
Chinese Cyber Espionage Against Russia Is About Keeping Tabs and Learning

Since the start of the year, a Chinese advanced persistent threat (APT) group dubbed TA428 has been aggressively targeting industrial plants, research institutes, and government ministries, among others, in several countries including Belarus, Russia, and Ukraine, according to threat researchers from Kaspersky. The actors penetrated dozens of organizations and were even able to hijack the IT infrastructure of some of their targets, although the researchers did not specify what those entities were or where they were located. Additionally, the attackers implanted a series of stealthy backdoors into systems of interest, a tactic that preserves control of infected hosts should one backdoor be discovered and remediated. These redundant access channels would certainly facilitate ongoing cyber espionage, surveillance, and information theft, depending on the purpose of the particular intrusion.

Chinese state-sponsored cyber espionage is nothing new, as Beijing has been engaged in the most expansive cyber-enabled data theft operation of the past decade. However, its recent activities targeting Russia’s military industries are rather novel and not widespread. What’s more, this is not the first Chinese APT actor that has brazenly targeted its close ally. In May 2022, just a couple of months after Russia invaded Ukraine, another Chinese state-sponsored group dubbed Twisted Panda targeted Russian research institutes belonging to the Russian state-owned defense organization Rostec Corporation. Earlier, in April 2022, another group known as Mustang Panda conducted a cyber espionage campaign against Russian officials, using European Union documents about the possibility of sanctioning Belarus to entice recipients to click on weaponized attachments.

While China and Russia have enjoyed genuinely positive relations and have similar geopolitical interests, the increased targeting of Russian organizations during the ongoing Ukraine conflict is not coincidental. China and Russia have signed a mutual “no hack” pact, though some contend that this agreement likely reflected both governments’ understanding that they would not execute disruptive cyber attacks against one another, while cyber espionage would be tolerated. This is an important point to understand when framing China’s seemingly ramped-up cyber spying against Russian assets.

Judging from the timeline, TA428’s stealthy attacks started in January 2022, prior to Russia’s invasion of Ukraine, raising the question of whether or not Beijing had advance information of the impending offensive. As of this writing, it is not clear what, if any, data was taken from Russia’s military industries, so it is difficult to ascertain whether the cyber espionage was focused on taking intellectual property or was merely a means to monitor the activities of these industries. However, having insight into key industries and military-related entities would provide a more accurate narrative than the one being reported in open press channels, or the one that Russian officials may be telling their Chinese counterparts. Even allies don’t show each other their hole cards until absolutely necessary, and when it comes to the China-Russia relationship, trust has long been an issue.

China is a voracious consumer of both publicly available and illicitly retrieved information, and thus it makes sense that it seeks an understanding of Russia’s military operations and, by extension, the ground truth of what is involved in sustaining an invasion. Russia has made several attempts to annex territory it held under the former Soviet Union. While some of these endeavors have proven more successful than others, Beijing is cognizant that they at least provide modern-day examples that can be studied should it feel inclined to attempt something similar against Taiwan. Therefore, understanding Russia’s logistical thinking in terms of personnel and material resource allocation, preparing supply chains, and assessing the adversary’s capabilities is instructive regardless of whether Russia ultimately wins or loses in Ukraine. Beijing will have had a contemporary real-world example to study, and although the Russia-Ukraine and China-Taiwan situations are not equal comparisons, and Beijing would likely prefer to avoid the former’s outcome, the lessons to be learned here are not lost on Beijing, particularly as Ukraine has shown that a capable country defending its territory stands a good chance of withstanding such attacks, especially if other nations get involved.

Even if Russia did not detect China’s cyber espionage against it, there have been enough published accounts of these activities that Moscow would not be blindsided by their revelation. The fact that Russia has not responded to or commented on them may be an indication that Moscow understands it is in a vulnerable position and needs its neighbor’s political and economic support. It is suspected that Russia believed invading Ukraine would involve less effort than what has transpired, a surprise that has strained Moscow’s financial and military preparations. The regional and global response to Russian aggression has further squeezed Moscow, pushing it toward China for assistance. According to recent statistics, in July 2022 Russia obtained USD 6.7 billion of goods from China (an increase of more than a third from June), while China’s imports from Russia rose only slightly, showing that China is enjoying the lion’s share of the trade relationship. Moscow may have to continue to tolerate Chinese cyber activities, among other economic and diplomatic considerations, for as long as the current geopolitical conflict persists.

From this perspective, China’s cyber espionage appears to be focused more on information gathering for situational and strategic understanding than on stealing intellectual property for replication. Russia’s activities have certainly caused substantial turbulence, and understanding its true intent and position with respect to Ukraine is important for China on many levels. China’s goals of regional and global supremacy are well known, and using cyber spying to keep tabs on the activities of the government it is looking to supplant makes sense. Even though China has taken some hits for walking a diplomatic tightrope and trying not to alienate Russia or the West, Beijing is poised to come out of the Ukraine situation as the government everyone will have to deal with politically, economically, and militarily.

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.