The Hamilton Spectator

Exposing Hackers For Hire In China

- This article is by Paul Mozur, Keith Bradsher, John Liu and Aaron Krolik.

The hackers offered a menu of services, at a variety of prices.

A local government in southwest China paid less than $15,000 for access to the private website of traffic police in Vietnam. Software that helped run disinformation campaigns and hack accounts on X cost $100,000. For $278,000, Chinese customers could get a trove of personal information off social platforms like Telegram and Facebook.

The offerings, detailed in leaked documents, were a portion of the hacking tools and data caches sold by a Chinese security firm called I-Soon, one of the hundreds of enterprising companies that support China’s aggressive state-sponsored hacking efforts.

The materials, which were posted to a public website in February, revealed an eight-year effort to target databases and tap communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia. The files also showed a campaign to monitor the activities of ethnic minorities in China.

Taken together, the files offered a rare look inside the secretive world of China’s state-backed hackers for hire. They illustrated how Chinese law enforcement and its premier spy agency, the Ministry of State Security, have reached beyond their own ranks to tap the private sector for their hacking campaigns.

“We have every reason to believe this is the authentic data of a contractor supporting global and domestic cyberespionage operations out of China,” said John Hultquist, the chief analyst at Google’s Mandiant Intelligence.

He said the leak revealed that I-Soon was working for several Chinese government entities that sponsor hacking, including the People’s Liberation Army and the national police. At times the firm helped China’s Ministry of Public Security surveil Chinese citizens.

“They are part of an ecosystem of contractors that has links to the Chinese patriotic hacking scene,” he added.

I-Soon did not respond to emailed questions about the leak.

The revelations underscore how China has ignored, or evaded, American and other efforts for over a decade to limit its extensive hacking operations. And they come as U.S. officials are warning that China has also implanted malicious code in American critical infrastructure, perhaps to prepare for a conflict over Taiwan.

The Chinese government’s use of private contractors to hack on its behalf borrows from the tactics of Iran and Russia, which for years have turned to nongovernmental entities to go after commercial and official targets. Although the scattershot approach to state espionage can be effective, it is harder to control. Some Chinese contractors have used malware to extort ransoms from private companies, even while working for China’s spy agency.

In part, the change is rooted in a decision by China’s top leader, Xi Jinping, to elevate the role of the Ministry of State Security to engage in more hacking activities, which had mainly been handled by the People’s Liberation Army. While the security ministry emphasizes absolute loyalty to Mr. Xi and Communist Party rule, its hacking and espionage operations are often initiated and controlled by provincial-level state security offices.

Those offices sometimes, in turn, farm out hacking operations to commercially driven groups, a recipe for occasionally cavalier and even sloppy espionage activities that fail to heed Beijing’s diplomatic priorities and may upset foreign governments with their tactics.

Parts of China’s government still engage in sophisticated top-down hacks. But the overall number of hacks originating in China has surged, and targets have ranged more broadly, including information about Ebola vaccines and driverless car technology.

That has fueled a new industry of contractors like I-Soon. The Shanghai company, which also has offices in Chengdu, epitomized the amateurishness that many of China’s relatively new contractors bring to hacking. The documents showed that at times the company was not sure if services and data it was selling were still available. For instance, it noted internally that the $100,000 software to spread disinformation on X was “under maintenance.”

The leak also outlined the hustle of China’s entrepreneurial hacking contractors. Instead of selling to a centralized government agency, one spreadsheet showed, I-Soon had to court China’s police and other agencies city by city. In one letter to local officials in western China, the company boasted that it could help with antiterrorism enforcement because it had broken into Pakistan’s counterterrorism unit.

Materials included in the leak that promoted I-Soon’s techniques described technologies built to break into Outlook email accounts and procure information like contact lists and location data from Apple’s iPhones. One document appeared to contain extensive flight records from a Vietnamese airline.

At the same time, I-Soon said it had built technology that could meet the domestic demands of China’s police, including software that could monitor public sentiment on social media inside China. Another tool, made to target accounts on X, could pull email addresses, phone numbers and other identifiable information and, in some cases, help hack those accounts.

In recent years, Chinese law enforcemen­t officials have identified activists and government critics who had posted on X using anonymous accounts from inside and outside China. Often they then used threats to force X users to take down posts.

Mao Ning, a spokeswoman for the Chinese Ministry of Foreign Affairs, said at a news briefing that she was not aware of a data leak from I-Soon. “As a matter of principle, China firmly opposes and cracks down on all forms of cyberattacks in accordance with the law,” she said.

X did not respond to a request seeking comment.

Among the information hacked by I-Soon was a large database of the road network in Taiwan, a democracy that China has long claimed and threatened with invasion. The 459 gigabytes of maps came from 2021, and showed how firms like I-Soon collect information that can be militarily useful, experts said.

Other information included internal email services or intranet access for multiple Southeast Asian government ministries, including Malaysia’s foreign and defense ministries and Thailand’s national intelligence agency. Immigration data from India that covered national and foreign passengers’ flight and visa details was also on offer, according to the files.

In other cases, I-Soon claimed to have access to data from telecommunications companies in Kazakhstan, Mongolia, Myanmar, Vietnam and Hong Kong.

Experts said the huge amount of data from I-Soon could help agencies and companies working to defend against Chinese attacks.

Jonathan Condra, the director of strategic and persistent threats at Recorded Future, a cybersecurity firm, said, “This represents the most significant leak of data linked to a company suspected of providing cyberespionage and targeted intrusion services for the Chinese security services.”
