Press Release
Updated statement regarding LockBit claims
We have completed a thorough security investigation following yesterday’s tweets by LockBit claiming they had compromised Darktrace’s internal systems. We can confirm that there has been no compromise of our systems or any of our affiliate systems. Our service to our customers remains uninterrupted and is operating as normal and no further action is required.
Press Release
Statement regarding LockBit claims
Earlier this morning we became aware of tweets from LockBit, the cyber-criminal gang, claiming that they had compromised Darktrace’s internal security systems and had accessed our data. Our security teams have run a full review of our internal systems and can see no evidence of compromise. None of the LockBit social media posts link to any compromised Darktrace data. We will continue to monitor the situation extremely closely, but based on our current investigations we are confident that our systems remain secure and all customer data is fully protected.
Press Release
New Darktrace Research Shows Evolution of Chinese-Nexus Cyber Operations into Long-Term Strategic Statecraft, Centered on Critical Infrastructure
- 88% of observed incidents targeted organizations in critical infrastructure sectors, including transportation, telecommunications, healthcare, and manufacturing.
- Nearly 63% of compromises began with exploitation of internet-facing systems, reinforcing the risk of exposed digital infrastructure.
- Over half of observed activity impacted Western economies, with the U.S. alone accounting for 22.5% of cases.
Darktrace, a global leader in AI for cybersecurity, today announced the findings of its new research report, Crimson Echo: Understanding Chinese-nexus Cyber Tradecraft Through Behavioral Analysis. Based on an analysis of three years’ worth of data across its customer base, the report provides a data-driven analysis of how Chinese-nexus cyber activity[1] operates in practice and how it is evolving.
Darktrace’s research reveals a fundamental shift in how cyber risk should be understood. Rather than discrete incidents or short-term breaches, most nation-state operations are designed to establish persistent access to strategically important systems, positioning cyber activity as a form of long-term strategic statecraft.
Cyber Access as a Strategic Objective
Analysis of behavioral data from July 2022 to September 2025 shows that, in many cases, gaining and maintaining access, instead of immediate disruption or data theft, is the primary objective of Chinese-nexus intrusions.
This reflects a broader evolution in cyber operations, where access to digital environments provides ongoing visibility into supply chains, industrial processes, and critical infrastructure. The findings challenge traditional security models that focus on incidents and breach response. Instead, they point to cyber risk as a continuous, structural exposure that must be managed over time.
“Many cyber operations are no longer just about breaking in and stealing data or causing short-term disruptions, they are about staying in,” said Nathaniel Jones, VP of Security & AI Strategy at Darktrace. “What we’re seeing is a shift toward persistent access as a strategic asset. Defenders need to move beyond incident response and focus on detecting subtle behavioral changes that could indicate a long-term compromise.”
Two Distinct Operational Models
The report identifies two consistent operational models used by Chinese-nexus actors:
1. “Smash and Grab” (Short-Horizon Operations):
Fast, opportunistic intrusions optimized for speed and scale. These operations often exploit internet-facing systems and prioritize rapid data access or intelligence gathering, with median dwell times of around 10 days and data exfiltration often occurring within 48 hours.
2. “Low and Slow” (Long-Horizon Operations):
More covert campaigns focused on persistence and strategic positioning. These intrusions prioritize identity control, legitimate administrative tools, and long periods of dormancy, sometimes lasting months or years within critical infrastructure environments.
While most observed cases fell into the short-horizon category, the long-horizon operations were often concentrated in high-value targets such as telecommunications, transportation, and digital infrastructure—suggesting a focus on strategic leverage over time.
The same operational ecosystem can employ both models concurrently, selecting the appropriate model based on target value, urgency, and intended access. The observation of a “Smash and Grab” model should not be solely interpreted as a failure of tradecraft, but instead an operational choice likely aligned with objectives. Where “Low and Slow” operations are optimized for patience, “Smash and Grab” is optimized for speed; both seemingly are deliberate operational choices, not necessarily indicators of capability.
Critical Infrastructure in Focus
The data shows a clear concentration of activity in sectors that underpin critical national infrastructure across the US and Europe:
- 88% of observed intrusions involved organizations classified as critical infrastructure, as defined by CISA.
- Key sectors included transportation, telecommunications, critical manufacturing, healthcare, and IT services.
These targeting patterns align with broader geopolitical and economic priorities, suggesting that cyber operations are increasingly integrated into long-term strategic competition.
The report also highlights that Western economies are a primary focus, with more than half (55%) of observed cases occurring in the U.S. and major European countries (Germany, Italy, Spain and the UK).
