Intelligence collected from the cybercriminal underground indicates that Chinese hackers are increasingly active within Russian threat actor spaces. While Russian cybercriminals undoubtedly have adequate hacking expertise, they stand to benefit from the innovation and creativity of Chinese threat actors. Could Chinese cybercriminals teach their Russian counterparts new approaches to hacking and increase the global cyber threat? There’s strength in numbers, as China-based hackers have learned. Working communally helps them slip past the “Chinese Firewall” (the Chinese government’s censorship filter) and avoid surveillance.
Just like Russian hackers, Chinese cybercriminals are driven primarily by financial motivations. However, they also share another objective: to help one another by sharing information and training less experienced group members to advance the Chinese hacking collective. This community-centric mindset helps individual members evade the strict internet restrictions imposed through the Great Chinese Firewall. With the help of their peers, Chinese threat actors can bypass the blocks on the Tor Onion browser and access the dark web. Others adopt the community’s secret encoded language to conduct their criminal activities openly on the public internet (also called the “clear web”) while evading detection.
Recently, certain individuals and groups from the Chinese cybercriminal community have expanded their network, accepting their peers’ invitations and participating in Russian dark web forums. One might question why the highly-experienced Russian cybercriminal community would seek out this partnership with their less adept Chinese counterparts. Are Russian threat actors learning anything from the Chinese community-centric approach? Might individualistic, ruthless, and financially-driven Russian hackers adopt new ways of working together to elude governmental surveillance and international cybercrime crackdowns?
A joint China-Russia hacker network is unlikely to pose a major threat anytime soon. Yet, to effectively protect global society from the rising threat of cybercrime, it is vital to understand the nature and extent of the potential damage that could be inflicted as a result of this cross-border criminal collaboration.
Much has already been written about the tactics, techniques, and threats that Russian threat actors pose. On the other hand, the Chinese hacker community remains largely a mystery. Instead of turning away from this enigmatic group, it is imperative to look closely behind the Chinese firewall.
A Determination to Succeed
As the old adage goes, where there’s a will, there’s a way. China-based cybercriminals have certainly embodied this notion, with their staunch determination giving rise to innovative and creative ways to accomplish their goals.
Accessing the dark web is incredibly difficult in China. Launched in 1998, the Great Firewall imposes heavy restrictions on internet access, blocking the digital flow of information, websites, and other forms of online content that do not adhere to the government’s message. Since the project’s launch, Chinese internet censorship has only grown stricter, with VPN services within Chinese borders accessible only to those awarded a government-issued license.
As a result, the Tor Onion browser—the primary medium for accessing the dark web—is very difficult to download and use. Still, while constrained by stringent censorship laws and harsh internet restrictions via the Great Firewall, a variety of illicit actors find ways to operate beyond the watchful eye of the Chinese government.
By working together, some advanced Chinese cybercriminals have found ways to slip past the Tor blockades undetected.
Those with less hacking expertise must operate on the clear web, right under the noses of their surveillants. They operate by using slang, code words, and coded images, even an invented “Martian” language (火星文) based on Chinese characters. These messages are indecipherable except by those in the tightly-knit Chinese hacker community.
The members of this community are dedicated to supporting one another in favor of their shared objective of promoting China’s success in the global cybercriminal arena. This community motive, while in strange juxtaposition with the individual members’ money-based motivations, reflects Eastern cultural values emphasizing collectivism rather than the West’s individualism. Chinese hackers don’t glorify themselves but try to lift up their colleagues as a whole to enhance the expertise of Chinese cybercriminals overall by educating and guiding entry-level Chinese threat actors.
Chinese threat actors rally around a sense of community and camaraderie. For example, they often require forum users to engage with each other’s content. More experienced threat actors might advertise hacking tutorials and apprenticeship programs. Group members often share their tactics, techniques, and procedures (TTPs) for free. Especially popular are “how to” posts sharing detailed instructions for circumventing government-enforced internet restrictions.
Fertile Soil for New Threats
It’s important to keep a close watch on the criminal underground, where the earliest indicators of new and changing threats emerge. Understanding what motivates and shapes the behaviors of the individuals operating within China’s cybercriminal underground is essential to prepare for and counteract the threats they might pose.
Understanding how world events play out on the dark web, and the reverberations these events cause on the cybercriminal underground, is key to protecting critical infrastructure.
Chinese and Russian hacker communities are dynamic, determined, and continue to evolve. Their separate strengths, if joined together, could form a formidable alliance, potentially resulting in new waves of threats from a more powerful and united adversary.
Delilah Schwartz is Product Manager at Cybersixgill where Naomi Yusupov is a Chinese Intelligence Analyst.