Moscow Built It First
Part 2 of 3. Russia confirmed it the other week. China has confirmed it for a year. North Korea refuses to.
Part 2 of Architectures of Cyber Power, a three-part series. Start with Part 1. Part 3 follows next week.
Between May 9 and May 11, 2026, alongside a three-day Russia-Ukraine kinetic ceasefire, the IT Army of Ukraine paused operations. Three days of no DDoS or defacements or claimed intrusions. The first documented hacktivist cyber-pause keyed to a state-level ceasefire window.
The pause expired at midnight on May 12. Russian state-directed proxies, operating up to and through the ceasefire window in mirror image, resumed full tempo at the same moment.
Two state-directed cyber proxies demonstrating political off-switches in the same calendar quarter. That’s an architecture.
The Iranian instance went visible at the moment of termination. The Ukrainian instance went visible at the moment of initiation: the political instruction was to pause, and the proxy paused. The two cases run on different proxy ecosystems with different political instructions, but the architectural play is identical. Same conduit.
If Part 1 made the case that Iran has built one, Part 2 makes the case that Iran is not alone.
Russia’s architecture is the proxy model with a criminal cover layer and a paramilitary capability stacked underneath.
The visible faces have rotated for a decade. Conti before its 2022 leaks. BlackCat/ALPHV through 2023 and into 2024. LockBit through its peak and into its takedown. Each brand burned, each brand replaced. The IT Army of Ukraine, operating against Russia, is a mirror-image proxy that uses the same architectural template the Russians invented.
The signature operation of the BlackCat era was the February 2024 ransomware attack on Change Healthcare, the UnitedHealth subsidiary that processes roughly one in three US healthcare transactions. The vector was an absent remote-access authentication control on a single application. The conduit pushed through, and the affiliate operator stayed inside Change Healthcare’s environment for nine days before deploying ransomware. UnitedHealth paid the $22 million ransom in March; CEO Andrew Witty confirmed it publicly on April 30, 2024. The personal information of more than 100 million Americans was exfiltrated. UnitedHealth’s Q1 2024 8-K posted $872 million in losses in that quarter alone; the company has since estimated total impact above $1.5 billion. By data volume, BlackCat may have insured more Americans in 2024 than Aetna.
Underneath the cover layer, the intelligence services’ own cyber units (Sandworm under the GRU, APT29 under the SVR, and the rest of the military-intelligence apparatus) handle what the proxies cannot, or what the state wants done with its own fingerprints visible. (The KGB often performed its “covert” work in public, paired with direct but transparently thin denials, as a form of influence through terror. This is an exceedingly Russian approach to grey-zone conflict.)
The architecture is older than the Internet’s commercial era. The Russian Business Network, operating openly from St. Petersburg by 2007, established the early template: criminal infrastructure tolerated domestically as long as the targets are foreign, with the state harvesting capability and signals access in exchange for the tolerance. The FSB inherited the relationship and learned to use it. Conti and its successors are the architecture working as designed.
I wrote in February that the conventional indicator-of-compromise model is dead because offensive cyber has industrialized. The Russian architecture is the industrialized version of the proxy model. A criminal ecosystem with state-tasking, a labor market the state did not have to build because the post-Soviet collapse built it for them. The architecture is path-dependent. The Kremlin did not whiteboard this. The Kremlin inherited it, and learned to keep the conduit live.
The two architectures went public together.
On May 20, 2026, Xi Jinping and Vladimir Putin signed a 47-page joint statement in Beijing covering roughly forty bilateral agreements. The statement extended the 2001 Treaty of Good-Neighborliness. Most of the press coverage focused on what was missing: the Power-of-Siberia-2 pipeline closed only at “basic understanding on route” with no timeline. “Basic understanding on route” is the language project managers reach for in status updates after the deadline has already slipped twice and looks to be collapsing altogether.
What most of the press coverage missed was the cyber paragraph.
The joint statement voices “concern about emerging threats to global information security” and emphasizes “the key role of the UN in responding to threats in the information space.” It backs the UN’s new global mechanism for responsible state behavior in cyberspace, calls for binding international agreements on data security and supply-chain stability, and states plainly that the two sides “respect and support the principle of sovereignty of the information space.”
That is the explicit articulation of the Russian-Chinese preference for a UN-centric cyber-governance model anchored in state sovereignty, framed against the Western multistakeholder model that has organized the cyber norms conversation for twenty years. The language is not new. Moscow and Beijing put nearly identical language in their 2022 ‘no limits’ statement; what is new is the re-signing, in Beijing, days after the Trump-Xi summit.
The two conduits have moved past parallel architecture. They now publicly coordinate the international-norm posture that makes their architectures politically defensible.
China runs an architecture that is documented, large, and analytically open.
The i-SOON leak in February 2024 exposed a Chinese InfoSec contractor operating under Ministry of Public Security, Ministry of State Security, and PLA tasking. The documents covered target lists, tooling, and pricing. The target lists named Indian government ministries. They named the Nepalese Foreign Ministry and the Nepalese Presidential Palace. SentinelOne’s analysis called the leak the most concrete public evidence yet of “the maturing nature of China’s cyber espionage ecosystem” and noted that government targeting requirements were producing “a competitive marketplace of independent contractor hackers-for-hire.”