Internet-Facing Systems Remain the Front Door
Across the dataset, nearly two-thirds (~63%) of compromises began with the exploitation of internet-facing infrastructure.
Entry points such as edge devices, enterprise/SaaS applications, and exposed services continue to provide attackers with scalable access into organizations. Once inside, actors frequently rely on legitimate administrative tools and “living-off-the-land” techniques to move laterally and maintain persistence while avoiding detection.
This combination of external exposure and internal stealth makes detection particularly challenging for traditional security tools.
“Organizations need to rethink what risk looks like,” Jones added. “It’s not just about preventing breaches, it’s about understanding who may already have access, how long they’ve had it, and what that access enables over time.”
A Behavioral Approach to Detection
A key differentiator of the Crimson Echo research is its focus on behavioral analysis rather than individual threat groups or malware families. By examining patterns across multiple intrusions—including attack tempo, access methods, and kill-chain sequences—Darktrace’s Threat Research team identified consistent operational behaviors that persist even as tools, threat actors, and infrastructure change.
Additional Resources
About the Research
Crimson Echo is based on a three-year retrospective analysis of data from July 2022 to September 2025 conducted by Darktrace’s Threat Research team, examining anomalous activity and intrusion patterns across its global customer base. The research combines behavioral AI detections, structured threat hunting, and a multi-pillar attribution framework to identify medium- to high-confidence cases of Chinese-nexus cyber activity. A full methodology and copy of the Darktrace Cybersecurity Attribution Framework can be found in the Appendix section of the full report.
About Darktrace
Darktrace is a global leader in AI for cybersecurity that keeps organizations ahead of the changing threat landscape every day. Founded in 2013, Darktrace provides the essential cybersecurity platform protecting organizations from unknown threats using its proprietary AI that learns from the unique patterns of life for each customer in real-time. The Darktrace ActiveAI Security Platform™ delivers a proactive approach to cyber resilience to secure the business across the entire digital estate – from network to cloud to email. It provides pre-emptive visibility into the customer’s security posture, transforms operations with a Cyber AI Analyst™, and detects and autonomously responds to threats in real-time. Breakthrough innovations from our R&D teams in Cambridge, UK, and The Hague, Netherlands have resulted in over 250 patent applications filed. Darktrace’s platform and services are supported by over 2,300 employees around the world who protect nearly 10,000 customers across all major industries globally.
[1] Chinese-nexus refers to cyber activity that shows strong alignment with operational patterns historically associated with Chinese APTs or state-linked cyber ecosystems, but direct government direction may not be definitively established.
New Darktrace Research Shows Evolution of Chinese-Nexus Cyber Operations into Long-Term Strategic Statecraft, Centered on Critical Infrastructure
cv
Darktrace named a Challenger in first Gartner® Magic Quadrant™ for Email Security Platforms · Evaluated on Completeness of Vision and Ability to Execute Darktrace, a global leader in AI for cybersecurity,today announces that Darktrace / EMAIL™, has been recognized in thefirst ever Gartner Magic Quadrant™ for Email Security Platforms (ESP) as a Challenger. Chris Kozup, Chief Marketing Officer, Darktrace, said of therecognition: “We are extremely proud to have been recognized in the first MagicQuadrant for ESP. We believe the factthat wehave seen such wide scale adoption is testament to the unique way in which wedevelop products to keep our customers safe from even the most sophisticated emailcompromises. We believe our placement reaffirms our dedication to deliveringexceptional customer service, and innovations that safeguard against the emailchallenges of today—and tomorrow.” Darktrace customers consistently acknowledge its exceptional customersupport, delivered by an award-winning[1]service team. Darktrace has the highest percentage of 5-star ratings with a 4.8rating on Gartner® Peer Insights™ out of 249 reviews as on[MW1] 19th December. We feel this unwavering commitment to customersatisfaction is evident in strong renewal rates and accelerated growth inDarktrace / EMAIL over the past few years, gaining almost 5,000 customers sinceits launch in 2019. Darktrace / EMAIL, one of the fastest-growing emailsecurity products on the market, is built on Darktrace’s unique Self-LearningAI, a multi-layered AI engine that leverages different types of AI includingNLP and behavioral analysis to detect threats, instead of traditional securitymeasures such as signatures and sandboxing. This approach enables Darktrace todetect and stop threats like business email compromise attacks and noveltechniques, including some 56% of which passed through customers’ other emailsecurity layers. This pioneering approach has enabled Darktrace to introduce industry-leadingcapabilities such as QR code analysis and automated incident investigations, alongsidedifferentiated functionality to help teams add new depth to their emailsecurity, including: Account