As a tumultuous year draws to a close, many in the West – and beyond – will be wondering what the two rival superpowers have planned for 2023. Ever a fraught alliance, the partnership between Russia and China could see both countries pool expertise in the cyber realm, as each one vies to stake its claim on the global stage.
In a recently published study of both nations, whimsically titled The Bear and the Dragon, global cybersecurity analyst Cybersixgill highlights an increased tendency for independent threat actors – that is to say, ones not working for partisan groups such as Killnet or Dragonbridge – to share expertise.
“While these two ecosystems have historically remained separate, recently, the Russian and Chinese cybercriminal worlds seem to have collided,” said Cybersixgill. “Late last year, a limited-access Russian-speaking cybercriminal forum resurfaced on the underground after a turbulent shutdown in October – this time, with a notable Chinese presence.”
It cited apparent efforts by the forum’s administrators “to enlist Chinese threat actors to their underground community, making sweeping changes to the forum’s interface to make it more accessible to both Mandarin- and English-speaking users.”
Chinese recruits to the dark web platform were encouraged “to participate in conversations, share tips, and collaborate with Russian counterparts on future attacks.”
It added: “This unique forum has emerged as a dedicated platform for unrestricted, cross-country cybercriminal collaboration and community-building, potentially indicating toward a nascent Russian-Chinese cybercriminal alliance in the face of increasing international efforts to tackle the scourge of ransomware.”
‘Script kiddie’ patriots
Cybernews reached out to geopolitical analyst and national security lawyer Irina Tsukerman, who despite being banned from Twitter for allegedly spreading disinformation on the platform - claims she strenuously denies - remains outspoken on foreign affairs and information operations. She shares the concerns expressed in the report.
“What it is pointing to is the trend of China increasingly pressuring or incentivizing the independent APTs [advanced persistent threats] to either follow the broad pro-state rhetoric or to increasingly recruit them to assist with intelligence-gathering missions,” she said. “This development is completely in line with China's general geopolitical trajectory, pushing nationalist rhetoric in every avenue and centralizing the role of the state.”
"We love the country and we love the party. China is unique, it is most independent. Friends, stand up and join us! It's time to do our part for our wonderful country."Patriotic dark web posting on hacker forum, translated from Chinese by cybersecurity analyst Cybersixgill
So pervasive has this patriotic narrative become that it appears to have filtered down even to individual hackers from the People’s Republic, including the less experienced novices or ‘script kiddies.’
“We create value with technology and contribute to society,” reads one dark web post translated by Cybersixgill from a Chinese forum. “We are a group of good, young, energetic and patriotic people who love the internet. This team has given us the opportunity to meet, to learn. It has given us new goals – study! We want to move forward. We love the country and we love the party. China is unique, it is most independent. Friends, stand up and join us! It’s time to do something, to do our part for our wonderful country.”
Script kiddies are encouraged to join the forum so they can improve their skills: “If you fear your technique is not good enough, if you fear you are not popular enough, if, if… If there is no if and even if you have many ifs, we will still accept you and help you,” the post urges. “This team will help you to get on your feet, and reminds you – always remain loyal to the country and her people. Always remember that the national interest must be above all else.”
Gadgets and playbooks
But while the report describes China as pre-eminent in the field of technological expertise – whether that be developed on its own merits or acquired from Western adversaries via espionage – it names Russia as taking the lead in cybercriminal activity.
Tsukerman agrees that any partnership between the two superpowers is likely to see China take the lead in one area while Russia points the way in the other.
“China has more money to spend on weapons improvement and building up its navy, air force, and so on,” she said. “However, Russia has decades more experience in intelligence operations [that] reflect the same principles its old Soviet forerunners had written for all of their allies and ‘frenemies’ before cyber threats became a real issue. Russia is a top exporter of hackers in the world at this moment. China is clearly looking to make its mark in this area, but both its general intelligence and cyber capabilities are far behind Russia.
"When it comes to planning covert or clandestine operations, Russia's playbook is the one that is used, because Russia has the most experience in it, and it works every time."Irina Tsukerman, geopolitics pundit and lawyer
“When it comes to planning covert or clandestine operations, Russia's playbook is the one that is used, because Russia has the most experience in it, and it works every time. From planning political scandals that can last for years or even decades, to spreading disinformation, conspiracy theories, and increasing political distrust and divisions, to identifying and infiltrating vulnerabilities in technical structures, Russia's abilities are unparalleled. China may have the better gadgets, but Russia still has the upper hand on the skills it takes to put them to best use.”
