Natto Thoughts

State Actors

The Many Arms of the MSS: Why Provincial Bureaus Matter in China’s Cyber Operations

Provincial bureaus of the Chinese Ministry of State Security likely operate with their own tasking priorities, resources, and local ecosystems for cyber operations

Eugenio Benincasa and Natto Team
Dec 16, 2025

To defend systems, one must first pinpoint the source of malicious activity. Most cyber threat intelligence (CTI) firms focus on tactical and operational attribution: tactical attribution identifies and clusters technical details such as malware used, attack methods, or indicators of compromise, while operational attribution uses characteristics of activity clusters to infer group profiles and assigns labels like “APT” or “UNC.”1 Strategic attribution goes further by identifying the real-world individuals or entities behind an intrusion.

Some CTI experts debate the conditions under which strategic attribution is appropriate, while others highlight the technical challenges of identifying threat actors, the political motivations behind public disclosure, and the legal standards required to assign responsibility. The Natto Team and other researchers believe that – compared to “cluster-based” tactical and operational attribution – the strategic identification of real-world individuals and organizations is uniquely valuable for understanding:

  • The wider ecosystem around intrusions: the government units, companies, universities, and informal hacker networks that build and circulate capabilities and enable operational tasking;

  • The humans behind the keyboard: not only their tradecraft but also the motivations, self-image and habits, and cultural context in which they undertake malicious activity.

In China’s case, many government disclosures by the U.S. and other Western countries have pointed to APT groups and individual operators allegedly linked to provincial bureaus of the Ministry of State Security (MSS), China’s premier civilian intelligence agency. These bureaus function as the operational nerve centres of China’s cyber apparatus. The MSS is not a monolith: it is highly provincialized, with bureaus that cultivate their own bureaucratic interests, talent pipelines, and trusted ecosystems of companies and individual professionals and researchers.

Focusing on the provincial level therefore provides a clearer view of command and control, as well as intent and capabilities, behind Chinese state cyber operations. In this post, we analyze publicly identified cases of provincial MSS bureaus allegedly linked to cyber intrusion activities to ask: What roles do provincial MSS bureaus play in cyber operations? And do they exhibit identifiable patterns of regional specialization?
