China's shadow over Russia: an updated analysis of the cyberwar and latent tensions


The full-scale invasion of Ukraine by Russia has radically transformed intelligence priorities for both countries, revealing a complex and contradictory reality in their relationship. Despite public rhetoric of a "no-limits partnership," Chinese state-sponsored cyber espionage against Russia has intensified significantly, exposing deep internal distrust and Beijing's strategic opportunism.


The escalating Chinese cyber espionage: motivations and tactics

As highlighted by Itay Cohen, a senior researcher at Palo Alto Networks, a cybersecurity firm that has long tracked Chinese hacker groups, China is actively exploiting the situation for its own strategic interests, particularly through military intelligence gathering. Beijing's primary goal is to learn from Russia's battlefield experience, refining its own military capabilities in preparation for future conflicts, with a specific focus on a potential escalation around Taiwan.

This strategy is visible in the intensified Chinese cyber espionage against Russian government and defense sectors. A Chinese government-funded group, for instance, has targeted Rostec, the powerful Russian state defense conglomerate, seeking crucial information on satellite communications, radar, and electronic warfare technologies. Other attacks have employed sophisticated malware, often delivered by exploiting vulnerabilities in widely used software such as Microsoft Word, to penetrate the networks of targets in the Russian aerospace industry and state entities.


The revelation of an "enemy": The classified FSB document

A classified FSB document, obtained by the New York Times, sheds new light on this dynamic. This eight-page planning document, believed to have been drafted in late 2023 or early 2024, details extensive Chinese espionage activities against Russia, explicitly referring to Beijing as an "enemy." Its authenticity has been confirmed by intelligence officials from six Western countries.

According to the document, a previously undisclosed FSB unit accused Chinese hackers and agents of intensifying efforts to:

  • Acquire military intelligence: China is particularly interested in drone warfare tactics, modernization methods, and countermeasures against Western weapons used in the Ukrainian conflict.

  • Recruit key personnel: Chinese agents are actively seeking to recruit Russian scientists, defense officials, and businesspeople, often capitalizing on financial hardship or professional dissatisfaction.

  • Infiltrate Russian information ecosystems: The FSB has ordered a "constant accumulation of information about users" on Chinese platforms, warning that these tools are being used for information penetration.

  • Obtain sensitive defense technologies: Chinese state-owned defense firms and academic institutions have been present in Russia since shortly after the Ukraine invasion began, aiming to study the conflict and acquire relevant knowledge for modern warfare.

In response to these concerns, the FSB launched a counterintelligence operation dubbed "Entente-4" just days before Russia's full-scale invasion of Ukraine in February 2022.

The groups behind the attacks: Mustang Panda, Slime19, and others

Several Chinese hacker groups have been observed targeting Russia. Among the most active is Mustang Panda, a group whose activities have often accompanied China's "Belt and Road Initiative" (BRI). After Russia's invasion of Ukraine, Mustang Panda expanded its reach to hit government organizations in both Russia and the European Union, also targeting Russian military officials and border guard units near the Siberian border with China. Experts suspect the group is backed by the Chinese Ministry of State Security, China's primary intelligence agency. Mustang Panda is known for using malware like Deed RAT, which is considered proprietary and not available on the dark web, leaving its targets with few samples to study and making it harder for them to defend against.

Another observed group is Slime19, which consistently targets the Russian government, as well as the energy and defense sectors. More recently, in 2024, Kaspersky documented a campaign it named "EastWind," consisting of targeted attacks on Russian government organizations and IT companies attributed to the well-known Chinese hacker groups APT31 and APT27, which used updated variants of backdoors like CloudSorcerer and new backdoors such as PlugY.


Prior attacks and the escalating trend

Chinese hacking activity in Russia is not new and predates the war in Ukraine. As far back as 2021, a sophisticated attack targeted the Rubin Central Design Bureau for Marine Engineering, a Russian firm involved in nuclear submarine technology development. This attack used a spear-phishing campaign and the PortDoor malware, with tools associated with China-linked hacker groups like Tick and Tonto Team.

However, experts agree that the Ukraine war has triggered a significant surge in cyber intrusions. As Itay Cohen stated, "We saw the activity... immediately in the months after the Russian invasion of Ukraine," despite the public narrative of close ties between the two countries.


Contradictions and implications

These attacks not only contradict public declarations of a "no-limits partnership" between China and Russia but also confirm the inherently opportunistic nature of Chinese foreign policy. While both countries are united by a desire to challenge the Western-dominated global order, their national interests remain distinct and, in this case, in conflict.

The revelation of the FSB document highlights deep internal contradictions between Russia's political leadership and its security apparatus. Chinese espionage, which aims to learn from Russia's combat experiences in Ukraine to strengthen its own capabilities, demonstrates that Beijing is willing to compromise its ally's cybersecurity to achieve its strategic objectives. The escalation of these intrusions shows that the war has provided China with a unique opportunity to gather military intelligence in a real-world conflict setting, exploiting Moscow's vulnerabilities and distractions.

The persistence of these attacks confirms that China views Russia not only as a partner but also as a valuable source of information and, in a sense, as a living laboratory for analyzing modern warfare tactics. This approach underscores that, in the grand game of geopolitics, trust between allies can easily be superseded by the thirst for knowledge and strategic calculation.