The KnownSec leak in November 2025 was larger: 12,000 classified internal documents, a target library that included 378,942,040 IPs, 3,482,468 domains, and 24,241 organizations globally, state-backed tools, AI-driven exploits. Mandiant authenticated the dump. Those figures are not an analyst’s estimate; they come from the leaked documents themselves. 24,241 organizations is a freight-train number.
The FBI’s public alert of March 2025, issued after the i-SOON leak, was titled Beijing Leveraging Freelance Hackers and Information Security Companies to Compromise Computer Networks Worldwide. The same month, the Department of Justice indicted twelve Chinese contract hackers and law-enforcement officers. There is now a public record of the architecture more complete than any other state’s.
What that record does not yet tell us is the direction of travel.
The i-SOON leak shows an industrialized state-direct architecture with private-corporate cover. The KnownSec leak shows scale. Neither shows an off-switch of the kind Handala demonstrated. Whether China is moving toward Iranian-style proxy autonomy (looser conduit, more deniability, more political discretion at the contractor level), or stabilizing as an industrialized state-direct model (stiffer conduit, less autonomy, more central tasking), is an open analytical question. The contractors are state-tasked; how far the leash extends, open-source reporting cannot yet see.
I wrote in December, after a week in Taipei, that the Chinese threat ecosystem had grown past 250 firms, each perfecting one phase of the kill chain like stations on an assembly line. Specialization is what industrialization looks like, and it buys a second layer of cover: when reconnaissance sits in one company, weaponization in another, and command infrastructure in a third, attribution fragments across organizational lines no single analyst can reassemble.
That visibility gap is the architecture’s most reliable property. We see what the architecture chooses to let us see, and right now the architecture is choosing to let us see itself in transition.
North Korea runs the contrast.
The Reconnaissance General Bureau operates state-direct without proxy mediation. RGB officers work as salaried units, deployed in clusters in Pyongyang and, under cover as remote IT workers, inside Western companies. There is no domestic criminal cover layer because the regime cannot tolerate any private sector. There is no proxy ecosystem because the proxies would have to be private, and private is unavailable.
The signature operation is Bybit. On February 21, 2025, Lazarus Group (also tracked as TraderTraitor and APT38, all operating under RGB) executed a social-engineering compromise of a Safe{Wallet} developer’s workstation, injected malicious JavaScript into the Safe UI, and intercepted a routine multisig transaction at the moment of authorization. $1.5 billion in Ethereum moved off the exchange in one transfer. The FBI confirmed Lazarus attribution four days later. By March 20, 86 percent of the stolen ETH had been laundered into Bitcoin across thousands of addresses on multiple blockchains. It is the largest digital heist in human history. The proceeds, per the FBI, fund DPRK missile development. An offensive cyber operation that paid for itself an order of magnitude over.
In shape, the architecture matches the Western state-direct model: the operator and the state are one entity. The difference is that the West built its state-direct model with legal frameworks; North Korea built its without. DPRK is structurally incapable of running a proxy architecture, because the regime cannot tolerate the private sector required to build one. DPRK is the contrast that proves the typology. Not every state can pick its architecture from a menu.
The steelman against all of this.
States do not select cyber architectures at policy whiteboards. They inherit, adapt, and accumulate them under structural pressures. The Iranian proxy model emerged from twenty-five years of Islamic Revolutionary Guard Corps relationships with regional non-state actors. The Russian model emerged from FSB co-option of a post-Soviet criminal underworld that existed before the FSB knew what to do with it. The Chinese contractor model emerged from 2010s state-capital integration, not from a 2010s policy decision. The Western state-direct model was largely codified after the architectures already existed: Title 50 modernization, USCYBERCOM elevation, post-fact rationalizations of practice. To present these as choices is to project policy-shop thinking onto operations whose architectures grew rather than were built.
The steelman is mostly right.
But growing an architecture and extending one are different operations. The joint statement signed in Beijing on May 20 is an extension, deliberately taken, by two states pricing their architectures into the international order in front of the world. China’s apparent evolution from pure state-direct (2010s) to industrialized contractor (i-SOON era) to whatever-comes-next (post-KnownSec) is a sequence of extensions made by identifiable actors inside the MSS and the Cyberspace Administration. Japan’s Active Cyber Defense Law, going into force on October 1, is an extension being negotiated this quarter inside specific Tokyo ministries. The whole-architecture choice is rarely available. The extension choice is always available. And the extensions, taken across a decade, are where one architecture becomes another.
Setting aside the moral question (and I am setting it aside, deliberately, and next week I’ll explain why): which of these five architectures is best?
That answer is uglier than the conventional wisdom admits.
Next week.
If you enjoy A Discipline of Seeing, it would mean the world to me if you shared it with others. Please use the button below to send my Substack to someone who might find my work interesting. Thanks!
— Brandon