China Is Conducting Cyberespionage Against Russia

Since the start of the invasion of Ukraine, Chinese state-linked hacking groups have repeatedly targeted Russian companies and government agencies in attempts to access military information. These attacks intensified notably in May 2022—just months after the war began.

Despite the rhetoric of a "strategic partnership," China continues to treat Russia as a vulnerable target. In 2023, for instance, a group known as Sanyo used fake email addresses posing as a Russian engineering firm to extract data on nuclear submarines, according to researchers at TeamT5. The group was linked to Beijing.

Experts point to a primary motive: lacking real battlefield experience, China’s People’s Liberation Army is eager to learn from Russia’s war in Ukraine—from battlefield tactics to the weaknesses of Western-supplied weapons. "China is likely trying to gather intelligence on Russia’s operations, weaponry, and geopolitical decision-making," explains Che Chang of TeamT5.

The success of these attacks remains unclear—Moscow has not acknowledged them. However, a leaked classified FSB document confirms that Russian intelligence is aware of the scale of the threat. The document refers to China as an "adversary" and identifies military technologies—including drones and battlefield software—as key targets of interest.

The FSB has voiced concern over Russia’s growing dependence on China—particularly in energy and technology—as ties with the West unravel. This reality stands in stark contrast to the public rhetoric of a "no-limits partnership."

Analysts note that mutual distrust between the two countries remains high. The Kremlin is reluctant to share with Beijing the full extent of what it has learned in Ukraine—including mistakes, weaknesses, and vulnerabilities. According to Itay Cohen of Palo Alto Networks, "The war has shifted intelligence priorities for both China and Russia." Taiwan, still a potential flashpoint with the West, makes this interest all the more acute.

According to Palo Alto Networks, a Chinese group hacked entities linked to Rostec to obtain information on satellite communications, electronic warfare systems, and radar technologies. Other hackers exploited vulnerabilities in Microsoft Word to infiltrate Russian aviation and government infrastructure.

There is growing evidence that the attacks are coordinated at the state level. In 2023, Positive Technologies identified attacks using Deed RAT—a form of malware considered a "domestic product" of Beijing. This tool is not available on the black market and is used only by select pro-Chinese groups, making it difficult to detect and highly effective for covert espionage.

While China has traditionally targeted institutions in the U.S. and EU, since February 2022 its focus has increasingly shifted toward Russia. According to Che Chang, his team is tracking several Chinese groups, including Mustang Panda—one of China’s most active hacking outfits.

Little is known about the group’s origins, but experts note that it often operates in tandem with Chinese investment projects in Africa and Southeast Asia under the Belt and Road Initiative. As Rafa Pilling of Sophos explains, the group tends to strike in regions where China seeks to expand its political and economic influence—and Russia has proven no exception.

Since the start of the war, Mustang Panda has expanded the scope of its attacks to include government entities in both Russia and the EU. In 2022, according to TeamT5, it targeted Russian military and border services near the China–Siberia border. "Every group attacking Russia is after political and military intelligence," says Pilling. "This is one of Beijing’s most important tools of espionage."

Mustang Panda has long been on the radar of U.S. authorities. In January, the Justice Department and FBI reported that its malware had infected thousands of systems, including government institutions in Europe and Asia. In an indictment, the group was explicitly identified as being affiliated with the Chinese state.

Another active group is Slime19. According to Chang, it targets Russian government agencies, the energy sector, and the defence industry.

China and Russia have formally signed cyber non-aggression pacts—in 2009 and 2015. But even then, analysts viewed them as largely symbolic. In reality, Chinese cyberattacks began well before the war. In 2021, for example, there was a recorded attack on Russian submarine developers. But it was Russia’s full-scale invasion of Ukraine that triggered a sharp uptick in activity.

"We observed a surge in the very first months of the war," says Cohen. "And it came against a backdrop of public declarations of friendship between Beijing and Moscow."