{ "id": "5fbcac15-6254-44e4-8b1a-3c9761c60dc8", "created_at": "2026-04-06T00:22:24.12579Z", "updated_at": "2026-04-10T03:35:29.076841Z", "deleted_at": null, "sha1_hash": "dcd5065640553d853ea6e15e8b8bf3b3cc4b6953", "title": "Chinese Cyberspies Pivot To Russia In Wake Of Obama-Xi Pact", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 131895, "plain_text": "Chinese Cyberspies Pivot To Russia In Wake Of Obama-Xi Pact\r\nBy Kelly Jackson Higgins\r\nPublished: 2016-02-09 · Archived: 2026-04-02 10:58:48 UTC\r\nTENERIFE, SPAIN – Kaspersky Security Analyst Summit 2016 – Cyber espionage attacks by Chinese advanced\r\npersistent threat groups against Russian targets have increased by 300 percent in the past two months, according to\r\na top security expert with Kaspersky Lab.\r\nCostin Raiu, director of the global research and analysis team at Kaspersky Lab, says his firm’s researchers\r\nwitnessed a dramatic drop in Chinese-speaking APTs going after US and UK organizations’ intellectual property\r\nin September after President Obama and Chinese president Xi Jinping came to a historic agreement not to conduct\r\ncyber spying attacks for economic gain. Kaspersky Lab refrains from confirming the actual actors behind\r\nadvanced groups such as nation-states, so it refers to these attackers as \"Chinese-speaking\" cyber espionage\r\ngroups.\r\n“Immediately after the signing of the agreement, there was silence” in attacks against the US, Raiu said in an\r\ninterview with Dark Reading. “Then there were some small bits and pieces of random noise … but after that, they\r\n[Chinese-speaking APTs] completely went silent in the US and UK,” Raiu said, referring to Xi’s similar no-hack\r\ndeal in October with Prime Minister Cameron in the UK.\r\nRaiu said the cyber espionage groups appear to have shifted their focus to Russia and other former Soviet\r\ncountries as new sources of intellectual property for economic gain in the wake of the Obama-Xi pact.\r\nWhile the Obama-Xi agreement was applauded by the security and IT industries as a good first step, critics had\r\nexpected China ultimately not to fully comply with the agreement. Those concerns appeared to come to fruition in\r\nOctober, when CrowdStrike reported spotting multiple Chinese APT groups attempting to steal business secrets\r\nfrom seven US companies in the technology and pharmaceutical industries the day after the Obama-Xi agreement.\r\nThe Obama-Xi pact stops short of banning traditional espionage via hacking.\r\nKaspersky’s Raiu said his company has seen activity from Mirage, a Chinese-speaking APT group that\r\ntraditionally has targeted ministries of foreign affairs, waging attacks in Russia. “Now they are super-active in\r\nRussia,” he said, with interests in military espionage, for example. But there have been “several” APT groups seen\r\ntargeting Russian victims, he said.\r\nKurt Baumgartner, principal security researcher at Kaspersky Lab, says the increased activity targets “a\r\ngeopolitical profile.”\r\nIndustries that support those geopolitical interests and structure are also under attack, he said.\r\nCrowdStrike also has seen more Chinese attacks on Russia -- from a specific Chinese APT group called Hammer\r\nPanda against Russian Federation nations. But it's also still seeing China-based attacks on US companies.\r\nhttp://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242\r\nPage 1 of 2\n\n\"We have definitely observed an increase in Hammer Panda targeting of the Russian Federation. In the\r\n[CrowdStrike] Global Threat Report ... we observe that following an agreement between China and Russia in May\r\n2015 to abolish any type of hacking between the two states, we observed an almost immediate violation of the\r\nagreement by China,\" said Adam Meyers, vice president of intelligence at CrowdStrike. \"We have continued to\r\nobserve China-based intrusion groups targeting US companies.\" \r\nFind out more about APTs at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las\r\nVegas. Register today and receive an early bird discount of $200.\r\nAbout the Author\r\nEditor-in-Chief, Dark Reading\r\nKelly Jackson Higgins is the Editor-in-Chief of Dark Reading and VP, cybersecurity editorial at Informa\r\nTechTarget, where she leads editorial strategy for the company's three cybersecurity media brands: Dark Reading,\r\nSearchSecurity and Cybersecurity Dive. She is an award-winning veteran technology and business journalist with\r\nthree decades of experience in reporting and editing for various technology and business publications and major\r\nmedia properties. Jackson Higgins was selected three consecutive times as one of the Top 10 Cybersecurity\r\nJournalists in the U.S., and was named as one of Folio's 2019 Top Women in Media. She has been with Dark\r\nReading since its launch in 2006.\r\nSource: http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242\r\nhttp://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "references": [ "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242" ], "report_names": [ "1324242" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680", "created_at": "2022-10-25T16:07:23.899157Z", "updated_at": "2026-04-10T02:00:04.782542Z", "deleted_at": null, "main_name": "NetTraveler", "aliases": [ "APT 21", "Hammer Panda", "NetTraveler", "TEMP.Zhenbao" ], "source_name": "ETDA:NetTraveler", "tools": [ "Agent.dhwf", "Destroy RAT", "DestroyRAT", "Kaba", "Korplug", "NetTraveler", "Netfile", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "TravNet", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "254f2fab-5834-4d90-9205-d80e63d6d867", "created_at": "2023-01-06T13:46:38.31544Z", "updated_at": "2026-04-10T02:00:02.924166Z", "deleted_at": null, "main_name": "APT21", "aliases": [ "HAMMER PANDA", "TEMP.Zhenbao", "NetTraveler" ], "source_name": "MISPGALAXY:APT21", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434944, "ts_updated_at": 1775792129, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/dcd5065640553d853ea6e15e8b8bf3b3cc4b6953.pdf", "text": "https://archive.orkl.eu/dcd5065640553d853ea6e15e8b8bf3b3cc4b6953.txt", "img": "https://archive.orkl.eu/dcd5065640553d853ea6e15e8b8bf3b3cc4b6953.jpg" } }