One respect in which China outstrips Russia is in sheer weight of numbers. According to Cybersixgill, its 1.3 billion web users make up a staggering fifth of the entire global total. Statista puts the figure lower, at 1.05 billion, although even that represents a formidable recruiting pool for prospective cyber agents, and perhaps more than anything, explains growing US fears that China will soon become its chief adversary in the digital realm.
“Hundreds of Chinese spies are being apprehended in the US alone annually,” said Tsukerman. “Most of them are still conventional intelligence operatives – however, China with its sheer number of human resources in cyber and its aggressive efforts to catch up to Russia in knowhow, is indeed a growing concern. China is far more aggressive in using cyber intelligence to steal intellectual property.”
Citing National Security Agency (NSA) reports, Tsukerman also believes that “though the bulk of cyber infiltrations is still attributable to Russia, China is becoming increasingly centered on spreading disinformation and engaging APTs.”
If previous research by Mandiant is anything to go by, that would seem to be the case – although the US-based cyber threat analyst also stresses that up until now at least, information operations conducted by the likes of China affiliate Dragonbridge have substituted effort for any real skill or impact.
A patient game
But Tsukerman reckons patience and humble origins could be virtues that end up paying off for Chinese-affiliated threat groups.
“While Russia has gainfully employed criminal actors who perform services while making money on the side, and generally target significant US and private company targets, China's APTs seem to gravitate to smaller firms and home offices, and are more interested in gathering private data on users than the national security or business type of information,” she said.
“Chinese APTs are less flashy and take longer in terms of being embedded and gathering information. They have also been successful in breaching telecommunications, but due to the war in Ukraine, Russian hackers are getting more attention and are more aggressive overall.”
Peter Warmka, a former CIA operative-turned-cybersecurity analyst who published a book about his experiences as a spy for the US government, agrees that China, while less ‘flashy’ in its attempts to wreak havoc in the digital sphere, is more of a long-term threat.
“If you want to compare China to Russia, I think Russia is that more disruptive,” he told Cybernews. “You know, we'll hit something just to kind of scare you.”
He also agrees with Cybersixgill’s contention that Chinese threat groups have to work around tougher sanctions at home, saying that this feeds into their playing a longer game than Russia. There, the authorities have conventionally turned a blind eye to cybercriminal gangs that do not target regimes, for instance ,from the post-Soviet Commonwealth of Independent States, that it is allied to.
However, Warmka thinks any predictions of increased cooperation between Russia and China should be read with a due amount of skepticism.
“I'm not denying that there's this sort of dialogue taking place between Russian and Chinese hackers, but it's a little bit off, I think,” he says of the Cybersixgill report. “I think we're going to continue to see Russia and China focusing more on separate strategies. We've seen that Russia pretty much allows cybercriminals free rein, at least up until recently, as long as they're not targeting Russians and targets of interest to Russia.”
Citing cases of cyber espionage in recent years that were linked back to the Asian superpower, such as the Marriott and Equifax breaches in 2014 and 2017, Warmka warns that though the Chinese might buzz under the radar more than Russia, their long-term strategy is potentially far more damaging to Western interests.
"China is building this gigantic database of individuals that they can later target for intelligence operations. They're looking at individuals who have security clearances and access to tremendous amounts of important, sensitive information."Peter Warmka, former CIA operative
“China is building this gigantic database, if you want to call it that, of individuals that they can later target for intelligence operations,” he said. “They're looking at individuals who have security clearances and access to tremendous amounts of important, sensitive information who, if they are compromised, can be moved into positions of access that the Chinese would want. We're not aware of Russia doing this.”
This is not a new policy of informational attrition either, says Warmka, referring to the cyberattack on US federal bureau of the Office of Personnel Management (OPM) nearly a decade ago.
“That is the holding for a lot of information that employees and contractors to the federal government have, especially those that have security clearances,” he said. “Back in 2013 and 2014, there were back-to-back breaches of OPM by the Chinese. Initially it wasn't announced who did it [but] people speculated it was China.”
Later on, he recalls, the US government issued a statement claiming the suspicions were true: China had allegedly stolen data on 22 million workers who had security clearances.
“Now, think about that,” says Warmka. “My background was with the CIA. The US government said it didn't affect CIA employees because their clearances are held separately. But I received a letter from OPM saying that they believed information was hacked, including my personal information. If it was completely separate, I'm thinking, then why should it be concerned? But they sent this letter out to everybody with security clearances.”
