China-linked threat actors use a coordinated ecosystem to acquire zero-day vulnerabilities, treating them as strategic resources. National regulations require that newly discovered vulnerabilities be reported to the government before vendors or the public are informed, creating an information asymmetry that benefits state-linked actors. This centralized approach draws on a large network of researchers, private companies, and contractors, which sustains a continuous flow of potential exploits. The exploit supply chain, which includes outsourcing to private contractors and “hack-for-hire” companies, allows faster development and gives state actors plausible deniability. While not all attacks rely on unknown flaws, many exploit newly disclosed vulnerabilities or reverse-engineer patches to target systems still running older software versions. China-linked actors often target edge devices and critical infrastructure, which provide broad access and are hard to monitor. Defending against these attacks requires a focus on visibility, fast detection and response, containment, and layered security controls. Modern security platforms, such as extended detection and response (XDR) systems, can help detect suspicious behavior, correlate activity across sources, and respond quickly to reduce attacker dwell time.

