Ever since the war in Ukraine broke out, cyber crews with connections to Beijing have repeatedly hacked into Russian government agencies and private companies to steal sensitive military data, cybersecurity experts say.
The tempo of these cyber attacks started picking up in May 2022, mere months after Russia launched its invasion of Ukraine. In the face of public announcements of solidarity between Russian President Vladimir Putin and Chinese President Xi Jinping, observers indicate Beijing has taken advantage of this weakness on Moscow's part to engage in cyber espionage.
Taiwanese cybersecurity company TeamT5 indicated that in 2023, a Chinese-speaking group called "Sanyo" launched an attack in the name of a well-known Russian engineering company in an attempt to access information on nuclear submarines. Such an event indicates an outright inconsistency in the "strategic partnership" between the two countries.
Although China has vast economic resources and a strong domestic defense industry, military analysts note that Beijing does not have the on-the-ground combat experience Russia is gaining in Ukraine. Observers think China sees the war as a one-of-a-kind opportunity to gain intelligence about sophisticated warfare tactics, Western weaponry, and successful countermeasures.
"China probably wants to collect intelligence on Russia's moves, including on its Ukraine military operation, defense advancements and other geopolitical moves," TeamT5 researcher Che Chang said.
Though Russian authorities have not yet officially confirmed the violations, a leaked Russian Federal Security Service (FSB) document, sourced by The New York Times, allegedly indicates that Chinese espionage has deeply troubled Russian intelligence. The top-secret document, as cited, suggests that China is actively seeking Russian military experience and expertise from the war in Ukraine and even refers to China as an "enemy."
While diplomatically and economically isolated from the West, Russia has relied heavily on China for key wartime technology and oil revenues. While Xi and Putin tout a "no-limits" alliance, the FSB's internal estimates reveal a more tenuous and nuanced reality.
While spying by allies is not unheard of, the extent and ferocity of Chinese hacking operations targeting Russia indicate a high degree of mistrust. Analysts think the Kremlin is not ready to provide Beijing with all battlefield intelligence—especially about drone warfare and computer software systems, which are emphasized in the FSB report as areas of specific interest to the Chinese.
"The Ukraine war remade the intelligence environment for both nations," remarked Itay Cohen, a lead researcher at Palo Alto Networks, who has been monitoring Chinese cyber actors for years. He and others assert that China is keen to leverage Russia's wartime intelligence to equip itself for potential future conflicts, particularly a potential showdown over Taiwan.
One of the Chinese state-sponsored actors reportedly targeted the Russian state defense giant Rostec, seeking information on satellite communications, electronic warfare, and radar technologies, Palo Alto Networks said. Other attempts sought to exploit Microsoft Word vulnerabilities and gain access to Russian aerospace and government offices.
Neither the Kremlin nor the Chinese Embassy in Moscow responded to requests for comment.
While not every Chinese hacker group works on behalf of the government directly, cyber researchers often discover traces of state sponsorship. In 2023, Russian cybersecurity firm Positive Technologies said that a number of Russian industries—from aerospace to private security—had been attacked through the use of Deed RAT malware. This is used nearly universally by Chinese state hackers and does not appear on black markets, so it is a highly effective and hard-to-beat weapon.
While China's cyber-espionage campaigns have in the past had targets among institutions in the United States and Europe, scholars observed a discernible shift towards Russian targets following the February 2022 invasion of Ukraine.
TeamT5 has seen several cyberattacks against Russia by some of China's most prolific cyber groups, including Mustang Panda. While the group's inception remains shrouded in mystery, Mustang Panda is widely suspected to be working for China's Ministry of State Security. Its operations have reflected Beijing's interests on the geopolitical stage and have frequently tracked investment initiatives under the Belt and Road Initiative in regions such as Southeast Asia and West Africa.
Following the Ukraine invasion, Mustang Panda reportedly expanded its operations to infiltrate government systems in Russia and the European Union. In 2022, it allegedly targeted Russian border officials and military personnel near the Chinese border.
“The targeting we’ve observed tends to focus on gathering political and military intelligence,” said Rafe Pilling, director of threat intelligence at Sophos. “They are a major tool of the Chinese state for acquiring strategic information.”
Mustang Panda has also fallen under the microscope of U.S. law enforcement. In January, the Justice Department and FBI said the group's malware infected thousands of systems worldwide. While many of the targets were American, Chinese dissidents and European and Asian government agencies were targeted as well, a federal indictment said.
Chang said another group, known as Slime19, has also been continuously compromising Russian energy, defense, and government sectors.
Even though Russia and China made public promises in 2009 and again in 2015 not to use cyberattacks against each other, analysts have never taken those offers at face value. Chinese cyber activity targeted Russia even before the Ukraine conflict. For instance, Russian submarine designers were apparently targeted in 2021 by a cyberattack believed to be Chinese.
"The activity boost was nearly instant following the invasion," added Cohen. "In reality, there has been a very different story behind the public narrative of a robust alliance."