Could Russian and Chinese cybercriminals team up against the West?

Intelligence gathered from the cybercriminal underground indicates that Chinese hackers are increasingly active in Russian threat actor spaces. While Russian cybercriminals undoubtedly have adequate hacking expertise, they stand to benefit from the innovation and creativity of Chinese threat actors. Could Chinese cybercriminals teach their Russian counterparts new approaches to hacking and increase the global cyber threat? There is strength in numbers, as China-based hackers have learned. Working together helps them get past the "Great Firewall" (the Chinese government's censorship filter) and avoid surveillance.

Much like Russian hackers, Chinese cybercriminals are primarily driven by financial motives. However, they also share another goal: to help each other by exchanging information and training less experienced group members to advance the Chinese hacking collective. This community-centric mindset helps individual members evade the strict Internet restrictions imposed by China's Great Firewall. With the help of their peers, Chinese cybercriminals can bypass blocks on the Tor Browser and reach the dark web. Others adopt the community's coded language to conduct their criminal activities openly on the public Internet (also known as the "Clear Web") while evading detection.

Recently, some individuals and groups in the Chinese cybercriminal community have expanded their network, accepting invitations from their peers and participating in Russian dark web forums. One might wonder why Russia’s highly experienced cybercriminal community would seek out this partnership with its less skilled Chinese counterparts. Are Russian threat actors learning anything from China’s community-centric approach? Could individualistic, ruthless, money-driven Russian hackers adopt new ways of working together to evade government surveillance and international cybercrime crackdowns?

A joint China-Russia hacker network is unlikely to pose a major threat anytime soon. Yet, to effectively protect global society against the growing threat of cybercrime, it is essential to understand the nature and extent of the potential harm that could be inflicted as a result of this cross-border criminal collaboration.

Much has already been written about the tactics, techniques and threats posed by Russian threat actors. On the other hand, the Chinese hacker community remains largely a mystery. Instead of turning away from this enigmatic group, it is imperative to look closely behind the Chinese firewall.

A determination to succeed

As the old saying goes, where there is a will, there is a way. Cybercriminals based in China have certainly embodied this notion, their steely determination giving rise to innovative and creative ways to achieve their goals.

Accessing the dark web is incredibly difficult in China. Launched in 1998, the Great Firewall imposes heavy restrictions on Internet access, blocking websites and other online content that do not align with the government's message. Since the project's launch, Chinese internet censorship has only become stricter; VPN services inside China's borders may now be operated only by providers that have obtained a government-issued license.

As a result, the Tor Browser, the primary means of accessing the dark web, is very difficult to download and use. Yet, despite being constrained by strict censorship laws and severe internet restrictions enforced by the Great Firewall, a variety of illicit actors are finding ways to operate beyond the watchful eye of the Chinese government.

Working together, some advanced Chinese cybercriminals have found ways to bypass Tor blocks without being detected.

Those with less hacking expertise must operate on the Clear Web, right under the noses of their overseers. They communicate using slang, code words and coded images, or even an invented "Martian" language (火星文) built from Chinese characters. These messages are indecipherable to anyone outside the close-knit community of Chinese hackers.

Members of this community are dedicated to supporting each other in pursuit of their common goal of promoting China's success in the global cybercrime arena. This communal motive, though in odd juxtaposition with the monetary motivations of individual members, reflects Eastern cultural values emphasizing collectivism rather than Western individualism. Chinese hackers do not glorify themselves; instead, they try to raise the expertise of Chinese cybercriminals as a whole by educating and guiding newcomers.

Chinese threat actors come together around a sense of community and camaraderie. For example, forums often require users to interact with other people's content. More experienced threat actors might advertise hacking tutorials and learning programs. Group members often share their tactics, techniques, and procedures (TTPs) for free. "How-to" posts are particularly popular, offering step-by-step instructions for circumventing government-imposed internet restrictions.

Fertile ground for new threats

It is important to closely monitor the criminal underground, where the first indicators of new and changing threats emerge. Understanding what motivates and shapes the behaviors of individuals operating in the Chinese cybercriminal underground is key to preparing for and countering the threats they might pose.

Understanding how global events unfold on the dark web and the impact these events have on underground cybercriminals is essential to protecting critical infrastructure.

The Chinese and Russian hacker communities are vibrant, determined and continue to evolve. If their separate forces were brought together, they could form a formidable alliance, potentially unleashing new waves of threats from a more powerful and united adversary.

Delilah Schwartz is Product Manager at Cybersixgill where Naomi Yusupov is a Chinese intelligence analyst.
