
Recently, a Russian cybersecurity company published a report on nation-state offensive cyber campaigns that have been targeting Russia in 2023.  Perhaps more surprising were the alleged sources of this activity: the company used telemetry data from Russia’s largest telecom to identify threat actors from China and North Korea as driving the majority of what it observed during the year.  Per the report’s findings, advanced persistent threats posed the most serious threat to Russian organizations, accounting for 20% of all incidents that the company investigated.  While hostile state activity is not new, with state threat actors executing stealthy and disruptive campaigns against targets of interest, the alleged sources of these offensives are especially interesting given Moscow’s efforts to strengthen ties between Russia and China and North Korea.

Per the company, Chinese-related activity consisted of aggressive and frequent cyber espionage campaigns that sought out, in some cases, 20-40 Russian organizations every day and infected them with malware.  For the West, such news is not novel.  China has been frequently cited as a pervasive cyber threat actor that has targeted public and private entities globally, especially Western countries, in its search for intellectual property and sensitive diplomatic information to support its national interests.  And to be fair, China has targeted Russia before the Ukraine invasion, exploiting Russian government organizations and telecoms in 2022 in support of its espionage interests.  But China is not alone.  The report identified North Korean actors, known for engaging in cyber activities more akin to those of cybercriminals than nation states, as being prominent in targeting state entities for espionage purposes, collecting pertinent missile development information.  Ukrainian state cyber actors and non-state supporters also featured prominently, but that was expected given the current conflict in Ukraine.

While it is well acknowledged that states engage in spying, even against those considered to be friends and allies, this recent revelation bears closer inspection.  Russia has been trying to bolster its relations with governments like China, Iran, and North Korea as it becomes increasingly isolated from the rest of the world due to the Ukraine war.  Over 2023, there have been notable strides taken to build economic and political alliances to counter traditional Western blocs, as well as formal cyber cooperation agreements to offset U.S. cyber engagement with Five Eyes partners and European governments.  These agreements have often included an understanding that the signatories would not hack each other, and would even help one another via the exchange of threat information, best practices, training, and exchanges.  From every perspective, it appears China has been targeting Russia’s defense industries for commercial advantage, and North Korea has been seeking missile engineering-related information as a way of improving its own missile program.

Though far from disruptive acts of cyber malfeasance, these willful acts of sensitive information theft from a partner are not indicative of governments in alignment with one another and suggest that China and North Korea may be uncertain of Russia’s future, and of whether Moscow will wield the same influence after the Ukraine situation is resolved.  It’s clear that Russia has been willing to look the other way with respect to China’s cyber activities, probably out of the need to maintain a strong united front against the West.  Moscow has undoubtedly seen China’s ascendency and understands that it benefits Russia to be a partner rather than a competitor to Beijing.  Even recently, Putin lauded Russia’s high-tech military cooperation with China in order to shore up strategic security and provide enough ambiguity to its February 2022 “no limits” pact to create a deterrent value in the current geopolitical environment.

North Korea is a different matter, though the reasons Russia has thus far chosen not to at least publicly admonish Pyongyang may have to do with it needing friendly nations in a time of turmoil.  Enhanced relations, as set by a September 2023 meeting between the two leaders, catalyzed increased cooperation between North Korea and Russia, culminating in Pyongyang sending military munitions to Russia to aid its efforts in Ukraine.  Suffice it to say that even though their relations have not been as robust as some have speculated and feared, North Korea’s interest in space and space capabilities would give the United States another adversary to monitor in the domain, which, coupled with military support, may be enough for Russia to be patient with North Korea’s cyber incursions.

As outlined in this report, the activity from China and North Korea is consistent with espionage and not attack, despite how the headlines of news articles covering this revelation portray it.  What is abundantly clear is that good diplomatic relations between governments do not necessarily extend into cyberspace.  Nothing exemplifies this more than the exposure of the world’s leading democracy conducting similar acts of spying (though to be fair not for economic advantage) against its closest allies and friends.  Because they are not attacks meant to cause disruption and/or destruction, Moscow may be using the report to signal its acknowledgement of the activities occurring against it as well as its tolerance of them for the time being because of the aid China and North Korea are providing with respect to Ukraine. Russia needs its friends more for what they are providing than it needs to admonish them for what they are taking.

What would be more telling is how Moscow could use this knowledge to its advantage.  There has been speculation about whether China and Russia could be supporting each other’s cyber operations, sharing tools, and/or information.  Though there has been nothing conclusive on the subject, as more Western countries embrace hunt-forward operations and continue to collaborate on such activities, any joint cyber endeavors by these two prominent cyber actors would certainly shift the global cyber dynamic.  Add into the mix North Korea, whose capabilities continue to evolve and whose actions are at best unpredictable, and cyberspace quickly becomes a deteriorating environment where all categories of actors look to act first and talk later.  Given stalled efforts at getting the global community under the same rubric of responsible state behavior in cyberspace, that is looking more and more to be the plan.

Emilio Iasiello

About the Author


Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.