A Fancy Bear Finds Its Way Into the Middle Kingdom

Lorand Laskai, research assistant in the Asia studies program, and Alex Grigsby, assistant director of the Digital and Cyberspace Policy program, contributed to this post.

Earlier this week, Chinese cybersecurity company Qihoo 360 released its annual report on advanced persistent threats (APTs) active in China. One of them was APT28--also known as Fancy Bear which the U.S. government has attributed to Russia’s intelligence services--in potential violation of a Russia-China cyber non-aggression pact signed in 2015.

Unlike certain western cybersecurity companies more willing to attribute cyber activity to a particular state, Qihoo’s reports can sometimes be frustratingly vague and shirk attribution. Its new report identifies thirty-six APTs active in China in 2016, including the actors behind ProjectSauron and APT28/Fancy Bear, and notes that universities were the primary victims, followed by the private sector and government institutions. Aside from noting that APT28/Fancy Bear was active in China, the report is silent on whether it aimed to compromise specific targets or industries, or was simply looking to use Chinese computers for their command and control infrastructure.

It will come as no surprise that Russia and China spy on each other. Despite their public appearances, both countries have traditionally been wary of each other and that skepticism extends to cyberspace. Last year, in its report detailing the decline of Chinese state-sponsored activity against U.S. targets, FireEye noted that Chinese actors tried to compromise Russian defense contractors and engineering firms in the energy sector. Kaspersky has also noted that Chinese activity against Russian targets has increased significantly in recent months. However, it is unclear whether this increase was state-sanctioned or just Chinese freelancers and moonlighters looking elsewhere given that U.S. targets were off-limits in light of the Obama-Xi deal.

What makes APT28’s activity in China particularly significant is the notoriety it has accrued over the past few years. The cyberattacks attributed to APT28 include conducting operations against the Ukrainian Central Election Commission (CEC) in May 2014, compromising the networks of France’s TV5 Monde in 2015, and most recently hacking the U.S. Democratic National Committee over the course of 2016.

If APT28--known to be operated by Russian intelligence services--is active in China, then it is would appear to violate an agreement Presidents Xi and Putin signed in 2015. That agreement said:

Each Party has an equal right to the protection of the information resources of their state against misuse and unsanctioned interference, including computer attacks against them. Each Party shall not exercise such actions with respect to the other Party and shall assist the other Party in the realization of said right.

Assessing the deal, Russian cyber expert Elaine Korzak wrote:

The two sentences, in conjunction, could be read in a way to keep Russia and China from using “computer attacks” against each other. [...] On the other hand, the language of this provision is strikingly vague. Phrases such as “misuse” and “unsanctioned interference” could obviously be interpreted quite differently by both sides leaving significant loopholes in the scope of the provision.

In other words, APT28’s activities could constitute a violation of the deal if Beijing interprets the text as a no-hacking pact.

Qihoo, like its American and European counterparts, produces these reports for marketing and advertising, but they raise an interesting policy challenge for Beijing. Chinese leaders hope to build a strong domestic cybersecurity industry, able to compete with foreign firms, and defend domestic networks and identify attackers. But even if Chinese policymakers wanted to confront Moscow on the reported espionage, they are unlikely to turn to a cybersecurity company for public attribution. It would set a precedent of the types of evidence that could be offered to prove who was behind a hacking attack, and there are numerous APT reports that point the finger at China using similar techniques. In fact, in the past, Beijing has harshly criticized these reports as unscientific and unprofessional.

The ambiguity of the phrasing in the Sino-Russia pact, the desire not to set a precedent on private actors and attribution, the demands of the bilateral relationship--these are all reasons why Beijing is likely to do nothing public in response to Russian hacking. China will hack Russia, Russia will hack China, and Beijing and Moscow will point to their non-aggression pact as a sign of friendship and cooperation.