Which country has the best hackers: Russia or China?

For many years I worked for Foundstone teaching hacking classes and doing penetration testing. It was the most enjoyable job I ever had.

As part of that job, I traveled the world, including China, and got to determine firsthand which country had the best hackers. Although I didn’t travel to Russia during that time, lots of Russian-born hackers showed up in my classes.

Rumblings of cyberwar

Foreign hacking is top of mind right now, thanks to Russia’s attempts to shake up the U.S. presidential election. With a high degree of confidence, U.S. intelligence agencies say the highest levels of Russia’s government are behind the Democratic National Committee email leaks intended to embarrass Hillary Clinton. According to the reports I’ve read, most of these Russian hacks seems to be based on simple password phishing.

China has been involved in hacking American (and other) companies for decades. Most computer security experts believe that China already has every intellectual property secret it wants. I didn’t believe the Chinese hacking rumors for years because accusers failed to provide public evidence. I’ve since changed my tune because many companies have released that evidence, and it appears quite convincing. Also, the Chinese government’s tight control over its domestic internet makes it unlikely that Chinese hackers could have hacked U.S. targets without either direct orders — or at least tacit acceptance.

Regardless, recent evidence suggests that Chinese hacking against American companies has decreased since President Obama and Chinese leaders signed an antihacking agreement last year. I’ve been involved in dealing with advanced persistent threat (APT) attacks for more than a decade, and I’m personally hearing less complaints about Chinese intrusions.

Which hackers cause the most damage?

If by “damage” you mean frequency and severity of attacks, Chinese hackers take the No. 1 spot. Very likely tens of thousands of them, funded by the government, have broken into any company they like. I’m convinced they’ve stolen more secrets and intellectual property than any other country, with a single breach potentially incurring many millions of dollars in damage. 

I’ve seen American companies work on a secret new product, only to have a Chinese company release a very similar, if not identical product first. Sometimes even the wording in the documentation is identical. I’ve seen entire American company divisions shut down as a result. 

Russia’s hackers are more focused on direct financial crime and probably incur hundreds of millions of dollars in damage each year. Who knows — it could be billions of dollars. But if I compare the direct financial costs of Russia versus China, China probably wins that battle due to its theft of high-value intellectual property.

What about Russia’s impact on the American elections, especially if that hacking results in a presidency friendly to the Russian government? Luckily, despite Russia’s best efforts, the American voting system is probably too much of a hodgepodge systems to be affected in a material way.

Best hacking skills

In my personal experience, the best hackers have always come from the United States or one of its friendly allies. I know that sounds biased, but when I taught hacking classes, the U.S. hackers always completed the hacking tests the fastest.

In the Foundstone classes we ran little tests during the day that allowed our students to practice some skill we had taught them. Most students, regardless of country, tended to perform roughly the same. At the end of the class, we had a major capture-the-flag test, which required that students put together everything we had taught them, but in slightly different ways. It required thinking outside the box. U.S. students were always able to complete the major test and were always fastest.

Unfortunately, my Foundstone experiences ended 10 years ago. Since then, several other countries have risen to become part of the elite club of hackers. Israel, for such a small country, has an enormous number of incredible hackers, and they enjoy a well-earned reputation as the best-thinking defenders.

Who’s the best?

Sorry to disappoint you, but the real answer is that we don’t know who’s best. To be a “good” hacker you have to be invisible. The best hackers are the ones we don’t see and don’t know about.

But the real irony is that breaking into most organizations requires little in the way of advanced techniques anyway. Even the elite hacking units don’t use their best stuff unless they have to. Why hack smart and give away your best stuff when you can hack like any script kiddie and get into the same results without being discovered?