Yesterday, the Council on Foreign Relations published a blog post regarding a public report from Qihoo, a Chinese cybersecurity company, that mentioned the targeting of China by the Russia-based hacker group known as APT28/FANCY BEAR. CFR drew attention to this because APT28 operations targeting China could be in violation of a 2015 agreement between Russia and China in which the two countries agreed not to engage in "computer attacks" or other cyber operations that might result in "misuse" or "unsanctioned interference" with the other country's "information resources."
CFR's blog post points out that the ambiguity in the terms of the Russia-China agreement allows for a broad range of interpretation, which leaves room for the two countries to conduct cyber operations against each other without violating the agreement. In particular, the "misuse" and "interference" terms leave a significant amount of room for interpretation.
Even if APT28 has been hacking China, the Russians are not the only ones who may have carried out such operations in the wake of the agreement. Cyber espionage activity targeting Russia and linked to Chinese actors continued at a significant pace after the agreement was reached in April 2015. The cybersecurity company Proofpoint published a couple of blog posts (here and here) detailing a long-running campaign by a group they refer to as TA459 targeting Russian organizations in the military and telecommunications sectors. This campaign involved a number of malware families (PlugX, NetTraveler, and Saker) historically linked to Chinese operators.
In the end, it is unlikely that Russia and China would find the actions of APT28 or TA459 to be in violation of the April 2015 agreement. This is because, at least in TA459's case, the activity appears to be traditional espionage rather than computer attacks or intrusions aimed at providing commercial advantage to the perpetrator. The Russia-China agreement does not mention cyber espionage aimed at providing commercial advantage, but such activity would be more likely to be viewed as a violation. In fact, commercial cyber espionage was the crux of the agreement between the US and China reached a few months later. While the US-China agreement was also somewhat ambiguous as to how a commercial motive was to be determined, it, like the Russia-China pact, contained no language that would preclude traditional cyber espionage.
As the CFR blog post ultimately concludes, Qihoo's report of APT28 operations targeting China is unlikely to result in a reaction from Beijing. This underscores the fact that, despite agreements like those between Russia and China and between the US and China, cyber espionage is going to continue. The cyber domain is becoming increasingly central to the geopolitical and military activities of countries across the globe. None of these countries will wish to limit their own activities through international agreements any more than they have to. So while such agreements can have positive effects in curbing things like commercial espionage or computer attacks, both public and private organizations are likely to remain targets of cyber operations by nation-state actors.