take over and Lateral mail account compromise protection. Contributing yet another layer to the AI behavioural profile for each user, security teams can now spot early symptoms of account compromise or malicious insiders before a link or attachment payload is sent, and exfiltration occur Microsoft Teams security with advanced messaging analysis: Advancing beyond simple text analysis to behavioral and natural language content analysis that tracks context across both email and instant messaging to identify the approximately 38% of phishing, sophisticated social engineering and novel insider threats other solutions fail to capture · Drastically improveend user reporting with Cyber AI Analyst narratives: Real-time awareness training capabilities reduce falsepositives in phishing investigations by up to 60% by providing context specificanalysis of each received email to each employee as they interact with their mail.· MailboxSecurity Assistant to increase security team operational efficiency: All forms ofsecondary investigations can now automatically perform advanced behavioralbrowser analysis and stop malicious links within webpages, reducing manualeffort of security analysts to detecting phishing links, and allowing them to remediateup to 70% more malicious phishing links than before.· AI based,autonomous data loss prevention: to immediately protect organizations from misdirected emails,insider threats, and data loss—both classified and unclassified – using userbehavior and dynamic content analysis to determine sensitivity, removing administrativeoverhead from manual expressions and labeling.Marco Cavallo, IT Manager at Darktrace / EMAIL customer Arpa Industries comments:“During the POV, Darktrace / EMAIL showed how specific attacks weresurgically blocked. We realized that other tools wouldn’t have detected thesethreats.” Darktrace / EMAIL is part of Darktrace’s ActiveAI Security Platform™,offering network, cloud, endpoint, identity and operational technologyprotection from a single shared architecture, all built on Darktrace’s uniqueAI engine – providing a strong, integrated approach to threat prevention,detection and response across an organization’s entire digital footprint. Darktrace’s global presence supports a diverse and varied customer base,and adapts proactively to customer pain points of all kinds. Darktrace’sadaptability across all market segments, from SMBs to large enterprisessupports both first time email security buyers and mature email securitystacks. It is able to meet varied security needs with lower setuprequirements, includes capability for advanced depth in configuration and,particularly for mature organizations, can augment existing security providerswith additional protections. Download the fullMagic Quadrant for Email Security Platforms here Resources:· Read more onthe Darktrace Blog· Read more abouthow business email compromise attacks are evolving on The Inference Gartner disclaimersGartner, Magic Quadrant for EmailSecurity Platforms, Max Taggett, Nikul Patel, Franz Hinner, Deepak Mishra, 16December 2024 GARTNER is a registered trademarkand service mark of Gartner and Magic Quadrant and Peer Insights are aregistered trademark, of Gartner, Inc. and/or its affiliates in the U.S. andinternationally and are used herein with permission. All rights reserved.
Gartner Peer Insights content consists of the opinions of individual endusers based on their own experiences with the vendors listed on the platform,should not be construed as statements of fact, nor do they represent the viewsof Gartner or its affiliates. Gartner does not endorse any vendor, product orservice depicted in this content nor makes any warranties, expressed orimplied, with respect to this content, about its accuracy or completeness,including any warranties of merchantability or fitness for a particularpurpose. Gartner does not endorse any vendor,product or service depicted in its research publications and does not advisetechnology users to select only those vendors with the highest ratings or otherdesignation. Gartner research publications consist of the opinions of Gartner’sresearch organization and should not be construed as statements of fact.Gartner disclaims all warranties, expressed or implied, with respect to thisresearch, including any warranties of merchantability or fitness for aparticular purpose. About DarktraceDarktrace is a global leader in AI for cybersecurity that keepsorganizations ahead of the changing threat landscape every day. Founded in2013, Darktrace provides the essential cybersecurity platform protectingorganizations from unknown threats using its proprietary AI that learns fromthe unique patterns of life for each customer in real-time. The DarktraceActiveAI Security Platform™ delivers a proactive approach to cyber resiliencewith pre-emptive visibility into security posture, real-time threat detection,and autonomous response – securing the business across cloud, email,identities, operational technology, endpoints, and network. Breakthroughinnovations from our R&D teams in Cambridge, UK, and The Hague, Netherlandshave resulted in over 200 patent applications filed. Darktrace’s platform andservices are supported by over 2,400 employees around the world who protectnearly 10,000 customers across all major industries globally. To learn more,visit http://www.darktrace.com. ----
[1] Darktrace wins two Globeeawards for excellent customer service [PressRelease] [MW1]shouldthis be 'of'
About Darktrace
