


Christopher Burgess
Contributing Writer

Russia-China cybercriminal collaboration could “destabilize” international order

Jun 28, 2022 | 4 mins

Russian cybercrime groups are courting their Chinese counterparts, a collaboration that potentially could scale up the capabilities of both.


In a riff on the “Field of Dreams” theme, Russian cybercriminals continue to court their Chinese counterparts in hopes of forming mutually beneficial avenues of collaboration and are finding the Chinese to be a tough date. The latest peek into this engagement of Russia-China “frenemies” comes to us from Cybersixgill and its The Bear and The Dragon analysis of the two communities.

Russian cybercriminals motivated by money, Chinese by knowledge

The Cybersixgill findings have the two cybercriminal communities colliding and attempting to form what appears to be a “fledgling alliance.” This is a step above where the situation stood in November 2021, when Flashpoint Intelligence connected the dots between Chinese and Russian threat actors.

Both analyses have arrived at the same conclusion: Russian cybercriminals are driving the engagement and courting of Chinese cybercriminals in hopes of engaging in criminal collaboration. The landscapes of Russia and China are different: The Cybersixgill analysis characterizes the Russian criminal entities as motivated by money, with their Chinese counterparts focused on establishing a “powerful and sophisticated Chinese hacking collective.”

Delilah Schwartz, cyber geopolitics and extremism expert for Cybersixgill, said, “Given Russian-speaking cybercriminals’ sophistication and their constantly evolving modus operandi, the transfer of this knowledge to Chinese threat actors is especially concerning. Should this Russian and Chinese alliance continue, a devastating new non-state cyber superpower may emerge, unchecked by diplomatic concerns or fears of destabilizing the international order.”

Signs of collaboration tempered by geopolitical realities

Russia and China on the nation-state level have an ongoing agreement to not target each other’s entities for intellectual property (which has been ignored by both countries). That said, the two countries remain engaged diplomatically and have declared their relationship to be “a friendship without limits.”

As noted above, China’s cybercriminal interest evolves more toward establishing capability, as the results of their actions are often supporting nation-state intelligence requirements. This is evidenced by the never-ending klaxon calls of federal U.S. law enforcement and national security agencies on how China continues to target “networks holding sensitive intellectual property, economic, political and military information.”

The Russian invasion of Ukraine and the creation of the Ukrainian “cyber army,” coupled with the actions of a great many nations across the globe to isolate Russia, have changed the current digital landscape slightly. As noted in the Cybersixgill report, the technologically savvy citizens in Russia who found their access to western social networks (Instagram, Facebook, etc.) curtailed have turned to virtual private networks (VPNs) to access information in the west. The prior collaboration between the United States and Russia, which resulted in Russia disrupting and detaining individuals involved in ransomware attacks against western entities, has dried up. Indeed, there have been instances where Russian criminal entities have found their own members taking action to disrupt the capabilities of their criminal cohort.

In a nutshell, the RAMP (Ransom Anon Market Place) forum in October 2021 evolved into a multilingual environment having successfully added Mandarin, though Russian remains the dominant language, with English as the other linguistic offering. Cybersixgill characterizes it best: “This unique forum has emerged as a dedicated platform for unrestricted, cross-country cybercriminal collaboration and community-building, potentially indicating toward a nascent Russian-Chinese cybercriminal alliance in the face of increasing international efforts to tackle the scourge of ransomware.”

This potential collaboration by criminal entities via the RAMP forum or another avenue of communication does not bode well for enterprise and SMB entities should it ever come to fruition. While every criminal entity has its own skill set and technical capabilities, combining forces could create a bevy of criminal adversaries targeting our networks.

The current geopolitical realities appear to be the governor on the accelerator to collaboration, and as long as the Russian invasion and conflict with Ukraine continue, one may expect Chinese criminal entities to be hesitant to join forces with Russian criminals. The Chinese might yet accept the transference of knowledge from Russian criminals to enhance their own capabilities, but it will be measured and only when in the Chinese interests, according to Cybersixgill.


Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
