The Denver Post

Leaked files show secret world of China’s hackers now for hire

- By Paul Mozur, Keith Bradsher, John Liu and Aaron Krolik

The hackers offered a menu of services at a variety of prices.

A local government in southwest China paid less than $15,000 for access to the private website of traffic police in Vietnam. Software that helped run disinformation campaigns and hack accounts on X cost $100,000. For $278,000, Chinese customers could get a trove of personal information behind social media accounts on platforms such as Telegram and Facebook.

The offerings, detailed in leaked documents, were a portion of the hacking tools and data caches sold by a Chinese security firm called I-soon, one of the hundreds of enterprising companies that support China’s aggressive state-sponsored hacking efforts. The work is part of a campaign to break into the websites of foreign governments and telecommunications firms.

The materials, which were posted to a public website last week, revealed an eight-year effort to target databases and tap communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia. The files also showed a campaign to closely monitor the activities of ethnic minorities in China and online gambling companies.

The data included records of apparent correspondence between employees, lists of targets, and material showing off cyberattack tools. Three cybersecurity experts interviewed by The New York Times said the documents appeared to be authentic.

Taken together, the files offered a rare look inside the secretive world of China’s state-backed hackers for hire. They illustrated how Chinese law enforcement and its premier spy agency, the Ministry of State Security, have reached beyond their own ranks to tap private-sector talent in a hacking campaign that United States officials say has targeted American companies and government agencies.

“We have every reason to believe this is the authentic data of a contractor supporting global and domestic cyberespionage operations out of China,” said John Hultquist, the chief analyst at Google’s Mandiant Intelligence.

Hultquist said the leak revealed that I-soon was working for a range of Chinese government entities that sponsor hacking, including the Ministry of State Security, the People’s Liberation Army and China’s national police.

At times the firm’s employees focused on overseas targets. In other cases they helped China’s feared Ministry of Public Security surveil Chinese citizens domestically and overseas.

“They are part of an ecosystem of contractors that has links to the Chinese patriotic hacking scene, which developed two decades ago and has since gone legit,” he added, referring to the emergence of nationalist hackers who have become a kind of cottage industry.

I-soon did not respond to emailed questions about the leak.

The revelations underscore the degree to which China has ignored, or evaded, American and other efforts for more than a decade to limit its extensive hacking operations. And it comes as American officials are warning that the country has not only doubled down, but also has moved from mere espionage to the implantation of malicious code in American critical infrastructure — perhaps to prepare for a day when conflict erupts over Taiwan.

The Chinese government’s use of private contractors to hack on its behalf borrows from the tactics of Iran and Russia, which for years have turned to nongovernmental entities to go after commercial and official targets.

Although the scattershot approach to state espionage can be more effective, it also has proved harder to control. Some Chinese contractors have used malware to extort ransoms from private companies, even while working for China’s spy agency.

In part, the change is rooted in a decision by China’s top leader, Xi Jinping, to elevate the role of the Ministry of State Security to engage in more hacking activities, which had fallen primarily under the purview of the People’s Liberation Army.

Although the Security Ministry emphasizes absolute loyalty to Xi and Communist Party rule, its hacking and espionage operations often are initiated and controlled by provincial-level state security offices.

Those offices sometimes, in turn, farm out hacking operations to commercially driven groups — a recipe for occasionally cavalier and even sloppy espionage activities that fail to heed Beijing’s diplomatic priorities and may upset foreign governments with their tactics.

Parts of China’s government still engage in sophisticated top-down hacks, such as endeavoring to place code inside U.S. core infrastructure.

The leak also outlined the workaday hustle, and struggle, of China’s entrepreneurial hacking contractors. In place of selling to a centralized government agency, one spreadsheet showed, I-soon had to court China’s police and other agencies city by city. That meant advertising and marketing its wares.

In one letter to local officials in western China, the company boasted that it could help with anti-terrorism enforcement because it had broken into Pakistan’s counterterrorism unit.