By cross-referencing this data pool of knowledge built up over the years through cyberattacks with what is already available on social media platforms, China could, in Warmka’s opinion, bring vast amounts of leverage to bear on targets.
“And that's the fear, you know, it is huge,” he says. “If they decide to target them, they’ve got a tremendous amount of information. Just targeting people through social media, you can learn a lot about them already. But with that, you've got all this information that can be leveraged by the Chinese to go after specific individuals. So China is more in the long-term game – they're collecting technology IP [intellectual property]. They've been doing this for a long time, and they want to continue.”
Not all as it seems
If China appears less dangerous in the cyber sphere than it really is, Russia seems to have achieved the opposite, with the more widespread, Western-targeted digital onslaught predicted in the fallout of the Kremlin’s invasion of Ukraine failing to materialize.
However, other analysts Cybernews spoke to warn that Russia’s apparent failure to live up to fearful expectations will not stop it from trying again next year.
“Russia’s attacks are likely to continue against Ukraine, including operational disruption, cyber espionage, and disinformation campaigns,” said Tyler Farrar, CISO at cybersecurity company Exabeam. “It would be unsurprising for the attacks to expand beyond Ukraine too, as Russia's leader attempts to prove Russia is not weak.”
When I ask him to elaborate on this, Farrar claims Russia is not nearly as formidable as it hoped to be, motivated in 2023 by pride rather than pragmatism in its desire to prove to its chief rival – the US, not Ukraine – that it is still a force to be reckoned with.
"It was evident even before the start of the Ukraine war that Russia's economic potential and useful raw materials are completely overshadowed by the United States. The country's leader has a suite of cheap, asymmetric tools at his disposal to execute his foreign policy. These will be utilized across multiple domains to sow discord and division within the United States in an attempt to prove that the country is weak."Tyler Farrar, CISO at cybersecurity firm Exabeam
Referring to what he describes as the “grand strategy” of president-cum-dictator Vladimir Putin, Farrar says: "Russia's leader seeks to solidify the nation's position as a global power. It was evident even before the start of the Ukraine war that Russia’s economic potential and useful raw materials are completely overshadowed by the United States. They cannot utilize these mechanisms of power to overtake Russia’s top competitor on the geopolitical stage.”
Farrar does not elaborate on why Russia, estimated by Statista to have the world’s largest share of natural resources, has lagged behind the US in this regard, but believes that cyberattacks are an inexpensive and available means for it to prosecute this geopolitical struggle against American global hegemony, chiefly by playing on the superpower’s homegrown internal strife.
“The country's leader has a suite of cheap, asymmetric tools at his disposal to execute his foreign policy,” he said. “These tools will be utilized across multiple domains to sow discord and division within the United States in an attempt to prove that the country is weak.”
As for China, Farrar sees it doubling down on its efforts towards technological supremacy by way of espionage and agrees with Cybersixgill that the boundaries between nation-state and individual threat actors are blurring within the Asian superpower.
“Cyber espionage is a key tactic in China’s strategy for global influence and territorial supremacy, and I think we can expect these operations to increase, particularly across private-sector companies,” he said.
Urging cybersecurity teams “to remain flexible” when deciding which threat actors might be behind what attacks, Farrar predicts that in 2023 “state policies will directly influence cybercriminal and hacktivist communities to obfuscate sources and methods, increasingly blurring the lines between nation-states, cybercriminals, and hacktivists.”
Warmka believes that China’s long-term ambitions will make it keep individual threat actors on a tight leash.
“I think the Chinese government's going to be very careful in what they allow criminal groups to do, because that will go against their image and what they're trying to do in the long term. Russia, they don't really care from that standpoint. If we look at what's been done in social media over the last few years, Russia seems to be more trying to destabilize governments, interfere in elections. China, on the other hand, doesn't seem to get involved so much in manipulating the politics of governments per se. They seem to want to work with whatever administration is in power, to develop a strong relationship with them.”
If Russia is motivated by its militaristic ambitions, he continues, China appears more focused on its materialistic aspirations.
“A lot of it begins with the economy, whatever they invest in,” he said. “If you look at the Third World, they have good relationships with almost every single country there, providing them with economic support and investments in infrastructure – that's how they think they're going to bring in a lot of goodwill from countries across the world. They're looking at this long term.”
NB: This article was amended on January 24. Previously it had incorrectly referred to Tyler Faro of Exobeam, and not Tyler Farrar of Exabeam, as is actually the case.
More from Cybernews:
Subscribe to our newsletter