Since the start of Russia’s invasion of Ukraine, cyber-espionage groups linked to the Chinese government have ramped up attacks against Russian government institutions and strategic companies, apparently in search of military secrets. According to cybersecurity analysts, this campaign intensified around May 2022, casting doubt on the so-called “no limits” partnership between Moscow and Beijing.
These intrusions have continued even as Presidents Vladimir Putin and Xi Jinping publicly reaffirmed their strategic alliance against the West. Experts say the cyberattacks reveal China’s perception of Russia as a weakened and vulnerable target for military intelligence gathering.
Taiwan-based cybersecurity firm TeamT5 identified the Chinese group “Sanyo” as responsible for hacking a major Russian engineering firm to obtain information on nuclear submarines. Another firm, Palo Alto Networks, reported that Chinese state-sponsored hackers targeted Rostec, Russia’s defense conglomerate, seeking data on satellite communications, radar systems, and electronic warfare.
“China isn’t just after technology,” said Che Chang, a researcher at TeamT5. “They’re also trying to learn tactical lessons from the modern warfare Russia is conducting in Ukraine.”
While the Kremlin has kept silent about these attacks, a classified FSB counterintelligence document—obtained by The New York Times—confirms growing concern within Russian intelligence circles. The document warns that China is seeking Russian defense technology and battlefield expertise, even going as far as labeling China an “enemy.”
Although it is not uncommon for allies to spy on one another, the scale of China’s cyber activities against Russia suggests deeper mistrust. Analysts believe the Kremlin’s reluctance to share its full wartime insights with Beijing may have prompted the escalation of cyber intrusions.
According to the FSB document, one of China’s main interests is drone warfare—especially the software and tactical applications involved. Experts argue that such intelligence could be critical if China faces a future conflict, particularly over Taiwan.
One of the most active groups is Mustang Panda, identified by firms like Sophos and TeamT5. Known to operate in line with China’s global Belt and Road Initiative, Mustang Panda expanded its operations after the Ukraine invasion, targeting Russian and European institutions alike.
Sophos reports that Mustang Panda is likely backed by China’s Ministry of State Security, the country’s top intelligence agency. In 2022, the group allegedly targeted Russian military and border guard units near the Siberian frontier. This January, the U.S. Department of Justice formally charged Mustang Panda with stealing data from thousands of systems, including those of Chinese dissidents and foreign governments.
Other groups, such as Slime19, have also focused on Russian targets, especially in the energy and defense sectors. According to Chang, this reflects a sustained and systematic campaign that contradicts bilateral agreements made in 2009 and 2015, in which China and Russia pledged not to hack each other.
Although those agreements were presented as goodwill gestures, analysts say they were largely symbolic. “We saw an immediate spike in activity after Russia’s full-scale invasion of Ukraine,” said Itay Cohen, a researcher at Palo Alto Networks. “Despite the public narrative of strong ties between Russia and China, the reality is a far more complex and pragmatic relationship.”
