The Attribution Problem: Is Blaming China for Cyberattacks Political, Factual — or Both?
A Critical Analysis of CrowdStrike's 2026 Technology Threat Report and the Deeper Question of Who Gets Named in Cyber Conflict
June 11, 2026
Introduction: The Number That Travels
"China-linked hacking groups accounted for more than 58% of all state-sponsored cyberattacks targeting the technology sector."
That figure — from CrowdStrike's 2026 Technology Threat Landscape Report — will be cited in boardrooms, congressional hearings, news headlines, and policy papers for months. It is a clean, authoritative, alarming number. And it raises a question that most coverage will skip entirely: How do we actually know?
The attribution problem in cybersecurity is one of the most consequential and underexamined issues in technology policy. It sits at the intersection of technical forensics, geopolitical interest, commercial incentive, and legal standards — and yet public discourse routinely treats attribution claims as settled fact when the underlying methodology is far more contested. This article examines what the CrowdStrike report establishes, what it cannot establish, and whether the pattern of naming China is political, factual, or an uncomfortable hybrid of both.
What CrowdStrike Actually Found (And How It Found It)
CrowdStrike's report names five Chinese threat groups — MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA, and WARP PANDA — as the most active actors against the technology sector. The named activities are specific: MURKY PANDA conducted a large-scale password-spraying campaign that reportedly impacted more than 340 US-based entities; WARP PANDA repeatedly targeted North American technology organisations; SUNRISE PANDA focused on mail infrastructure at East and Southeast Asian tech firms.
The report frames this as a "strategic effort by Beijing to steal AI capabilities it cannot develop domestically at the pace required." It is worth pausing here to note what this framing does: it moves from observed technical behaviour (intrusion patterns, toolkits, network activity) to strategic motivation (Beijing's industrial policy gaps). That leap is significant, and it is where the attribution debate begins.
How Attribution Actually Works
Cybersecurity firms attribute attacks through a layered process that draws on several types of evidence:
Technical indicators — malware code, command-and-control infrastructure, exploited vulnerabilities, network routing patterns, and TTPs (tactics, techniques, and procedures). A known malware family or toolset can link an intrusion to a previously identified threat actor.
Linguistic and cultural artefacts — language embedded in code, time-zone metadata suggesting working hours, keyboard configurations, and commenting styles within scripts.
Targeting patterns — which industries, which countries, which types of data. When an actor consistently targets defence contractors the week before Chinese government procurement decisions, the pattern carries analytical weight.
Intelligence corroboration — the most reliable attributions layer private-sector forensics on top of classified intelligence held by governments. Companies like CrowdStrike have deep relationships with US government agencies; their "named" threat actors often reflect shared intelligence assessments, not just public-facing technical analysis.
When all these signals align, attribution confidence is high. But the signals do not always align, and the most sophisticated adversaries know precisely how to muddy them.
The Technical Case Against Certainty
False Flag Operations Are Real and Documented
Attribution of cyber attacks remains an under-researched problem, and false flag campaigns in particular have received little systematic attention. These are attacks that use covert tactics to deceive or misdirect attribution, either to hide the true origin or to shift blame onto a third party.
This is not a theoretical concern. Nation-state actors, including Western ones, have demonstrated both the capability and the willingness to spoof origin indicators. The Vault 7 CIA leaks included an obfuscation framework able to insert foreign-language strings into code, exactly the kind of linguistic artefact that would steer an analyst toward the wrong country. In 2018 the "Olympic Destroyer" malware that disrupted the Pyeongchang Winter Olympics carried deliberate false flags resembling the tradecraft of several different state groups at once; researchers later showed that one of them, a PE Rich header matching a known North Korean toolset, had been forged. It was an unusually thorough exercise in deception.
False flags are the largest of the challenges attribution faces. Technical attribution is a laborious, meticulous process, which partly explains why cybersecurity vendors are cautious about the claims they make. "We can make mistakes," one Trend Micro analyst admitted. Nation-states can make mistakes too, typically with far more serious consequences. Adversaries know this, and are willing to do whatever they can to push both private vendors and intelligence agencies into a corner.
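The time-zone inference mentioned under "Linguistic and cultural artefacts", and the way a false flag defeats it, can be shown concretely. The Python below is an added example, not code from the article or any of its sources. It builds a constructed set of activity timestamps (imitating nine actions per weekday by an operator sitting at UTC+8; not real telemetry), fits every whole-hour UTC offset to a Monday-to-Friday 09:00-17:59 workday, and then shifts the timestamps the way an adversary who controls compile times or file metadata could. All function names are the example's own.

```python
"""Working-hours inference from artefact timestamps, and how a false flag defeats it.

Added example, not code from the article or its sources. Timestamps are
constructed to look like nine actions per weekday by an operator at UTC+8.
"""
from datetime import datetime, timedelta, timezone


def constructed_activity() -> list[datetime]:
    """Constructed sample: nine events per working day across one week,
    at 01:17-09:17 UTC, i.e. a 09:17-17:17 local day for someone at UTC+8."""
    start = datetime(2026, 3, 2, tzinfo=timezone.utc)
    events = []
    for day in range(7):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:          # keep Monday-Friday only
            continue
        for hour in range(1, 10):
            events.append(d.replace(hour=hour, minute=17))
    return events


def workday_fit(events, offset_hours, start_hour=9, end_hour=18) -> float:
    """Fraction of events that land on a Mon-Fri 09:00-17:59 workday
    once shifted from UTC into the candidate zone."""
    shift = timedelta(hours=offset_hours)
    hits = sum(
        1 for ts in events
        if (ts + shift).weekday() < 5 and start_hour <= (ts + shift).hour < end_hour
    )
    return hits / len(events)


def rank_offsets(events) -> list[tuple[float, int]]:
    """Score every whole-hour UTC offset; best fit first, ties broken by offset."""
    scored = [(workday_fit(events, off), off) for off in range(-12, 15)]
    return sorted(scored, key=lambda t: (-t[0], t[1]))


def plausible_offsets(events, threshold=0.85) -> list[int]:
    """Offsets whose fit clears the threshold. Usually more than one: the
    method yields a band of time zones, never a country."""
    return [off for fit, off in rank_offsets(events) if fit >= threshold]


def forge_timestamps(events, shift_hours) -> list[datetime]:
    """A false flag on artefacts the adversary controls (compile times, file
    mtimes, document metadata): shift them so they fit another zone's workday."""
    return [ts + timedelta(hours=shift_hours) for ts in events]


if __name__ == "__main__":
    real = constructed_activity()
    print("best fit:", rank_offsets(real)[0])             # (1.0, 8)
    print("plausible offsets:", plausible_offsets(real))  # [8, 7, 9]
    forged = forge_timestamps(real, 5)
    print("after forging +5h:", rank_offsets(forged)[0])  # (1.0, 3)
```

Two caveats fall straight out of the output. First, even on clean data the method returns a band of offsets, and UTC+8 alone covers China, Taiwan, Singapore, Malaysia, the Philippines and Western Australia, so a time-zone fit is a weak indicator on its own. Second, when the timestamps come from artefacts the adversary produces rather than from the defender's own telemetry, a five-hour shift is enough to move the inferred workday to UTC+3. Timestamps observed by the victim's network sensors are harder to forge than those embedded in the attacker's files, which is why analysts weight the two differently.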
Code Is Not Identity
One of the most basic attribution problems is that code is not identity. Malware families, scripts, and tradecraft elements can be reused across multiple actors — leaked, sold, repurposed, or intentionally copied. A familiar tool may point toward a known group, but it does not prove that the same actor is behind the latest campaign. Tools are clues, not signatures of nationality.
This is a critical point. The "PANDA" suffix is CrowdStrike's own naming convention for China-nexus actors; other vendors track overlapping activity under different names, and the clusters do not map onto one another one-to-one. When a new intrusion uses tools previously associated with MURKY PANDA, the default analytical move is to attribute it to the same group. But that assumption can be exploited: a third party that acquires or reverse-engineers the same toolset can conduct operations that will be attributed to China simply by using familiar instruments.
The Infrastructure Problem
State-linked operators rarely launch operations from infrastructure that cleanly reveals their origin. They use compromised devices, rented servers, anonymising paths, cloud services, and multi-country relay points to hide where activity truly begins.
An intrusion that appears to originate from a server in Shanghai may be routed through compromised devices in six other countries. IP geolocation is a starting point, not a conclusion.
Legal Standards vs. Intelligence Standards
In international law, some have called for a clear evidentiary standard for attribution. Publicly attributing offensive cyber operations to a named state without clear evidence risks setting a precedent that undermines the norms and principles of international law, and the absence of universally binding norms and enforcement mechanisms in cyberspace continues to hinder the consistent application of sanctions or other penalties.
The gap between what a cybersecurity firm publishes in a threat report and what would hold up in an international court, or even in a diplomatic dispute, is vast. "Likely originating from China" is an intelligence assessment carrying an implicit confidence level. It is not proof beyond reasonable doubt, and it is not offered to any legal standard of proof at all. Yet it circulates with the authority of fact.
The Case FOR the Attribution Claims
Before the sceptical analysis tips into reflexive contrarianism, it is important to acknowledge the substantive evidence that makes China-focused attribution credible — and frequently accurate.
The Pattern-Strategic Alignment
Western cybersecurity firms and government agencies agree that China's targeting of industries for hacking has aligned with the strategic priorities in its Five-Year Plans. This is not a minor point. When intrusions cluster around the exact sectors that Beijing has publicly identified as national development priorities — semiconductors, AI, biotechnology, aerospace — the convergence between stated industrial policy and observed cyber behaviour is analytically meaningful. The alignment is too consistent, across too many years, to be entirely coincidental.
The iSoon Leak: A Rare Window Inside
In February 2024, a leak on GitHub exposed internal documents belonging to iSoon (Anxun Information Technology), a Shanghai-based contractor that openly advertised "APT service system," "target penetration services," and "battle support services" on behalf of Beijing. This was not an inference from malware artefacts; it was documentary evidence of the private-contractor ecosystem on which Chinese state cyber operations frequently rely, and it confirmed what analysts had long inferred from technical evidence.
Multi-Government Consensus
Attribution to China is not solely an American commercial claim. In May 2025, the Czech Ministry of Foreign Affairs stated it had been targeted by APT31, saying such behaviour "undermines the credibility of the People's Republic of China and contradicts its public declarations." In March 2026, the EU imposed sanctions on China-based Integrity Technology Group and Anxun Information Technology for cyberattacks on multiple EU member states, including critical infrastructure. When the EU, the Czech Republic, Denmark, Germany and the Five Eyes intelligence alliance reach similar conclusions through at least partly separate forensic chains, the convergence substantially raises the credibility of attribution, with one caveat: allied governments share intelligence with each other, so their assessments are corroborating rather than fully independent.
North Korea and the FAMOUS CHOLLIMA Finding
It is worth noting that the CrowdStrike report also assigns significant attribution to North Korea: FAMOUS CHOLLIMA accounted for 47% of state-sponsored hands-on-keyboard operations against the tech sector (a different denominator from the 58% figure, which covers all state-sponsored attacks on the sector, so the two percentages are not directly comparable). If the report were simply a political document designed to target China, why include a North Korea finding that is equally damning? The inclusion of multiple named state actors with specific, differentiated TTPs adds analytical credibility to the methodology.
The Commercial Dimension: CrowdStrike's Interests
This is where the most legitimate structural critique lives, and it deserves direct treatment rather than being buried in qualifications.
CrowdStrike is a publicly traded company (NASDAQ: CRWD) with a market capitalisation of approximately $167 billion. Its entire business model — which generated over $5.25 billion in ending Annual Recurring Revenue as of fiscal year 2026 — depends on enterprises and governments believing they face serious, sophisticated, and persistent cyber threats. The more alarming the threat landscape, the stronger the commercial case for buying CrowdStrike's platform.
This is not an accusation of fabrication. It is an observation about structural incentive. The same company that publishes the threat report also sells the solution to the threat the report describes. Its stock rose 1.6% the day after the Technology Threat Landscape Report was released. CrowdStrike's Q1 FY2027 earnings call explicitly framed the moment as "the Mythos moment," directly invoking AI security fears to describe its growth opportunity.
This does not mean the findings are wrong. It means they should be read with the same critical awareness one would apply to a pharmaceutical company's clinical trial of its own drug. The conflict of interest is structural, not necessarily corrupting — but it exists, and it shapes what gets emphasised, how findings are framed, and which numbers lead the press release.
Furthermore, CrowdStrike has deep institutional ties to the US government and defence establishment. It was one of the firms that conducted forensic analysis of the DNC server breach in 2016 — a role that drew criticism and scrutiny at the time. Being a launch partner in both Anthropic's Project Glasswing and OpenAI's Trusted Access for Cyber programme places CrowdStrike at the centre of an AI-security ecosystem with strong Western government alignment. That alignment serves legitimate purposes — but it also means CrowdStrike's geopolitical framing is unlikely to challenge the prevailing Washington consensus on China.
Is the Attribution Political, Factual — or Both?
This is the question the article set out to answer, and the honest answer is: both, in ways that are not easily separated.
It is factual in its technical foundation. The TTPs, the named groups, the infrastructure patterns, the targeted sectors — these reflect genuine forensic work conducted by skilled analysts. The convergence with Chinese industrial policy priorities, the iSoon leak, and the multi-government consensus provide corroborating layers that go well beyond guesswork. Dismissing all China-linked attribution as Western propaganda is intellectually dishonest and factually wrong.
It is political in its framing and function. The decision to publish a sector-specific report focused on the technology industry, naming Chinese groups with vivid labels, and contextualising findings through the lens of US-China strategic competition is a framing choice, not a forensic necessity. The report arrives "amid heightened US-China tensions over technology competition" and "is likely to intensify pressure on US policymakers" — as the original CrowdStrike coverage itself notes. The political utility of the findings is not incidental; it is built into the report's design.
It is commercially motivated in its distribution. The more alarming the China threat, the stronger the market for CrowdStrike's services. This does not make the data false, but it shapes what data gets published, how prominently, and with what narrative context.
There is a genuine epistemological problem. The 58% figure sounds precise. But it is a percentage of identified state-sponsored attacks against the technology sector — two variables that are themselves products of CrowdStrike's own detection methodology. The "true" denominator of all state-sponsored attacks globally is unknowable. The figure measures what CrowdStrike can see and has chosen to classify, not an objective census of cyber conflict.
What Fair Scrutiny Looks Like
None of this argues for ignoring the CrowdStrike report. It argues for reading it with the same critical framework one would apply to any document that combines genuine expertise, commercial interest, and geopolitical alignment.
What to take seriously: The named groups, their specific TTPs, the supply chain vectors, and the AI-infrastructure targeting patterns. These are operationally valuable, and their technical specificity gives them credibility.
What to interrogate: The confidence levels assigned to attribution. The framing of intent ("strategic effort by Beijing"). The completeness of the picture — who is not being reported on with equal rigour? What percentage of attacks by Five Eyes nations or Israel or private criminal groups are being named with equal specificity?
What to demand: An international standard of evidence for cyber attribution. Multiple scholars and policymakers have called for one, and it remains absent. Attributing an attack against a state, both who carried it out and who ordered it, is a precondition for cyber deterrence, but deterrence built on contested attribution is fragile, so a legal baseline on which to build norms and regulations is a necessary step. How sure a state must be before it attributes, and what threshold of evidence that requires, remains unresolved.
Conclusion: The Responsibility of the Named Number
The 58% figure will travel. It will become a citation in sanctions hearings, defence budget justifications, export control arguments, and diplomatic statements. It will shape policy decisions that affect billions of people and trillions of dollars in trade and investment.
The people making those decisions deserve to understand what the number represents and what it does not. It represents the best available commercial intelligence assessment, with real technical foundations, genuine forensic rigour and legitimate corroboration, and also irreducible structural interests that shape what gets published and how it is framed.
China's cyber operations are real, extensive, and consequential. The evidence for this is substantial, multi-sourced, and has been confirmed by independent governments with no commercial stake in the conclusion. None of that changes the fact that the attribution problem is genuinely hard, that false flags exist, that commercial incentives shape threat intelligence, and that the absence of an internationally accepted evidentiary standard for cyber attribution creates a space where policy consequence can outrun analytical confidence.
The question is not whether to trust the data. It is whether we are reading it with the care it — and the stakes — demand.
Sources: CrowdStrike 2026 Technology Threat Landscape Report; CrowdStrike Q1 FY2027 Earnings (June 3, 2026); Springer/Cybersecurity Journal — "Under False Flag: Using Technical Artifacts for Cyber Attack Attribution"; Taylor & Francis — "Navigating Uncertainty in Cyber Conflict"; E-International Relations — "The Problem of Cyber Attribution Between States"; MERICS — "Here to Stay: Chinese State-Affiliated Hacking for Strategic Goals"; CybelAngel — Cyber Espionage and APTs 2026; Wikipedia — Cyberwarfare by China; CyberWarzone — "Top 10 Attribution Problems in State-Linked Cyber Operations."