Chinese contractor’s hacking detailed in leak
Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation’s top policing agency and other parts of its government — a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners.
Among the apparent targets of tools provided by the impacted company, I-Soon: ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China’s far west.
The dump of scores of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security. The dump, which analysts consider highly significant even if it does not reveal any especially novel or potent tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and client and employee lists.
They reveal, in detail, methods used by Chinese authorities to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media.
The documents show apparent I-Soon hacking of networks across Central and Southeast Asia, as well as Hong Kong and the self-ruled island of Taiwan, which Beijing claims as its territory.
The hacking tools are used by Chinese state agents to unmask users of social media platforms outside China such as X, formerly known as Twitter, break into email and hide the online activity of overseas agents. Also described are devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks.
I-Soon and Chinese police are investigating how the files were leaked, the two I-Soon employees told the AP. One of the employees said I-Soon held a meeting Wednesday about the leak and were told it wouldn’t affect business too much and to “continue working as normal.” The AP is not naming the employees — who did provide their surnames, per common Chinese practice — out of concern about possible retribution.
The source of the leak is not known. The Chinese Foreign Ministry did not immediately respond to a request for comment.
IMPACTFUL LEAK
Jon Condra, an analyst with Recorded Future, a cybersecurity company, called it the most significant leak ever linked to a company “suspected of providing cyber espionage and targeted intrusion services for the Chinese security services.” He said organizations targeted by I-Soon — according to the leaked material — include governments, telecommunications firms abroad and online gambling companies within China.
Until the 190-megabyte leak, I-Soon’s website included a page listing clients topped by the Ministry of Public Security and including 11 provincial-level security bureaus and some 40 municipal public security departments.
Another page available until early Tuesday advertised advanced persistent threat “attack and defense” capabilities, using the acronym APT — one the cybersecurity industry employs to describe the world’s most sophisticated hacking groups. Internal documents in the leak describe I-Soon databases of hacked data collected from foreign networks around the world that are advertised and sold to Chinese police.
The company’s website was fully offline later Tuesday. An I-Soon representative refused an interview request and said the company would issue an official statement at an unspecified future date.
MINORITIES TRACKED
One leaked draft contract shows I-Soon was marketing “anti-terror” technical support to Xinjiang police to track the region’s native Uyghurs in Central and Southeast Asia, claiming it had access to hacked airline, cellular and government data from countries like Mongolia, Malaysia, Afghanistan and Thailand. It is unclear whether the contact was signed.
“We see a lot of targeting of organizations that are related to ethnic minorities — Tibetans, Uyghurs. A lot of the targeting of foreign entities can be seen through the lens of domestic security priorities for the government,” said Dakota Cary, a China analyst with the cybersecurity firm SentinelOne.
He said the documents appear legitimate because they align with what would be expected from a contractor hacking on behalf of China’s security apparatus with domestic political priorities.
Cary found a spreadsheet with a list of data repositories collected from victims and counted 14 governments as targets, including India, Indonesia and Nigeria. The documents indicate that I-Soon mostly supports the Ministry of Public Security, he said.
Although a few chat records refer to NATO, there is no indication of a successful hack of any NATO country, an initial review of the data by The Associated Press found. That doesn’t mean state-backed Chinese hackers are not trying to hack the U.S. and its allies, though. If the leaker is inside China, which seems likely, Cary said that “leaking information about hacking NATO would be really, really inflammatory” — a risk apt to make Chinese authorities more determined to identify the hacker.