Darktrace has released new research suggesting that Chinese-nexus cyber operations are evolving from event-driven breaches into longer-term campaigns aimed at establishing persistent access to strategically important systems.
In the company’s report, Crimson Echo: Understanding Chinese-nexus Cyber Tradecraft Through Behavioral Analysis, Darktrace frames cyber activity not primarily as short, disruptive intrusions, but as a form of sustained “long-term strategic statecraft”.
The findings are based on Darktrace’s analysis of three years of data across its customer base, covering activity from July 2022 to September 2025. Darktrace reports that 88% of observed incidents targeted organisations in critical infrastructure sectors, including transportation, telecommunications, healthcare and manufacturing.
The report also states that nearly 63% of compromises began with exploitation of internet-facing systems, reinforcing the idea that exposed digital infrastructure continues to serve as a common entry point.
According to Darktrace, a key change in how cyber risk should be understood is that many operations appear designed to remain inside the victim’s environment rather than to get in and out quickly. “Many cyber operations are no longer just about breaking in and stealing data or causing short-term disruptions, they are about staying in,” said Nathaniel Jones, vice president of security & AI strategy at Darktrace.
He added that defenders must “move beyond incident response and focus on detecting subtle behavioral changes that could indicate a long-term compromise.”
Darktrace describes two operational models that Chinese-nexus actors reportedly use. The first, dubbed “Smash and Grab”, is characterised as a short-horizon approach: fast intrusions optimised for speed and scale, with a median dwell time of around 10 days and exfiltration often occurring within 48 hours.
The second, “Low and Slow”, is positioned as a long-horizon method, emphasising covert persistence, identity control, legitimate administrative tooling, and dormancy that can last months or even years in critical infrastructure environments.
Importantly, Darktrace argues that the two models are not mutually exclusive. It suggests the same operational ecosystem may employ both tactics depending on target value, urgency and the intended access—meaning that observing short-horizon behaviour does not automatically indicate a lack of tradecraft capability.
The report also highlights the geographic emphasis on Western economies, stating that over half of observed activity affected the U.S. and major European countries, with the U.S. accounting for 22.5% of cases.
Darktrace’s overall message is that risk management should shift from focusing solely on preventing breaches to understanding what access may already exist, how long it has been present, and what it enables over time.
“Organisations need to rethink what risk looks like,” Jones added. “It’s not just about preventing breaches, it’s about understanding who may already have access, how long they’ve had it, and what that access enables over time.”
