How China-based hackers, working together, elude the censors 

There’s strength in numbers, as China-based hackers know. Working communally helps them slip past the “Chinese Firewall” – the Chinese government’s censorship filter – and avoid surveillance. 

Now that some are interacting on Russian underground sites, might Chinese cybercriminals teach their Russian counterparts new approaches, increasing the global threat?  

Like Russians, Chinese hackers work for money – but they also help one another, sharing information and even training less experienced group members. As a result, they’re able to slip under the Chinese Firewall to access the dark web in spite of strict bans blocking the Tor onion-site browser. Others conduct their criminal activities  openly on the public internet (the “clear web”), but use encoded language and images to evade detection.

Lately, some in the Chinese cybercrime community have begun to expand their network, participating in Russian dark-web forums. What might their Russian counterparts learn from their community-centric approach? Might they teach individualistic, money-driven Russian cybercriminals new ways of working together to elude governmental surveillance and international cybercrime crackdowns? 

Still nascent, a joint China-Russia hacker network isn’t likely to pose major threats anytime soon. But to comprehend the nature and extent of the damage this cross-border criminal collaboration could inflict – and to protect our own systems and networks accordingly – it’s vital to understand how both communities operate, and to what end.

Much has already been written about the tactics, techniques, and dangers that Russian threat actors pose. The Chinese hacker community, on the other hand, remains largely a mystery. Instead of turning our focus away from this enigmatic group, we sought answers where few have ventured: behind the Chinese firewall. 

Our report, “The Bear and the Dragon – Analyzing the Russian and Chinese Cybercriminal Communities,” explores both communities, offering detailed analyses of what their fledgling alliance might mean for the cyber threat landscape. Here, we delve deeper into the Chinese underground, providing insight into the unique hacking community that operates within. 

They’re wily and determined

Where there’s a will, there’s a way, and China-based criminals operating on the Internet definitely have a will. 

Although constrained by stringent censorship laws and harsh internet restrictions via the government-run “Great Firewall,” illicit actors of every stripe nevertheless find ways to conduct their shadowy deeds beyond the watchful eye of the Chinese Big Brother. 

Accessing the dark web is incredibly difficult in China. Launched in 1998, the Great Firewall blocks access to any online sites, apps, or information that doesn’t adhere to Chinese rules. In the years since then, Chinese internet censorship has only grown more strict, with VPN services within Chinese borders accessible only to those awarded a government-issued license. 

As a result, the Tor Onion browser – the primary medium for accessing the dark web – is very difficult to download and use. But some advanced Chinese cybercriminals, working together, have found ways to slip past the Tor blockades undetected. 

Those with less hacking expertise must operate on the clear web, right under their surveillants’ noses. They do so using slang, code words and coded images, even an invented “Martian” language () based on Chinese characters. These messages are indecipherable except by those in the know – those in the tightly knit Chinese hacker community. 

They help each other

While China’s hackers are undoubtedly motivated by money, they’re not competitive among themselves. On the contrary, they support one another with a greater goal in mind: China’s success in the global cybercriminal arena.

Chinese threat actors rally around a sense of community and camaraderie. For example, they often require forum users to engage with one another’s content. More experienced threat actors may advertise hacking tutorials and apprenticeship programs. Group members often share their tactics, tools, and procedures (TTPs) for free. Especially popular are “how to” posts sharing detailed instructions for  ​​circumventing government-enforced internet restrictions.

Their motives reflect Eastern cultural values emphasizing collectivism rather than the West’s individualism. Chinese hackers don’t self-glorify but try to lift up the group as a whole, enhancing the expertise of Chinese cybercriminals overall by educating and guiding entry-level Chinese threat actors.

Information is power

Understanding what motivates and shapes the behaviors of the individuals operating within  China’s cybercriminal underground is essential to preparing for and counteracting the threats they might pose. 

It’s important to keep a close watch on the criminal underground, where the earliest indicators of new and changing threats emerge. Do you understand how world events play out on the deep and dark web, the reverberations these events cause, and how and when the cybercrime community shifts tactics, techniques and tools?

Our report, “The Bear and the Dragon – Analyzing the Russian and Chinese Cybercriminal Communities,” explores the dynamics of individual hacker communities within Russia and China, detailing their differences as well as the connections that could lead to their collaboration. We also show how the war in Ukraine is affecting the threatscape and its actors, and the repercussions. 

To stay apprised of these developments and of threats in a timely manner, we recommend an automated threat intelligence (TI) solution that gathers and contextualizes data from the deep, dark and clear webs: few scour all three. TI that continuously monitors even the most obscure sites and alerts your enterprise in real time to relevant chatter, helping to ensure that you’re ready for threats wherever they occur –  in the open, underground, or somewhere in between.