be understood. Rather than discrete incidents or short-term breaches, most nation-state operations are designed to establish persistent access to strategically important systems, positioning cyber activity as a form of long-term strategic statecraft.

Cyber Access as a Strategic Objective

Analysis of behavioral data from July 2022 to September 2025 shows that, in many cases, gaining and maintaining access, instead of immediate disruption or data theft, is the primary objective of Chinese-nexus intrusions.

This reflects a broader evolution in cyber operations, where access to digital environments provides ongoing visibility into supply chains, industrial processes, and critical infrastructure. The findings challenge traditional security models that focus on incidents and breach response. Instead, they point to cyber risk as a continuous, structural exposure that must be managed over time.

“Many cyber operations are no longer just about breaking in and stealing data or causing short-term disruptions; they are about staying in,” said Nathaniel Jones, VP of Security & AI Strategy at Darktrace. “What we’re seeing is a shift toward persistent access as a strategic asset. Defenders need to move beyond incident response and focus on detecting subtle behavioral changes that could indicate a long-term compromise.”

Two Distinct Operational Models

The report identifies two consistent operational models used by Chinese-nexus actors:

  1. “Smash and Grab” (Short-Horizon Operations):

Fast, opportunistic intrusions optimized for speed and scale. These operations often exploit internet-facing systems and prioritize rapid data access or intelligence gathering, with median dwell times of around 10 days and data exfiltration often occurring within 48 hours.

  2. “Low and Slow” (Long-Horizon Operations):

More covert campaigns focused on persistence and strategic positioning. These intrusions prioritize identity control, legitimate administrative tools, and long periods of dormancy, sometimes lasting months or years within critical infrastructure environments.

While most observed cases fell into the short-horizon category, the long-horizon operations were often concentrated in high-value targets such as telecommunications, transportation, and digital infrastructure—suggesting a focus on strategic leverage over time.

The same operational ecosystem can employ both models concurrently, selecting the appropriate model based on target value, urgency, and intended access. The observation of a “Smash and Grab” model should not be interpreted solely as a failure of tradecraft, but rather as an operational choice likely aligned with objectives. Where “Low and Slow” operations are optimized for patience, “Smash and Grab” is optimized for speed; both appear to be deliberate operational choices rather than indicators of capability.

Critical Infrastructure in Focus

The data shows a clear concentration of activity in sectors that underpin critical national infrastructure across the US and Europe:

  • 88% of observed intrusions involved organizations classified as critical infrastructure, as defined by CISA.
  • Key sectors included transportation, telecommunications, critical manufacturing, healthcare, and IT services.

These targeting patterns align with broader geopolitical and economic priorities, suggesting that cyber operations are increasingly integrated into long-term strategic competition.

The report also highlights that Western economies are a primary focus, with more than half (55%) of observed cases occurring in the U.S. and major European countries (Germany, Italy, Spain and the UK).

Internet-Facing Systems Remain the Front Door

Across the dataset, nearly two-thirds (~63%) of compromises began with the exploitation of internet-facing infrastructure.

Entry points such as edge devices, enterprise/SaaS applications, and exposed services continue to provide attackers with scalable access into organizations. Once inside, actors frequently rely on legitimate administrative tools and “living-off-the-land” techniques to move laterally and maintain persistence while avoiding detection.

This combination of external exposure and internal stealth makes detection particularly challenging for traditional security tools.

“Organizations need to rethink what risk looks like,” Jones added. “It’s not just about preventing breaches; it’s about understanding who may already have access, how long they’ve had it, and what that access enables over time.”

A Behavioral Approach to Detection

A key differentiator of the Crimson Echo research is its focus on behavioral analysis rather than individual threat groups or malware families. By examining patterns across multiple intrusions—including attack tempo, access methods, and kill-chain sequences—Darktrace’s Threat Research team identified consistent operational behaviors that persist even as tools, threat actors, and infrastructure change.
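To make the behavioral framing above concrete for the two operational models described earlier (short-horizon “Smash and Grab” versus long-horizon “Low and Slow”), the following is an added example written for this page; it is not code from Darktrace or from the Crimson Echo report. It takes an intrusion timeline as comma-separated event lines (a constructed format), derives tempo features of the kind the report names (dwell time, time to first exfiltration, longest dormancy gap, and the share of activity carried out through identity and built-in administrative tooling), and labels the intrusion by horizon. The two sample timelines, the `Event` schema, the feature names, and the classification thresholds (loosely aligned with the report's stated medians of about 10 days of dwell and exfiltration within 48 hours) are all assumptions made for illustration, not values published in the research.

```python
from dataclasses import dataclass
from datetime import datetime

# Event kinds are an assumed vocabulary for this example; "identity" and
# "admin_tool" stand in for the identity-control and legitimate-admin-tool
# activity the report associates with long-horizon operations.
LOTL_KINDS = {"identity", "admin_tool"}


@dataclass
class Event:
    ts: datetime
    kind: str
    detail: str


def parse_timeline(lines):
    """Parse 'ISO-timestamp,kind,detail' lines (constructed format) into sorted events."""
    events = []
    for line in lines:
        ts_text, kind, detail = line.split(",", 2)
        events.append(Event(datetime.fromisoformat(ts_text.strip()), kind.strip(), detail.strip()))
    return sorted(events, key=lambda e: e.ts)


def tempo_features(events):
    """Compute the tempo features a behavioral analyst would look at first."""
    first, last = events[0].ts, events[-1].ts
    dwell_days = (last - first).total_seconds() / 86400
    exfil = [e for e in events if e.kind == "exfil"]
    hours_to_exfil = (exfil[0].ts - first).total_seconds() / 3600 if exfil else None
    # Longest quiet period between consecutive observed events (dormancy).
    gaps = [(b.ts - a.ts).total_seconds() / 86400 for a, b in zip(events, events[1:])]
    longest_dormancy_days = max(gaps) if gaps else 0.0
    lotl_ratio = sum(1 for e in events if e.kind in LOTL_KINDS) / len(events)
    return {
        "dwell_days": dwell_days,
        "hours_to_exfil": hours_to_exfil,
        "longest_dormancy_days": longest_dormancy_days,
        "lotl_ratio": lotl_ratio,
    }


def classify_horizon(features):
    """Assumed thresholds: fast exfil or short dwell -> short-horizon;
    long dormancy or mostly-LOTL activity with no exfil -> long-horizon."""
    if features["hours_to_exfil"] is not None and features["hours_to_exfil"] <= 48:
        return "short-horizon"
    if features["longest_dormancy_days"] >= 30:
        return "long-horizon"
    if features["hours_to_exfil"] is None and features["lotl_ratio"] >= 0.5:
        return "long-horizon"
    return "short-horizon" if features["dwell_days"] <= 10 else "long-horizon"


def profile(lines):
    """Convenience wrapper: timeline lines -> (features, horizon label)."""
    features = tempo_features(parse_timeline(lines))
    return features, classify_horizon(features)


# Constructed sample timelines (not real incident data).
SMASH_AND_GRAB = [
    "2025-03-01T02:10:00,initial_access,exploit of an internet-facing VPN appliance",
    "2025-03-01T03:00:00,lateral,SMB session to file server",
    "2025-03-02T18:30:00,exfil,large archive sent to external host",
    "2025-03-08T09:00:00,lateral,second file server accessed",
]

LOW_AND_SLOW = [
    "2024-11-04T01:00:00,initial_access,exploit of an edge device",
    "2024-11-04T01:30:00,identity,new privileged account created",
    "2025-01-20T23:00:00,admin_tool,remote admin session via built-in tooling",
    "2025-04-15T22:45:00,admin_tool,scheduled task refreshed",
]

if __name__ == "__main__":
    for name, lines in (("smash-and-grab", SMASH_AND_GRAB), ("low-and-slow", LOW_AND_SLOW)):
        feats, label = profile(lines)
        print(name, label, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in feats.items()})
```

The point of the example is the feature set rather than the thresholds: dwell, time-to-exfiltration, dormancy and the proportion of activity that rides on legitimate tooling are properties of the intrusion's behavior, so they remain comparable across campaigns even when the malware, operator group, or infrastructure behind them changes, which is exactly why a behavioral view can hold up where indicator-based detection does not. In a real environment the timeline lines would come from the detection platform's event history, and the thresholds would be tuned against the organization's own baseline.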

Additional Resources

  • Download the full Crimson Echo report here and the executive summary here.

About the Research

Crimson Echo is based on a three-year retrospective analysis of data from July 2022 to September 2025 conducted by Darktrace’s Threat Research team, examining anomalous activity and intrusion patterns across its global customer base. The research combines behavioral AI detections, structured threat hunting, and a multi-pillar attribution framework to identify medium- to high-confidence cases of Chinese-nexus cyber activity. A full methodology and copy of the Darktrace Cybersecurity Attribution Framework can be found in the Appendix section of the full report.

[1] Chinese-nexus refers to cyber activity that shows strong alignment with operational patterns historically associated with Chinese APTs or state-linked cyber ecosystems, but direct government direction may not be definitively established.
