Cyber Attacks from Chinese IPs on NATO Countries Surge by 116%


Last week, Check Point Research (CPR) observed an increase in cyber attacks aimed at NATO countries that were sourced from Chinese IP addresses. CPR examined the trend before and after Russia's invasion of Ukraine and found that cyber attacks from Chinese IPs jumped by 116% on NATO countries and by 72% worldwide. CPR cannot attribute the cyber attacks to Chinese entities or to any known Chinese threat actor. The observation indicates a trend: hackers, likely within China and abroad, are increasingly using Chinese IPs as a resource to launch cyber attacks since the start of the Russia-Ukraine conflict.

Check Point Research (CPR) sees an increase in cyber attacks sourced from Chinese IP addresses throughout the current Russia-Ukraine conflict.

  • Last week, the weekly average of worldwide attacks originating from China per organization was 72% higher than before the invasion and 60% higher than the first three weeks of the conflict
  • Last week, the weekly average of cyber-attacks sourced from China on NATO corporate networks was 116% higher than before the invasion, and 86% higher than the first three weeks of the conflict
  • The increase is significantly higher than the overall global increase in cyber attacks seen during the same timeframes

As the Russia-Ukraine conflict intensifies, we grew curious around cyber attacks originating from China. We're seeing significant increases in cyber attacks that originate from Chinese IP addresses. It's important to underscore that we cannot make an attribution to the Chinese entities, as it is difficult to determine attribution in cyber security without more evidence. But what is clear is that hackers are using Chinese IPs to launch cyber attacks world-wide, especially NATO countries. The IPs are likely used by hackers within China and abroad. The trend can have many meanings. For example, the increase can indicate where it is now easy or cheap to set up and operate a service or where it is more opportune to hide the real origin of the attack. It can also indicate how global cyber traffic is being routed at this moment in time. CPR will continue to dig deeper into this trending observation in the weeks ahead. For now, we're only informing on what we see.


| Country | Last week vs. before the invasion | Last week vs. first 3 weeks of the invasion |
|---|---|---|
| Belgium | 109% | 123% |
| Canada | 43% | 25% |
| Czech Republic | 226% | 133% |
| Denmark | 281% | 241% |
| France | 122% | 129% |
| Germany | 134% | 120% |
| Greece | 86% | 72% |
| Italy | 112% | 89% |
| Netherlands | 109% | 97% |
| Norway | 50% | 49% |
| Poland | 112% | 110% |
| Portugal | 127% | 85% |
| Spain | 120% | 124% |
| United Kingdom | 126% | 129% |
| United States | 23% | 27% |