Executive Summary
China's formal adoption of the 15th Five-Year Plan in March 2026 codifies the state's commitment to technological sovereignty, with a minimum 7% annual R&D spending increase [14] and a concurrent 7% defense budget increase that will sustain funding for offensive and defensive cyber capabilities [10]. Simultaneously, at least five distinct PRC-attributed intrusion clusters are operating against Western and regional infrastructure, with Salt Typhoon still not fully remediated, and FBI officials confirming at least 200 companies worldwide were compromised [6][7]. Newly disclosed campaigns (UNC2814/GRIDTIDE, UAT-8837, Warp Panda/BRICKSTORM) are expanding the known attack surface across dozens of sectors [1][2][3]. Leaked "Expedition Cloud" documents provide the first direct evidence of PRC offensive cyber ranges purpose-built to rehearse attacks on neighbors' critical infrastructure, confirming what Western intelligence has long assessed about pre-conflict disruption preparation [4].
1. 15th Five-Year Plan Formally Adopted, Codifying Tech Sovereignty Goals
- What happened: Nearly 3,000 delegates at the National People's Congress approved the 15th Five-Year Plan on March 12, setting China's economic and strategic roadmap for 2026 to 2030 [13]. The plan projects annual R&D spending growth of at least 7% and targets raising the value added of core digital economy industries to 12.5% of GDP [14]. Xi Jinping described the plan as an "important bridging role" toward "basically realizing socialist modernization" by 2035 [14].
- Cyber implications: The plan's emphasis on AI, quantum computing, semiconductors, and digital economy will almost certainly sustain and intensify state-sponsored espionage targeting of Western firms holding IP in these domains. The 7% defense budget increase [10] provides sustained funding for military modernization, including the PLA's cyber and intelligence capabilities. MSS cyber operations, which are funded separately from the declared defense budget, are also likely to benefit from increased overall state investment in technology.
- Sectors at risk: AI research, semiconductor design and manufacturing, quantum computing, biotechnology, 6G/telecommunications, advanced materials
- Confidence: Moderate
- Sources: [10], [13], [14]
2. Five-Plus PRC APT Clusters Operating Simultaneously Against Global Infrastructure
- What happened: Google and Mandiant disclosed the disruption of UNC2814, a PRC-nexus group that breached 53 organizations across 42 countries using a novel backdoor called GRIDTIDE, which abuses the Google Sheets API for command-and-control [1]. Separately, CISA updated its advisory on BRICKSTORM malware targeting VMware vCenter environments, attributed to multiple PRC actors including Warp Panda [2]. Cisco Talos disclosed UAT-8837, assessed with medium confidence as a China-nexus group, exploiting a critical Sitecore zero-day (CVE-2025-53690) against North American critical infrastructure [3]. Google's annual zero-day tracking found China-linked groups remained the most prolific state users of zero-day exploits in 2025, with enterprise networking and security appliances comprising nearly half of all enterprise-targeted zero-days.
- Cyber implications: The operational tempo and diversity of tooling across these clusters indicate a deliberate strategy of parallel campaigns, making attribution and defense coordination harder. GRIDTIDE's abuse of legitimate SaaS platforms for C2 bypasses traditional network monitoring, forcing defenders to inspect API-layer traffic.
- Sectors at risk: Telecommunications, government, IT, legal, manufacturing, critical infrastructure operators
- Confidence: Moderate
- Sources: [1], [2], [3]
3. Salt Typhoon Persists in Global Telecom Networks
- What happened: Senator Cantwell cited expert testimony warning that Salt Typhoon has not been fully remediated from telecommunications networks. Both AT&T and Verizon have declined to cooperate with Senate inquiries into the breach [6]. FBI officials confirmed at least 200 companies worldwide were compromised [7]. Czech cybersecurity officials reported related incidents in Finland and Poland, confirming European exposure [7]. A Tier 4 source reported suspicious activity in an FBI surveillance network in February 2026, with investigators suspecting a link to PRC cyber espionage campaigns [5].
- Cyber implications: The confirmed persistence of Salt Typhoon inside major telecom networks, combined with the possible targeting of law enforcement surveillance systems, suggests the campaign's scope may still be growing. Surveillance metadata has enormous counterintelligence value even if intercepted communications content was not accessed. Note: Major telecoms have claimed remediation (AT&T stated it detected no current nation-state activity; Verizon claimed containment), but both have refused to provide supporting documentation to the Senate [6].
- Sectors at risk: Telecommunications, internet service providers, law enforcement, intelligence community
- Confidence: Moderate (for telecom persistence); Low (for FBI network breach, based on Tier 4 sourcing)
- Sources: [5], [6], [7]
4. Expedition Cloud Leak Confirms PRC Offensive Cyber Rehearsals
- What happened: Leaked internal documents described a PRC training platform called "Expedition Cloud," designed to allow operatives to practice hacking replicas of real network environments belonging to China's "main operational opponents in the South China Sea and Indochina directions" [4]. The platform simulates attacks on power, energy transmission, transport, and smart home infrastructure, with a significant role for AI in orchestrating attacks [4].
- Cyber implications: This is the first time foreign analysts have seen explicit Chinese documentation describing an offensive cyber range targeting foreign critical infrastructure [4]. It validates Western assessments of PRC pre-positioning intent and confirms that energy and transport sectors in Southeast Asia face direct and rehearsed threats.
- Sectors at risk: Power/energy, energy transmission, transport, smart infrastructure (primarily South China Sea and Indochina region)
- Confidence: Low (documents are leaked and not independently verified by government sources)
- Sources: [4]
5. Taiwan Cross-Strait Pressure and Tenfold Cyber Surge
- What happened: Taiwan's NSB recorded over 960 million cyber intrusion attempts against critical infrastructure in 2025, with the energy sector seeing a tenfold increase compared to the prior year [8]. Emergency rescue entities and hospitals saw a 54% rise [8]. Attacks peaked during politically sensitive dates, particularly around the anniversary of President Lai Ching-te's inauguration [8]. Simultaneously, China Coast Guard ships conducted an eight-hour patrol through Taiwan's Pratas Island contiguous zone, and Taiwan reportedly faces a March 15 deadline on U.S. arms packages that domestic political gridlock may cause it to miss.
- Cyber implications: The correlation between political events and cyber surge activity is a clear indicator of operationally timed campaigns. Based on established patterns, the arms sales deadline on March 15 is assessed as a potential trigger for retaliatory cyber operations against both Taiwan and U.S. defense-adjacent organizations.
- Sectors at risk: Energy, emergency services, healthcare, defense industrial base (Taiwan and U.S.)
- Confidence: Moderate
- Sources: [8]
Strategic Context
- National strategy: The 15th Five-Year Plan (2026-2030), formally adopted in March 2026, sets the strategic direction for all state activity including cyber operations [B1][13]. Its priorities center on AI and emerging technology, semiconductor self-sufficiency, military-civil fusion, defense modernization, and digital infrastructure [B1][14]. The plan projects at least 7% annual R&D growth and targets 12.5% of GDP from core digital economy industries [14]. The concurrent 7% defense budget increase, which the Pentagon assesses understates actual spending by 32-63% [10], ensures sustained funding for offensive cyber capabilities [10]. China's economic growth target was lowered to 4.5-5%, the lowest in nearly 30 years [13]. This likely increases pressure on the state to achieve technological breakthroughs through both domestic innovation and foreign acquisition.
- Key actors and mandates: China's cyber operations are conducted primarily through PLA cyber and information warfare forces (which have undergone recent organizational restructuring) and the Ministry of State Security (MSS), with the Military-Civil Fusion (MCF) doctrine [B2] ensuring coordination between military cyber units and the civilian technology sector. This doctrine drives systematic IP theft targeting. Ongoing PLA purges (36 senior officers have lost their seats since the 20th Party Congress) [11] have created temporary command deficiencies, but the IISS assessed these as "likely to be a temporary disturbance" that won't slow the overall military and cyber buildup [12]. MSS-directed operations (including those outsourced to contractors) appear unaffected by the PLA leadership turbulence.
- Ongoing strategic objectives: China's cyber operations serve three interlocking goals. First, technology acquisition: the chip shortage driven by U.S. export controls is pushing both cyber and human espionage targeting of AI and semiconductor IP, as demonstrated by the landmark Ding conviction [9]. Second, pre-conflict preparation: the Expedition Cloud leak [4] and Taiwan cyber surge data [8] confirm that PRC units are actively rehearsing infrastructure disruption against regional adversaries. Third, strategic influence: China's facilitation of sanctions evasion for Russia, Iran, and North Korea [18] creates a networked adversary ecosystem where cyber tools, intelligence, and operational support may flow between allied states, compounding the threat to Western defenders. Belt and Road Initiative (BRI) partner nations [B5] and South China Sea claimants [B6] continue to face targeting as China expands regional influence, with the Philippines' arrest of three defense personnel for spying for Beijing [15] and the emerging Indonesia-Philippines-Vietnam maritime security triangle [16] likely expanding the target set further.
Sources: [B1], [B2], [B5], [B6], [4], [8], [9], [10], [11], [12], [13], [14], [15], [16], [18]
Outlook
The near-term threat picture is defined by three escalation triggers. First, Taiwan's March 15 deadline on U.S. arms packages: if signed, we assess with moderate confidence that PRC cyber operations against Taiwan's defense sector and U.S. defense contractors will intensify within days, consistent with established patterns of retaliatory cyber activity around arms sales. If the deal collapses due to Taiwan's domestic gridlock, Beijing may interpret this as successful coercive pressure, potentially emboldening further gray-zone operations. Second, the SCOTUS IEEPA ruling [17] has created legal uncertainty around U.S. tariff authorities, though the President has already imposed replacement tariffs under Section 122 of the Trade Act of 1974. If Congress moves to grant new tariff authority or the administration escalates Section 301 investigations, expect an escalation in trade tensions and correlated increases in PRC cyber activity against financial services and trade-policy organizations. Third, CISA's operational degradation creates a widening gap between the threat and the federal government's capacity to respond. If CISA's workforce and partnership losses continue, organizations (particularly state/local government and smaller critical infrastructure operators) will face PRC-level threats with reduced federal support. Watch for whether CISA receives emergency funding or staffing relief, as this will directly affect the U.S. defensive posture.
Sources: [17]
Red Sheep Assessment
Assessment (Moderate Confidence): The simultaneous operation of five or more distinct PRC cyber clusters against overlapping target sets (telecoms, critical infrastructure, government) is not adequately explained by independent campaign planning. Available evidence, particularly the Expedition Cloud leak [4] and the correlation between political events and Taiwan cyber surges [8], suggests a higher degree of centralized operational coordination than the Western practice of tracking isolated APT clusters implies. The diversity of tooling (GRIDTIDE on SaaS APIs, BRICKSTORM on VMware, open-source toolkits for UAT-8837, Salt Typhoon on telecom switching infrastructure) looks less like separate campaigns and more like a deliberate portfolio approach: different tools for different access requirements, managed toward a common strategic objective of broad, persistent access to Western and regional infrastructure.
A contrarian read of the PLA purges deserves consideration. While consensus holds that purges are "temporary disturbances" to command structures [12], it's also possible that the purges are partly motivated by operational security failures tied to the exposure of cyber operations (I-Soon leak in 2024, now Expedition Cloud in 2026). Xi's insistence that "there absolutely cannot be anyone in the military who harbors disloyalty to the Party" [11] may reflect concern not just about corruption but about information security within the offensive cyber apparatus itself. If true, expect tighter operational compartmentalization in future PRC campaigns, making attribution harder.
Defender's Checklist
- [ ] Hunt for GRIDTIDE indicators in SaaS API logs. Review Google Sheets API access patterns across your environment. Look for automated, periodic read/write operations from internal hosts to Google Sheets that don't match known business workflows. Focus on systems in telecom and government networks. [1]
- [ ] Conduct a VMware vCenter threat hunt using BRICKSTORM IOCs. If you run VMware vCenter, apply the CISA malware analysis report indicators immediately. Check for unauthorized persistence mechanisms, lateral movement via vSphere, and unexpected outbound tunneling from vCenter servers. [2]
- [ ] Patch or mitigate Sitecore CVE-2025-53690 (CVSS 9.0). If your organization or any third-party supplier runs Sitecore CMS, verify patch status. Conduct retrospective log analysis for exploitation indicators (Earthworm tunneling, SharpHound AD enumeration, DWAgent remote access, Certipy certificate abuse). [3]
- [ ] Prioritize patching of edge/network security appliances. China-linked actors are the top state-backed exploiters of zero-days, with firewalls, VPN gateways, and security appliances comprising nearly half of all enterprise zero-day targets in 2025. Treat vendor security advisories for these devices as critical priority.
- [ ] Reassess insider threat programs for AI and semiconductor IP. The Ding conviction confirms that human-enabled espionage targeting AI infrastructure is an active vector. Review access controls, DLP policies, and behavioral analytics for employees with access to model training infrastructure, chip design IP, or supercomputing resources. [9]
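The first checklist item is the one most defenders can act on today with data they already have. The script below is an added example (not part of this report, and not tooling from Google or Mandiant) that turns "periodic read/write operations to Google Sheets that don't match known business workflows" into a concrete check: it parses egress-proxy records, groups Sheets API requests by (source host, spreadsheet ID), and flags pairs whose inter-request spacing is nearly constant. The log format, IP addresses, spreadsheet IDs and the allowlist of known workflows are all constructed for the example; the thresholds (five events, 5% jitter) are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample egress-proxy log lines in a hypothetical format:
#   <ISO-8601 timestamp> <source IP> <destination host> <HTTP method> <URL path>
# 10.20.1.15 polls one spreadsheet every ~5 minutes, alternating a read of a
#   "tasks" range with a write to a "results" range (beacon-like, bidirectional).
# 10.20.2.40 is a person editing budget sheets at irregular times.
# 10.20.5.50 is a known scheduled reporting job writing every 10 minutes.
SAMPLE_LOG = """\
2026-03-01T09:00:00Z 10.20.1.15 sheets.googleapis.com GET /v4/spreadsheets/sheet-c2-example/values/tasks!A1:B50
2026-03-01T09:05:01Z 10.20.1.15 sheets.googleapis.com PUT /v4/spreadsheets/sheet-c2-example/values/results!A1
2026-03-01T09:09:59Z 10.20.1.15 sheets.googleapis.com GET /v4/spreadsheets/sheet-c2-example/values/tasks!A1:B50
2026-03-01T09:15:00Z 10.20.1.15 sheets.googleapis.com PUT /v4/spreadsheets/sheet-c2-example/values/results!A1
2026-03-01T09:20:02Z 10.20.1.15 sheets.googleapis.com GET /v4/spreadsheets/sheet-c2-example/values/tasks!A1:B50
2026-03-01T09:24:58Z 10.20.1.15 sheets.googleapis.com PUT /v4/spreadsheets/sheet-c2-example/values/results!A1
2026-03-01T09:30:00Z 10.20.1.15 sheets.googleapis.com GET /v4/spreadsheets/sheet-c2-example/values/tasks!A1:B50
2026-03-01T09:35:01Z 10.20.1.15 sheets.googleapis.com PUT /v4/spreadsheets/sheet-c2-example/values/results!A1
2026-03-01T09:02:13Z 10.20.2.40 sheets.googleapis.com GET /v4/spreadsheets/budget-fy26/values/Summary!A1:F20
2026-03-01T09:17:48Z 10.20.2.40 sheets.googleapis.com PUT /v4/spreadsheets/budget-fy26/values/Summary!C4
2026-03-01T10:41:05Z 10.20.2.40 sheets.googleapis.com GET /v4/spreadsheets/budget-fy26/values/Summary!A1:F20
2026-03-01T13:03:30Z 10.20.2.40 sheets.googleapis.com GET /v4/spreadsheets/hiring-plan/values/Q2!A1:D10
2026-03-01T13:55:12Z 10.20.2.40 sheets.googleapis.com GET /v4/spreadsheets/budget-fy26/values/Summary!A1:F20
2026-03-01T16:20:44Z 10.20.2.40 sheets.googleapis.com PUT /v4/spreadsheets/budget-fy26/values/Summary!C5
2026-03-01T09:10:00Z 10.20.5.50 sheets.googleapis.com PUT /v4/spreadsheets/ops-report/values/Daily!A1
2026-03-01T09:20:00Z 10.20.5.50 sheets.googleapis.com PUT /v4/spreadsheets/ops-report/values/Daily!A1
2026-03-01T09:30:00Z 10.20.5.50 sheets.googleapis.com PUT /v4/spreadsheets/ops-report/values/Daily!A1
2026-03-01T09:40:00Z 10.20.5.50 sheets.googleapis.com PUT /v4/spreadsheets/ops-report/values/Daily!A1
2026-03-01T09:50:00Z 10.20.5.50 sheets.googleapis.com PUT /v4/spreadsheets/ops-report/values/Daily!A1
2026-03-01T10:00:00Z 10.20.5.50 sheets.googleapis.com PUT /v4/spreadsheets/ops-report/values/Daily!A1
2026-03-01T09:01:00Z 10.20.1.15 www.google.com GET /
"""

# Known business workflows as (source IP, spreadsheet ID) pairs; hypothetical.
KNOWN_WORKFLOWS = {("10.20.5.50", "ops-report")}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")
SHEET_RE = re.compile(r"^/v4/spreadsheets/(?P<sheet>[^/?]+)")
WRITE_METHODS = {"PUT", "POST"}


def parse_sheets_events(text):
    """Keep only requests to the Sheets API, pulling the spreadsheet ID from the path."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["dst"] != "sheets.googleapis.com":
            continue
        sheet_m = SHEET_RE.match(m["path"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": m["src"],
            "method": m["method"],
            "sheet": sheet_m["sheet"] if sheet_m else None,
        })
    return events


def interval_stats(timestamps):
    """Mean inter-request interval and its coefficient of variation (jitter relative to period)."""
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(deltas)
    return avg, (pstdev(deltas) / avg if avg > 0 else float("inf"))


def hunt_sheets_beacons(log_text, allowlist, min_events=5, max_cv=0.05):
    """Flag (host, spreadsheet) pairs with enough requests and near-constant spacing."""
    grouped = defaultdict(list)
    for ev in parse_sheets_events(log_text):
        grouped[(ev["src"], ev["sheet"])].append(ev)

    findings = []
    for (src, sheet), evs in grouped.items():
        if (src, sheet) in allowlist or len(evs) < min_events:
            continue
        period, cv = interval_stats([e["ts"] for e in evs])
        if cv > max_cv:
            continue
        methods = {e["method"] for e in evs}
        findings.append({
            "src": src,
            "sheet": sheet,
            "events": len(evs),
            "period_s": round(period),
            "jitter_cv": round(cv, 3),
            # Reads plus writes against one sheet look like tasking pull and result push.
            "bidirectional": "GET" in methods and bool(methods & WRITE_METHODS),
        })
    return sorted(findings, key=lambda f: (f["src"], f["sheet"] or ""))


if __name__ == "__main__":
    for finding in hunt_sheets_beacons(SAMPLE_LOG, KNOWN_WORKFLOWS):
        print(finding)
```

Run against the constructed log, only 10.20.1.15 is reported: eight requests to one sheet at a 300-second period with under 1% jitter, mixing reads and writes. The reporting job on 10.20.5.50 is just as periodic but is suppressed by the allowlist, which is the point of the "known business workflows" qualifier; remove the allowlist and it surfaces too, but as write-only. Two caveats a practitioner should keep in mind: a coefficient-of-variation threshold will miss implants that add large random sleep jitter, so widen the window and lower `min_events` for long-dwell hunts, and because this traffic is TLS to a Google endpoint, you need proxy, CASB or Workspace audit visibility at the API layer rather than flow data alone.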
Sources
- [1] "Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries" - The Hacker News, https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html
- [2] "CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People's Republic of China State-Sponsored Actors" - CISA, https://www.cisa.gov/news-events/news/cisa-nsa-and-cyber-centre-warn-critical-infrastructure-brickstorm-malware-used-peoples-republic
- [3] "China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusion" - The Hacker News, https://thehackernews.com/2026/01/china-linked-apt-exploits-sitecore-zero.html
- [4] "Leaked technical documents show China rehearsing cyberattacks on neighbors' critical infrastructure" - The Record, https://therecord.media/leaked-china-documents-show-testing-cyber-neighbors
- [5] "Suspected Chinese Hackers Breach FBI Surveillance Network" - Computerbilities, https://www.computerbilities.com/fbi-surveillance-network-breach-chinese-hackers-2026/
- [6] "Cantwell Demands AT&T, Verizon CEOs Come Clean on Salt Typhoon Hacks" - U.S. Senate Commerce Committee, https://www.commerce.senate.gov/2026/2/cantwell-demands-at-t-verizon-ceos-come-clean-on-salt-typhoon-hacks-ongoing-network-security-risks
- [7] "Salt Typhoon is hacking the world's phone and internet giants" - TechCrunch, https://techcrunch.com/2026/03/09/salt-typhoon-china-who-has-been-hacked-global-telecom-giants/
- [8] "China intensifies Cyber-Attacks on Taiwan" - Infosecurity Magazine, https://www.infosecurity-magazine.com/news/china-intensifies-cyberattacks/
- [9] "Former Google Engineer Found Guilty of Economic Espionage and Theft of Confidential AI Technology" - U.S. Department of Justice, https://www.justice.gov/opa/pr/former-google-engineer-found-guilty-economic-espionage-and-theft-confidential-ai-technology
- [10] "China amps up its 2026 defense budget by 7% amid purge of generals" - Defense News, https://www.defensenews.com/global/asia-pacific/2026/03/10/china-amps-up-its-2026-defense-budget-by-7-amid-purge-of-generals/
- [11] "Xi Jinping Signaled More Military Purges at the 2026 Two Sessions" - Vision Times, https://www.visiontimes.com/2026/03/10/xi-jinping-signaled-more-military-purges-at-the-2026-two-sessions.html
- [12] "China's purges create military weakness - for now" - Newsweek, https://www.newsweek.com/chinas-purges-create-military-weakness-for-now-11579774
- [13] "China's key NPC meeting comes to a close as lower growth target set" - Al Jazeera, https://www.aljazeera.com/news/2026/3/12/chinas-key-npc-meeting-comes-to-a-close-as-lower-growth-target-set
- [14] "China 5 - March 13, 2026" - Asia Society, https://asiasociety.org/policy-institute/china-5-march-13-2026
- [15] "Philippines Arrests 3 Defense Personnel Over China Spy Claims" - The Diplomat, https://thediplomat.com/2026/03/philippines-arrests-3-defense-personnel-over-china-spy-claims/
- [16] "Indonesia, the Philippines, and Viet Nam Are Exploring a Maritime Security Triangle" - SEAsia.co, https://seasia.co/2026/03/09/indonesia-the-philippines-and-viet-nam-are-exploring-a-maritime-security-triangle-in-the-south-china-sea
- [17] "US Congressional Research Briefing on US-China tariffs" - Global Sanctions, https://globalsanctions.com/2026/03/us-congressional-research-briefing-on-us-china-tariffs/
- [18] "China's Facilitation of Sanctions and Export Control Evasion" - U.S.-China Economic and Security Review Commission, https://www.uscc.gov/research/chinas-facilitation-sanctions-and-export-control-evasion