THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-09-F4
CYBER · state actors · 2026-06-09SCOOP 60

CrowdStrike: China-nexus actors drove 58% of state-sponsored intrusions against tech sector

CrowdStrike published its 2026 Technology Threat Landscape Report on June 9, finding China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector — now the most-targeted industry.

·FILED ISSUE 2026-06-09·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • CrowdStrike's 2026 Technology Threat Landscape Report, published June 9, 2026, covers April 1, 2025 to March 31, 2026
  • China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector, the most-targeted industry globally
  • MURKY PANDA password-spraying campaign impacted more than 340 U.S.-based entities
  • DPRK-linked FAMOUS CHOLLIMA accounted for 47% of state-sponsored interactive intrusions
  • STARDUST CHOLLIMA compromised the Axios npm package, downloaded about 100 million times per week

VERDICT — CONFIRMED

high confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
CrowdStrike: China-nexus actors drove 58% of state-sponsored intrusions against tech secto
via CrowdStrike

CrowdStrike published its 2026 Technology Threat Landscape Report on June 9, finding China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector — now the most-targeted industry globally — over the report's April 1, 2025 to March 31, 2026 window, with campaigns focused on stealing AI capabilities and intellectual property. Adam Meyers, CrowdStrike's head of counter adversary operations, said 'China runs cyber espionage as industrial policy to close the AI innovation gap,' telling Reuters that 'there is an AI arms race occurring between the U.S. and China, and China intends to achieve global dominance by 2030.' Key findings include: MURKY PANDA password-spraying affecting more than 340 U.S.-based entities; North Korea's FAMOUS CHOLLIMA accounting for 47% of state-sponsored interactive intrusions, largely via fraudulent IT-worker schemes funneling salaries to Pyongyang; STARDUST CHOLLIMA's compromise of the Axios npm package, downloaded roughly 100 million times per week; initial access brokers advertising access to 277 technology organizations, a nearly 30% increase; and 572 technology entities named on ransomware leak sites for extortion.

Financially motivated attacks comprised 65% of all interactive operations, and 350 GitHub repositories were compromised before the Glassworm botnet disruption. Reuters carried the findings on June 10.

Why it matters

the report quantifies state-directed AI-model and IP theft as the dominant espionage driver, hardening the evidentiary base for U.S. policy responses after the White House's April accusation of 'industrial-scale' model distillation by China-based entities.

Update log · verification desk

2026-07-02Press release states 'more than 58%' of state-sponsored targeted intrusions, not exactly 58%
2026-07-02Adam Meyers quote is slightly paraphrased; the original reads: 'China runs cyberespionage as industrial policy to try to close the AI innovation gap, demonstrating that AI capabilities are the prize adversaries are after'

Key facts on file

  • CrowdStrike's 2026 Technology Threat Landscape Report, published June 9, 2026, covers April 1, 2025 to March 31, 2026
  • China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector, the most-targeted industry globally
  • MURKY PANDA password-spraying campaign impacted more than 340 U.S.-based entities
  • DPRK-linked FAMOUS CHOLLIMA accounted for 47% of state-sponsored interactive intrusions
  • STARDUST CHOLLIMA compromised the Axios npm package, downloaded about 100 million times per week
  • Initial access brokers advertised access to 277 technology organizations (up nearly 30%); 572 tech entities named on extortion leak sites
  • Adam Meyers: 'China runs cyber espionage as industrial policy to close the AI innovation gap'

OFFICIAL RECORD

CrowdStrike
— CrowdStrike (2026-06-09) · fetched at filing · archived at publication

Sources · two-source rule

PRIMARY · DOCCrowdStrike— CrowdStrike (2026-06-09)
CORROB.Reuters (via Claims Journal)— AJ Vicens (2026-06-10)
CORROB.CXOToday— (2026-06-10)
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-09-f4 · filed 2026-06-09 · https://thedwire.com/wire/cyb-2026-06-09-f4-crowdstrike-china-nexus-actors-drove-58-of-state-sponsored.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Qilin affiliate exploited Check Point VPN zero-day since early May; CISA gives a
Help Net Security
CYBER · SCOOP 74

Qilin affiliate exploited Check Point VPN zero-day since early May; CISA gives agencies three days to patch

Check Point confirmed on June 8 that attackers are exploiting CVE-2026-50751, a critical (CVSS 9.3) authentication bypass in the deprecated IKEv1 key exchange used by its Remote Access VPN, Mobile Access/SSL VPN and Quantum Spark firewalls, and released an emergency hotfix. The logic flaw in certificate validation allows attackers to esta

✓ verifiednewSOURCE ↗
READ THE FILE ›
ShinyHunters Dumps 234 GB From DentaQuest, Exposing PII/PHI of ~2.6 Million in &
Security Affairs
CYBER · SCOOP 64

ShinyHunters Dumps 234 GB From DentaQuest, Exposing PII/PHI of ~2.6 Million in 'Pay-or-Leak' Extortion

The extortion group ShinyHunters published approximately 234 GB of data stolen from dental-benefits administrator DentaQuest, a subsidiary of Sun Life Financial, in a 'pay-or-leak' scheme, impacting roughly 2.6 million individuals. ShinyHunters posted DentaQuest to its Tor leak site in May 2026 and released the data after negotiations rep

✓ verified
READ THE FILE ›
CISA orders agencies to patch SolarWinds Serv-U flaw being exploited to crash fi
Cybersecurity News
CYBER · SCOOP 56

CISA orders agencies to patch SolarWinds Serv-U flaw being exploited to crash file-transfer servers

CISA added CVE-2026-28318, a SolarWinds Serv-U denial-of-service flaw under active exploitation, to its Known Exploited Vulnerabilities catalog late Friday, ordering federal civilian agencies to remediate by June 19 under Binding Operational Directive 22-01 as coverage spread through the weekend. The uncontrolled resource consumption bug

✓ verifiednewSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.