Incident-as-a-Service
Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign
The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.
- Security Operations Centre (SOC) Analyst: To enhance their ability to detect subtle indicators of a sophisticated, low-and-slow attack within their environment using advanced SIEM queries and endpoint data.
- Incident Response Manager: To develop and refine playbooks specifically for handling prolonged, stealthy intrusions involving compromised credentials and custom malware, ensuring a coordinated response.
- Information Security Officer: To understand the strategic implications of state-sponsored threats, communicate risk to leadership effectively, and align defensive investments with frameworks like NIST CSF and ISO 27001.
30-day guarantee. Instant access after payment. Lifetime updates for this incident package.
How This Course Is Structured
Clear progression from incident context to practical controls and role-specific action steps.
1. Incident Breakdown
Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.
2. Defensive Controls
Actions your team can implement in the same 48-hour response window used by active security teams.
3. Evidence & Reporting
Completion records and learning outcomes packaged for governance, insurance, and audit workflows.
Course Outline
4 modules · 16 lessons · ~192 min total
Module 1: Threat Intelligence
Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.
Module 2: Detection and Response
Practical detection strategies using SIEM, endpoint analysis, and incident response procedures. Build effective playbooks.
Module 3: Infrastructure Hardening
Implement defensive controls including authentication hardening, zero trust principles, and secure architecture patterns.
Module 4: Organisational Readiness
Build security culture, communicate with leadership, manage vendor risks, and ensure compliance integration.
Free Sample Lesson
Read one full lesson before purchasing. No signup required.
Lesson 1 of 16
Lesson 1.1: Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign
Compliance Framework Mapping
| Framework | Control | Requirement |
|---|---|---|
| DORA | Article 5 | Establishment of an ICT risk management framework |
| ISO 27001 | A.5.1 | Management direction for information security |
| NIST CSF | ID.RA-1 | Asset vulnerabilities are identified and documented |
| NIS2 | Article 21 | Risk management measures for network and information systems |
| SOC 2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives |
| GDPR | Article 32 | Security of processing |
Introduction
Welcome to Lesson 1.1: Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign! Over the next 45 minutes, we will explore a sophisticated, state-linked cyber espionage operation, how it was uncovered, and the defensive lessons we can draw from its disruption.
But first, let me tell you about Marcus Webb.
It's 3:17 PM on a Tuesday in late June. Marcus Webb, a senior network engineer at a mid-sized defence contractor in Bristol, is reviewing firewall logs. The office is quiet, the hum of servers a constant background noise. He sips cold coffee, his eyes scanning rows of IP addresses and port numbers, looking for the anomaly that doesn't belong.
A series of outbound connections to an unfamiliar domain, 'update-global[.]net', catches his eye. The traffic is small, encrypted, and originates from a developer's workstation. It looks like legitimate update traffic, but the timing is odd—late at night, over several weekends. Marcus makes a note to ask the developer about it tomorrow. He logs the event as 'low priority' and moves on.
Two weeks later, the company's legal team receives a polite but firm inquiry from a major government partner. They ask if the company is aware of a potential data breach involving their shared project specifications. Marcus is called into an emergency meeting. When he pulls the full logs, he sees the 'update' traffic wasn't just from one workstation. It was a beacon. The data had already left the building.
This is the story of a cyberattack. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.
Content Section 1: The Campaign: Velvet Ant and Bronze Riverside
Think of a burglar who doesn't break a window or pick a lock. Instead, they find a spare key hidden under a flowerpot, left there by a forgetful homeowner. This campaign, tracked as Velvet Ant and Bronze Riverside, operated on that principle for years, targeting a global list of victims.
Scope and Targets
Google's Threat Analysis Group (TAG) identified this as a China-linked group conducting cyber espionage. Their operations were global, not confined to one region or sector.
The group showed a clear interest in government organisations, defence contractors, and technology companies. Their goal appeared to be the theft of intellectual property and sensitive government information.
What made them 'elusive' was their method. They didn't rely on loud, destructive malware. Instead, they used living-off-the-land techniques and legitimate tools, making their activity blend in with normal network noise.
The Disruption
Google's disruption involved taking down domains the hackers were using for command and control. By seizing these internet addresses, Google cut the link between infected computers and the attackers' servers.
This action is a form of threat-led defence. It doesn't remove the malware from victim machines, but it stops the attackers from steering them or exfiltrating more data. It buys time for organisations to find and clean the infection.
Think about that last point for a moment. The most dangerous threats aren't the ones that smash down the door; they're the ones who already have a key and know how to walk like they own the place.
DORA Article 5: DORA Article 5 requires financial entities to have a full ICT risk management framework. Understanding the tactics of state-linked groups like this is a direct input into that risk assessment process.
ISO 27001 A.5.1: ISO 27001 A.5.1 mandates that management provides direction and support for information security. This case shows why leadership must prioritise intelligence on advanced threats, not just basic hygiene.
Content Section 2: The Attack Chain: How They Stayed Hidden
Understanding their approach reveals why they were so effective. Let me show you exactly how an operator like Marcus Webb could miss them.
The Infection Path
Research suggests groups like this often start with a targeted phishing email, a 'spear-phish,' tailored to the victim. It might impersonate a colleague or a trusted partner.
The email would contain a link or a document that, when opened, runs a script. This script doesn't drop an obvious malware file. Instead, it uses built-in system tools like PowerShell to fetch the next stage of the attack.
This 'fileless' approach leaves very little evidence on the hard drive. The malicious activity happens in the computer's memory, which is often not monitored as closely.
Command and Control
Once inside, the malware needs to call home. It uses domains like the one Marcus saw, 'update-global[.]net'. These are designed to look harmless, mimicking software update servers or common cloud services.
The communication is often encrypted and kept to small, periodic 'beacons'—just a digital handshake to say 'I'm still here.' Large data exfiltration might happen slowly, over time, or during off-hours.
Why Traditional Defences Fail
Here’s how common security measures can be bypassed:
| Method | How It's Bypassed | Result |
|---|---|---|
| Signature-based Antivirus | Uses fileless techniques and living-off-the-land binaries (LOLBins) that aren't malicious files. | No detection |
| Email Gateways | Uses highly targeted spear-phishing with legitimate-looking content, not mass spam. | Email delivered |
| Basic Firewall Rules | Beacons use common ports (HTTPS/443) and protocols to blend with normal web traffic. | Traffic allowed |
| Manual Log Review | Low volume, encrypted traffic to domains with benign-sounding names. | Logged as low-priority or ignored |
Notice what all of these methods have in common. They rely on the attack looking abnormal. This group's strength was in appearing completely normal at every step.
Now pay attention, because this is the moment that separates a visible breach from a hidden one. Using the system's own, trusted tools is the ultimate disguise. This is the moment where traditional antivirus, looking for bad files, sees nothing wrong.
NIST CSF ID.RA-1: NIST CSF ID.RA-1 is about identifying vulnerabilities. This attack chain shows that vulnerabilities aren't just software bugs: they include gaps in processes, like over-reliance on signature-based tools and lack of behavioural monitoring.
NIS2 Article 21: NIS2 Article 21 mandates risk management measures. Defending against this requires measures like network segmentation, strict application control, and monitoring for anomalous behaviour, not just perimeter defence.
Content Section 3: Detection: Finding the Needle in the Haystack
Marcus's computer knew something was wrong. The network traffic was leaving his system. It just couldn't tell him in a way he understood. Here’s what to look for.
Network-Level Indicators
Look for connections to newly registered domains or domains with names that closely mimic real services (e.g., 'google-update[.]com', 'microsoftcdn[.]net').
Monitor for beaconing—consistent, timed connections from an internal host to an external domain at regular intervals, like every 10 minutes. This is the malware 'phoning home.'
Even with encryption, the size and timing of data flows can be a signal. Small, periodic packets are beacons. Large, sustained transfers outside business hours could be data exfiltration.
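The three network-level signals above (lookalike domain names, regular-interval connections, small uniform payloads) can be scored together from ordinary proxy or DNS logs. The script below is an added example written for this lesson, not code from the course materials or from Google's disruption; the log lines, the brand-token list and the trusted-suffix allow-list are all constructed assumptions, and the destination domain simply reuses the one from the Marcus Webb narrative. It groups connections by source host and destination, measures how metronome-like the gaps between them are, and reports pairs that look like a scheduled beacon.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log sample: "<UTC timestamp> <source host> <destination domain> <bytes sent>".
# These records are made up for this example; the domain names echo the lesson's narrative.
SAMPLE_LOG = """\
2024-06-25T23:00:02Z dev-ws-17 update-global.net 412
2024-06-25T23:02:44Z dev-ws-17 www.bbc.co.uk 15320
2024-06-25T23:10:01Z dev-ws-17 update-global.net 418
2024-06-25T23:19:10Z dev-ws-17 www.bbc.co.uk 8821
2024-06-25T23:20:03Z dev-ws-17 update-global.net 409
2024-06-25T23:30:02Z dev-ws-17 update-global.net 415
2024-06-25T23:40:01Z dev-ws-17 update-global.net 411
2024-06-25T23:51:37Z dev-ws-17 www.bbc.co.uk 23100
2024-06-25T23:05:00Z fin-ws-03 microsoftcdn.net 398
2024-06-25T23:14:30Z fin-ws-03 login.microsoftonline.com 2210
"""

# Tokens that lookalike domains borrow, and suffixes the organisation trusts (assumed allow-list).
BRAND_TOKENS = ("google", "microsoft", "update", "cdn")
KNOWN_GOOD_SUFFIXES = ("google.com", "microsoft.com", "microsoftonline.com", "bbc.co.uk")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, host, domain, bytes_sent); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return records


def is_lookalike(domain):
    """A domain is a lookalike if it borrows a brand/update token but is not under a trusted suffix."""
    d = domain.lower()
    if any(d == s or d.endswith("." + s) for s in KNOWN_GOOD_SUFFIXES):
        return False
    return any(tok in d for tok in BRAND_TOKENS)


def lookalike_domains(records):
    """Sorted list of distinct destination domains that match the lookalike heuristic."""
    return sorted({dom for _, _, dom, _ in records if is_lookalike(dom)})


def find_beacons(records, min_hits=4, max_jitter_ratio=0.05):
    """
    Flag (host, domain) pairs whose connections recur at a near-constant interval.
    Jitter is the standard deviation of the gaps divided by the mean gap, so a
    value near 0 means 'metronome-like', the signature of a scheduled beacon.
    """
    by_pair = defaultdict(list)
    for ts, host, domain, nbytes in records:
        by_pair[(host, domain)].append((ts, nbytes))

    findings = []
    for (host, domain), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(later[0] - earlier[0]).total_seconds() for earlier, later in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 1.0
        if jitter <= max_jitter_ratio:
            findings.append({
                "host": host,
                "domain": domain,
                "hits": len(hits),
                "interval_s": round(mean_gap),
                "jitter": round(jitter, 3),
                "avg_bytes": round(statistics.mean(n for _, n in hits)),
                "lookalike": is_lookalike(domain),
            })
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("lookalike domains seen:", lookalike_domains(recs))
    for f in find_beacons(recs):
        print(f"beacon candidate: {f['host']} -> {f['domain']} every ~{f['interval_s']}s "
              f"({f['hits']} hits, jitter {f['jitter']}, ~{f['avg_bytes']} bytes, lookalike={f['lookalike']})")
```

On the sample the browsing to www.bbc.co.uk is irregular and falls below the hit threshold, while the five connections to update-global.net ten minutes apart come out with a jitter of 0.002 and an average payload of roughly 413 bytes, which is the 'small, periodic' profile the lesson describes. In a real environment the same two parameters, the minimum hit count and the jitter ceiling, are what you tune against your own baseline; some legitimate agents also poll on a fixed schedule, so treat the output as a hunting lead to be reviewed alongside the domain's registration age rather than an alert on its own.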
Endpoint-Level Indicators
Monitor for unusual process chains. For example, a Microsoft Office process (winword.exe) starting a PowerShell script, which then makes a network connection.
Look for PowerShell execution with hidden windows, unusual arguments, or connections to the internet. Legitimate admin use is common, but its context is key.
Unexplained scheduled tasks or new services created on a system can be persistence mechanisms set up by the attacker.
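The process-chain and PowerShell-context indicators above translate directly into a scoring rule over endpoint telemetry. The block below is an added example for this lesson, not course material or any vendor's detection content; it assumes Sysmon-style events (event 1 for process creation, event 3 for a network connection) already parsed into dictionaries, and the event records, image lists and argument patterns are constructed for illustration. The encoded-command string is a placeholder that decodes to 'ABCABC', not a real payload. Rather than alerting on PowerShell alone, which would drown a SOC in admin noise, it adds weight for an Office parent, for window-hiding or encoded arguments, and for an outbound connection by the same process, and reports only chains that cross a threshold.

```python
import re
from collections import defaultdict

# Office parents and script hosts (assumed lists; extend them to match your estate).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Argument patterns that hide windows or carry encoded/remote content. Legitimate admin
# scripts use some of these too, so each match adds weight rather than alerting alone.
SUSPICIOUS_ARGS = [re.compile(p, re.IGNORECASE) for p in (
    r"-enc\w*\b", r"-w(indowstyle)?\s+hidden", r"-nop(rofile)?\b", r"downloadstring", r"\biex\b",
)]
WEIGHT_OFFICE_PARENT = 3
WEIGHT_NETWORK = 2

# Constructed events in Sysmon numbering: 1 = process create, 3 = network connect.
SAMPLE_EVENTS = [
    {"event": 1, "host": "dev-ws-17", "pid": 4120, "ppid": 3300, "image": "winword.exe",
     "cmdline": "winword.exe /n Q3_spec.docm"},
    {"event": 1, "host": "dev-ws-17", "pid": 4188, "ppid": 4120, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMAQQBCAEMA"},  # placeholder, decodes to 'ABCABC'
    {"event": 3, "host": "dev-ws-17", "pid": 4188, "image": "powershell.exe",
     "dest": "update-global.net", "dport": 443},
    {"event": 1, "host": "it-admin-02", "pid": 2200, "ppid": 900, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"event": 1, "host": "it-admin-02", "pid": 5010, "ppid": 2200, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\rotate-logs.ps1"},
    {"event": 3, "host": "it-admin-02", "pid": 5010, "image": "powershell.exe",
     "dest": "fileshare.corp.local", "dport": 445},
]


def score_process_chains(events, threshold=4):
    """Score each script-host process by its parent, its arguments and its network activity."""
    creates = {(e["host"], e["pid"]): e for e in events if e["event"] == 1}
    connects = defaultdict(list)
    for e in events:
        if e["event"] == 3:
            connects[(e["host"], e["pid"])].append(e)

    findings = []
    for (host, pid), e in creates.items():
        image = e["image"].lower()
        if image not in SCRIPT_HOSTS:
            continue
        parent = creates.get((host, e["ppid"]))
        parent_image = parent["image"].lower() if parent else "<unknown>"
        score, reasons = 0, []

        if parent_image in OFFICE_IMAGES:
            score += WEIGHT_OFFICE_PARENT
            reasons.append(f"spawned by Office process {parent_image}")

        matched = [p.pattern for p in SUSPICIOUS_ARGS if p.search(e["cmdline"])]
        score += len(matched)
        reasons.extend(f"argument matches {m}" for m in matched)

        outbound = connects.get((host, pid), [])
        if outbound:
            score += WEIGHT_NETWORK
            reasons.append("outbound: " + ", ".join(f"{c['dest']}:{c['dport']}" for c in outbound))

        if score >= threshold:
            findings.append({"host": host, "pid": pid, "chain": f"{parent_image} -> {image}",
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_process_chains(SAMPLE_EVENTS):
        print(f"{f['host']} pid {f['pid']}: {f['chain']} (score {f['score']})")
        for r in f["reasons"]:
            print("  -", r)
```

The admin's scheduled log-rotation script on it-admin-02 scores 2 (it made a connection but has a benign parent and plain arguments) and stays silent; the Word-spawned, hidden, encoded PowerShell on dev-ws-17 that then reached the lookalike domain scores 8. The weights are deliberately coarse starting points: the point is that context (who launched it, how, and what it did next) is what separates the two, exactly as the lesson says.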
Identity and Behaviour Signals
A single user account accessing files or systems far outside their normal pattern. For example, a developer suddenly reading HR share drives or project folders from another division.
Multiple failed logon attempts followed by a success, especially on servers or from unusual geographic locations, can indicate credential compromise.
The use of compromised but legitimate user credentials is a major bypass for many controls. Monitoring for anomalous logins is therefore critical.
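The 'failures followed by a success, from somewhere unusual' pattern above is a short piece of stateful logic over authentication logs. The code below is an added example for this lesson, not part of the course or any product; the log lines are constructed (documentation IP ranges, and 'ZZ' as a placeholder country code), and the idea of a per-user location baseline built from earlier successful logons is an assumption about how you would define 'normal pattern'. It keeps a sliding window of recent failures per user and raises a finding when a success arrives on the back of them, marking whether the country is new for that user.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication records: "<UTC time> <user> <outcome> <source IP> <country>".
# Addresses are documentation ranges and 'ZZ' is a placeholder country code, not real data.
SAMPLE_AUTH = """\
2024-06-20T09:01:00Z mwebb SUCCESS 10.20.1.17 GB
2024-06-21T09:03:00Z mwebb SUCCESS 10.20.1.17 GB
2024-06-22T08:58:00Z mwebb SUCCESS 10.20.1.17 GB
2024-06-29T02:14:05Z mwebb FAIL 203.0.113.45 ZZ
2024-06-29T02:14:11Z mwebb FAIL 203.0.113.45 ZZ
2024-06-29T02:14:19Z mwebb FAIL 203.0.113.45 ZZ
2024-06-29T02:14:27Z mwebb FAIL 203.0.113.45 ZZ
2024-06-29T02:14:40Z mwebb SUCCESS 203.0.113.45 ZZ
2024-06-29T08:30:00Z jdoe FAIL 10.20.1.40 GB
2024-06-29T08:30:20Z jdoe SUCCESS 10.20.1.40 GB
"""


def parse_auth(text):
    """Parse records into dicts; lines with the wrong field count are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        records.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "user": parts[1],
            "ok": parts[2] == "SUCCESS",
            "src": parts[3],
            "country": parts[4],
        })
    return records


def build_baseline(records, cutoff):
    """Countries each user successfully logged in from before `cutoff` (their 'normal pattern')."""
    baseline = defaultdict(set)
    for r in records:
        if r["ok"] and r["ts"] < cutoff:
            baseline[r["user"]].add(r["country"])
    return baseline


def detect_failed_then_success(records, baseline, min_failures=3, window=timedelta(minutes=5)):
    """Flag a success preceded by at least `min_failures` failures within `window` for the same user."""
    findings = []
    recent_failures = defaultdict(deque)
    for r in sorted(records, key=lambda r: (r["user"], r["ts"])):
        q = recent_failures[r["user"]]
        while q and r["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if not r["ok"]:
            q.append(r["ts"])
            continue
        if len(q) >= min_failures:
            findings.append({
                "user": r["user"],
                "failures": len(q),
                "src": r["src"],
                "country": r["country"],
                "new_location": r["country"] not in baseline.get(r["user"], set()),
                "at": r["ts"].isoformat(),
            })
        q.clear()   # a success resets the failure streak either way
    return findings


if __name__ == "__main__":
    recs = parse_auth(SAMPLE_AUTH)
    base = build_baseline(recs, cutoff=datetime(2024, 6, 28))
    for f in detect_failed_then_success(recs, base):
        print(f"{f['user']}: {f['failures']} failures then success from {f['src']} ({f['country']}) "
              f"at {f['at']}, new location={f['new_location']}")
```

A single typo by jdoe followed by a correct password never reaches the threshold, while mwebb's four failures and a success from an address and country never seen in his baseline produce one finding. The window and failure count are the knobs; the baseline is what turns a noisy 'brute force' rule into the 'legitimate credentials used abnormally' signal the lesson stresses.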
SOC 2 CC6.1: SOC 2 CC6.1 requires logical access controls to protect assets. This threat shows that monitoring for anomalous use of legitimate access (behavioural analytics) is as important as the access controls themselves.
GDPR Article 32: GDPR Article 32 requires appropriate security for personal data. Detecting covert exfiltration channels, as used in this campaign, is a necessary technical measure to ensure data confidentiality.
Activity: Threat Hunting Hypothesis Workshop
This activity will guide you in developing a specific threat hunting hypothesis based on the techniques used in the Velvet Ant campaign.
Important Security Note: Do NOT run active scans or probes on your production network without explicit authorisation from your security team. This is a planning and hypothesis exercise. Do not share specific internal IPs, hostnames, or domain names from your environment.
Instructions
Step 1: Select one technique from the lesson: e.g., 'DNS beaconing to lookalike domains' or 'PowerShell execution from Office applications.'
Step 2: Draft a one-sentence threat hunting hypothesis. Example: 'An adversary may be using encoded PowerShell commands launched from Microsoft Word to establish a covert channel.'
Step 3: List 2-3 data sources you would need to investigate this hypothesis in your environment (e.g., Windows Event Logs for PowerShell module logging, DNS query logs from your resolver, proxy logs).
Step 4: Outline one specific search query or log filter you would use to start looking for evidence (e.g., 'DNS queries containing the substring 'update-' from non-server assets').
Submission
For the course discussion forum, share general learnings only:
- Which technique you chose to focus on and why.
- The general structure of your threat hunting hypothesis.
- What you learned about the data sources available (or not available) in a typical organisation for this kind of hunt.
Do NOT share: Specific internal hostnames, IP addresses, domain names, details of your organisation's security tooling, or any actual findings from logs.
Review and comment on at least two other students' submissions. Do their hypotheses follow the format? Are the suggested data sources realistic?
Content Section 4: Building Your Defence and Evidence
Compliance documentation isn't just paperwork. In the wake of an incident like this, it's your evidence of due care. It's the answer to the question: 'What did you do to stop this?'
Evidence Generation
This lesson provides documentation for multiple compliance frameworks:
For DORA Article 5 auditors: you can now demonstrate that your ICT risk management framework considers advanced persistent threat (APT) tactics, specifically fileless techniques and domain-based command and control.
For ISO 27001 A.5.1 assessors: you can evidence that information security direction includes training on and defence against state-linked cyber espionage campaigns, moving beyond basic malware.
For NIST CSF ID.RA-1 reviewers: you can show you have identified a specific threat vector (living-off-the-land techniques) and are taking steps to detect it through behavioural monitoring.
Audit Trail
Document your completion of this lesson:
- Lesson title and date completed
- Time invested: approximately 45 minutes
- Key learnings in your own words
- Activity submission reference
- Follow-up actions identified
Conclusion
Let me tell you how Marcus's story ended.
The company lost the government contract. The investigation took six months and cost over £200,000 in consultancy fees and system rebuilds. Marcus wasn't fired, but his promotion was put on indefinite hold. The stress took a personal toll.
The organisation eventually hired a threat intelligence firm, implemented an Endpoint Detection and Response (EDR) system, and started regular threat hunting exercises. They learned the hard way that logging an event isn't enough—you have to understand what you're looking at.
But it doesn't have to be your story. That's why we're here.
You should now understand the hallmarks of a sophisticated, state-linked cyber espionage campaign. You understand why their use of fileless techniques and benign-looking infrastructure makes them so hard to spot. You know the key network, endpoint, and behavioural indicators that can reveal their presence. And you understand how to start building proactive hunting hypotheses to find them.
Next, we'll explore Lesson 1.2: Building a Threat-Informed Defence Programme. We'll take these indicators and build them into a continuous monitoring and improvement cycle for your organisation.
See you there.
Key Takeaways
1. The Adversary's Advantage is Stealth: Advanced groups like Velvet Ant avoid detection by using legitimate tools (LOLBins), fileless techniques, and command-and-control infrastructure designed to mimic normal traffic.
2. Detection Requires Behavioural Focus: Signature-based tools are insufficient; defence must pivot to detecting anomalous behaviour, such as regular beaconing, unusual process chains, and access patterns.
3. Disruption is a Team Sport: As Google demonstrated, private sector threat intelligence and disruption actions can play a major role in hindering global campaigns, buying critical time for defenders.
4. Compliance is a Defence Foundation: Frameworks like NIST CSF and ISO 27001 provide the structured approach needed to build the layered, intelligence-informed defences required to counter these threats.
Resources
The course materials folder contains downloadable resources for this lesson:
- Lesson 1.1 Quick Reference Card - Summarise the key detection indicators for China-linked cyber espionage campaigns (beaconing, LOLBin usage, lookalike domains) and immediate network isolation steps on a single page.
- Compliance Mapping Worksheet - Map your organisation's controls for detecting fileless attacks and covert command and control to the specific DORA, NIST CSF, and ISO 27001 requirements covered in this lesson.
- Risk Assessment Template - Assess your organisation's exposure to living-off-the-land attack techniques based on your use of administrative tools like PowerShell and your current behavioural monitoring capabilities.
- Further reading - Links to Google's TAG blog posts on related disruptions and MITRE ATT&CK framework entries for techniques commonly used by state-linked groups (e.g., T1059 - Command and Scripting Interpreter).
Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026
This is 1 of 16 lessons included in the full package.
Choose Your Access
All plans include 30-day money-back guarantee
Taster
Single course access — ideal for trying us out
- Full course access
- Completion certificate
- Try before you commit
Standard
Full course with materials and certificate
- Full course access
- Downloadable materials
- Professional certificate
- Email support
Teams
Transparent pricing, no sales call required
Starter Team
£99.80/seat effective
Up to 5 learners, all courses included
Growth Team
£66.60/seat effective
Up to 15 learners, all courses included
Scale Team
£39.98/seat effective
Up to 50 learners, all courses included
Need 50+ seats? Contact us for a custom plan.
Fast Checkout
Start Learning in Minutes
Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.
- Stripe-secured payment and delivery workflow
- Audit-friendly completion records
- Escalate to enterprise volume licensing at any point
48-Hour Relevance Guarantee
If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.