How China-linked threat actors obtain zero-day vulnerabilities
What security leaders should know about zero-day acquisition, exploit supply chains and state-linked cyberthreats
Takeaways
- China-linked threat actors use a coordinated ecosystem to obtain zero-day vulnerabilities, not just individual discoveries.
- National regulations can require vulnerabilities to be reported to the government before vendors or the public are notified.
- A large network of researchers, private companies and contractors feeds vulnerability discovery and exploit development.
- Many attacks rely on rapid exploitation of newly disclosed or reverse-engineered flaws, not just true zero-days.
- Defending against zero-day attacks depends less on prevention and more on detection, visibility and containment.
What is a zero-day vulnerability?
A zero-day vulnerability is a previously unknown software flaw that has no available patch at the time it is exploited.
That is what makes zero-day attacks so effective. There is no signature to detect and no fix to apply. Attackers can move quickly, often gaining access before you’re even aware the vulnerability exists.
China-linked threat actors have consistently been among the most active users of zero-day exploits in espionage campaigns, particularly against enterprise software and network infrastructure. According to reporting based on Google threat intelligence data, these groups remain a major presence in state-sponsored zero-day activity.
In this post we’ll focus less on how these threat actors use vulnerabilities and more on how they obtain them in the first place.
How China’s vulnerability pipeline works
China’s approach to vulnerabilities is structured and centralized. Research indicates that vulnerabilities are treated as strategic resources, with laws, institutions and incentives designed to feed discoveries into government-controlled systems.
This creates a pipeline with three key characteristics:
- Continuous input from researchers and organizations
- Centralized collection and prioritization
- Rapid transition from discovery to operational use
For attackers, that pipeline shortens the gap between finding a flaw and exploiting it. And for IT security professionals like you, it ramps up risk.
Mandatory vulnerability reporting creates early access
One of the most important inputs into that pipeline is regulation. Under China’s vulnerability disclosure rules, organizations and researchers must report newly discovered vulnerabilities to government authorities within a short timeframe.
Public disclosure is restricted until a fix is available or approval is granted. And in this case, “public” can include the vendors who provide the vulnerable software.
This creates an asymmetry that benefits state-linked actors:
- Government agencies may gain early insight into critical vulnerabilities
- Vendors and global defenders may not yet be aware of them
- Exploitation can begin before patches are widely deployed
According to analysis of these rules, vulnerability data is routed through government channels that can support both defensive and offensive operations.
A large ecosystem of researchers and contractors
The pipeline is not limited to government agencies. It extends into the private sector and academia.
China’s cyber strategy relies on collaboration between state entities, research institutions and private companies. Analysts describe this as a coordinated ecosystem in which different actors contribute to cyber operations under government direction.
This ecosystem includes:
- Academic researchers discovering new flaws
- Private cybersecurity firms reporting vulnerabilities
- Contractors developing exploits and tooling
Large numbers of organizations and researchers contribute vulnerability discoveries each year, creating a steady flow of potential exploits.
That scale helps explain how China-linked actors can maintain a consistent pace of zero-day and near-zero-day activity. And it shows why it’s critical for you to address the growing risk of exploits with advanced monitoring and response capabilities.
The role of the exploit supply chain
Another key factor is outsourcing. China-linked cyber operations often rely on private contractors and “hack-for-hire” companies to conduct or support offensive activity.
More broadly, analysts have described how the People’s Republic of China has shaped regional markets for vulnerabilities into a funnel that supports government needs.
This exploit supply chain allows for:
- Faster development of working exploits
- Specialization across different platforms and technologies
- Plausible deniability for state actors
In effect, the capability to launch zero-day attacks has become a distributed function rather than a single team’s responsibility.
Why many attacks don’t start as true zero-days
Not every successful attack actually depends on a previously unknown flaw. In many cases, China-linked threat actors rely on:
- Rapid exploitation of newly disclosed vulnerabilities
- Reverse engineering of patches to identify weaknesses in earlier versions
- Scanning for exposed and unpatched systems at scale
Security researchers have observed actors studying vendor patches to uncover ways to exploit older versions of software. From your perspective as a defender, the difference between a zero-day attack and a quickly exploited known vulnerability is often academic. The result is still an initial compromise that lays the groundwork for a potentially very costly breach.
Why edge devices and critical infrastructure are frequent targets
China-linked threat actors tend to focus on systems that provide broad access and are difficult to monitor. These include:
- Firewalls
- VPNs and remote access systems
- Network appliances and edge devices
According to multiple threat reports, this focus helps attackers establish persistent access and move laterally inside networks, particularly in critical infrastructure environments.
These systems are attractive targets because:
- They often sit at the perimeter.
- They may lack strong endpoint visibility.
- They provide high-value access once compromised.
How to defend against zero-day attacks linked to nation-state threat actors
If China-linked threat actors can obtain and weaponize vulnerabilities at scale, what can defenders like you realistically do? While it’s not realistic to try to prevent every exploit, there are steps you can take to reduce your organization’s exposure, improve your ability to detect intrusions and limit the impact of a breach.
In practical terms, that means focusing on:
- Visibility across your environment so unusual activity stands out early
- Fast detection and response to stop attacks before they spread
- Containment and segmentation to limit lateral movement
- Layered security controls that do not depend on a single point of defense
Ultimately, what makes an attack successful is not only the exploitation of an unknown vulnerability, but the time it takes you to detect the attack and respond effectively.
The role of modern security platforms
Security platforms that combine detection, response and continuous monitoring can help close these gaps.
Extended detection and response (XDR) platforms and managed detection services are designed to:
- Identify suspicious behavior even without known signatures
- Correlate activity across endpoints, networks and cloud environments
- Respond quickly to reduce attacker dwell time
Services like Barracuda Managed XDR take this approach further by combining automated response with human analysis. The goal is to detect early indicators of compromise, investigate efficiently and contain threats before they escalate.
That matters because when attackers have a pipeline for finding vulnerabilities, defense becomes less about stopping every entry point and more about shrinking the window of opportunity after one is found.
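As an added example (not code from the original post or from Barracuda), the correlation the section describes as a small behavior-based rule: a VPN session from an IP outside the user's baseline, followed within a short window by logons from that user to several internal hosts, with the dwell time from edge access to alert. The event fields, sample log lines and IP baseline are constructed for this example and do not follow any real appliance's format.

```python
from datetime import datetime, timedelta

# Constructed sample events (not a real appliance or vendor log format): a VPN
# session for a service account from an IP outside its baseline, followed by
# logons to several internal hosts within minutes; then a benign session.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:01:00", "source": "vpn", "user": "svc-backup",
     "src_ip": "203.0.113.7", "dst_host": "vpn-gw", "event": "session_start"},
    {"ts": "2024-01-10T02:03:10", "source": "endpoint", "user": "svc-backup",
     "src_ip": "10.8.0.5", "dst_host": "fs01", "event": "logon"},
    {"ts": "2024-01-10T02:04:40", "source": "endpoint", "user": "svc-backup",
     "src_ip": "10.8.0.5", "dst_host": "dc01", "event": "logon"},
    {"ts": "2024-01-10T02:06:05", "source": "endpoint", "user": "svc-backup",
     "src_ip": "10.8.0.5", "dst_host": "hr-db", "event": "logon"},
    {"ts": "2024-01-10T08:30:00", "source": "vpn", "user": "alice",
     "src_ip": "198.51.100.20", "dst_host": "vpn-gw", "event": "session_start"},
    {"ts": "2024-01-10T08:31:00", "source": "endpoint", "user": "alice",
     "src_ip": "10.8.0.9", "dst_host": "fs01", "event": "logon"},
]
# Per-user set of remote IPs previously seen at the VPN gateway (constructed).
BASELINE_IPS = {"svc-backup": {"198.51.100.10"}, "alice": {"198.51.100.20"}}


def correlate(events, baseline_ips, window=timedelta(minutes=15), min_hosts=3):
    """Alert when a VPN session from a non-baseline IP is followed within
    `window` by logons from that user to >= `min_hosts` distinct internal hosts.
    Each alert carries the dwell time (seconds) from edge access to the alert."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, ev in enumerate(events):
        if ev["source"] != "vpn" or ev["event"] != "session_start":
            continue
        if ev["src_ip"] in baseline_ips.get(ev["user"], set()):
            continue  # familiar remote IP: nothing anomalous at the edge
        start = datetime.fromisoformat(ev["ts"])
        hosts, fired_at = [], None
        for later in events[i + 1:]:
            t = datetime.fromisoformat(later["ts"])
            if t - start > window:
                break  # outside the correlation window
            same_user_logon = (later["source"] == "endpoint" and later["event"] == "logon"
                               and later["user"] == ev["user"])
            if same_user_logon and later["dst_host"] not in hosts:
                hosts.append(later["dst_host"])
                if len(hosts) >= min_hosts:
                    fired_at = t  # rule fires on the Nth distinct host
                    break
        if fired_at is not None:
            alerts.append({"user": ev["user"], "edge_ip": ev["src_ip"], "hosts": hosts,
                           "dwell_seconds": int((fired_at - start).total_seconds())})
    return alerts
```

The same shape works for any edge device that records sessions (firewall admin logins, remote access gateways) as long as the user or session can be joined to internal endpoint events; the dwell figure is what a detection program should be driving down.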