Online dump of Chinese hacking documents offers rare window into widespread state surveillance

By | February 21, 2024

Chinese police are investigating an unauthorized and highly unusual online document dump from a private security contractor with ties to the country’s top police agency and other parts of its government; it’s a treasure trove listing apparent hacking activities and tools used to spy on both Chinese and foreigners.

The apparent targets of the tools provided by the affected company, I-Soon, include ethnic groups and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the Muslim-majority Xinjiang region in China’s far west.

The distribution of scores of documents and subsequent investigation late last week was confirmed by two employees of I-Soon, known as Anxun in Mandarin, with ties to the powerful Ministry of Public Security. The dump, which analysts consider extremely important even if it doesn’t reveal any particularly new or powerful tools, includes hundreds of pages of contracts, marketing presentations, product manuals and customer and employee lists.

They detail methods used by Chinese officials to spy on dissidents abroad, hack other countries and promote pro-Beijing rhetoric on social media.

The documents show I-Soon hacked networks in Central and Southeast Asia, as well as networks in Hong Kong and the self-governing island of Taiwan, which Beijing claims as its own territory.

Hacking tools are being used by Chinese government officials to unmask users of social media platforms outside China, such as X, formerly known as Twitter, to infiltrate emails and hide the online activities of representatives abroad. Also described are devices that appear to be extension cords and batteries that can be used to compromise Wi-Fi networks.

Two I-Soon employees told the AP that I-Soon and Chinese police are investigating how the files were leaked. One of the employees said I-Soon held a meeting about the leak on Wednesday and was told it would not affect the business too much and to “continue operating normally”. The AP is not naming the employees, who gave only their surnames, in keeping with common Chinese practice, out of concern about possible retribution.

The source of the leak is unknown. China’s Foreign Ministry did not immediately respond to a request for comment.

AN EXTREMELY EFFECTIVE LEAK

Jon Condra, an analyst at Recorded Future, a cybersecurity firm, called it the most significant leak yet linked to a company “suspected of providing cyberespionage and targeted intrusion services for Chinese security services.” According to the leaked material, the organizations targeted by I-Soon include governments, overseas telecommunications firms and online gambling companies in China.

Until the 190-megabyte leak, I-Soon’s website included a page listing clients, headed by the Ministry of Public Security and including 11 provincial-level security bureaus and approximately 40 municipal public security departments.

Another page, available until early Tuesday, advertised advanced persistent threat “offensive and defensive” capabilities, using the acronym APT, which the cybersecurity industry uses to describe the world’s most advanced hacking groups. Leaked internal documents describe databases that I-Soon collected from foreign networks around the world and advertised and sold to Chinese police.

The company’s website was completely offline later Tuesday. An I-Soon representative declined an interview request and said the company would release an official statement at an unspecified future date.

I-Soon was founded in Shanghai in 2010, according to Chinese corporate filings, and has subsidiaries in three other cities, including the southwestern city of Chengdu, which is responsible for hacking, research and development, according to leaked internal slides.

I-Soon’s Chengdu subsidiary was open as usual on Wednesday. Red Lunar New Year lanterns swayed in the wind in a covered alleyway leading to the five-story building where I-Soon’s Chengdu offices are located. Employees were coming in and out, smoking outside and sipping takeaway coffees. Inside, posters bearing the Communist Party hammer and sickle emblem carried the slogan: “It is the obligatory duty of every citizen to protect the Party and the country’s secrets.”

I-Soon’s tools appear to be used by Chinese police to suppress dissent on overseas social media and flood it with pro-Beijing content. Authorities can directly monitor Chinese social media platforms and order them to remove anti-government posts. But they lack this ability on overseas sites like Facebook or X, where millions of Chinese users flock to escape government surveillance and censorship.

“The Chinese government has a keen interest in monitoring and commenting on social media,” said Mareike Ohlberg, a senior fellow at the German Marshall Fund’s Asia Program, who examined some of the documents.

Ohlberg said control of critical posts within the country is vital to control public opinion and prevent anti-government sentiment. “Chinese authorities,” she said, “have a keen interest in tracking down users based in China.”

John Hultquist, chief threat analyst at Google’s Mandiant cybersecurity division, said the source of the leak could be “a rival intelligence service, a dissatisfied insider, or even a rival contractor.” According to the documents, I-Soon’s sponsors also include the Ministry of State Security and the Chinese military, the People’s Liberation Army, Hultquist said.

MANY TARGETS, MANY COUNTRIES

A leaked contract draft shows I-Soon marketing “counter-terrorism” technical support to Xinjiang police to track the region’s native Uyghurs in Central and Southeast Asia, claiming to have access to hacked airline, mobile phone and government data from countries such as Mongolia, Malaysia, Afghanistan and Thailand. It is unclear whether the contract was signed.

“We see that many organizations affiliated with ethnic minorities such as Tibetans and Uyghurs are targeted. Much of the targeting of foreign organizations can be seen in terms of the government’s internal security priorities,” said Dakota Cary, a China analyst at cybersecurity firm SentinelOne.

He said the documents appeared legitimate because they dovetailed with the domestic political priorities one would expect from a contractor hacking on behalf of China’s security apparatus.

Cary found a spreadsheet listing data repositories collected from victims and counted 14 governments as targets, including India, Indonesia and Nigeria. The documents show I-Soon mostly supports the Ministry of Public Security, he said.

Cary was also struck by the targeting of Taiwan’s Ministry of Health to determine the COVID-19 caseload in early 2021, and by the low cost of some of the hacks. Documents show I-Soon charged $55,000 to hack Vietnam’s economy ministry, he said.

An initial investigation by The Associated Press found no indication that any NATO countries had been successfully hacked, although several chat logs referenced NATO. But that doesn’t mean state-sponsored Chinese hackers aren’t trying to hack the United States and its allies. Cary said that if the leaker was inside China, which seems likely, “leaking information about the hacking of NATO would be very provocative indeed”, a risk that could make Chinese officials more determined to identify the leaker.

Mathieu Tartare, a malware researcher at cybersecurity firm ESET, says he linked I-Soon to the Chinese state hacking group he calls Fishmonger, which he actively follows and wrote about in January 2020 after the group hacked Hong Kong universities during student protests. He said they have seen Fishmonger targeting governments, NGOs and think tanks in Asia, Europe, Central America and the United States since 2022.

French cybersecurity researcher Baptiste Robert also scanned the documents and said I-Soon had found a way to hack accounts on X, formerly known as Twitter, even when they had two-factor authentication enabled, as well as another way to analyze email inboxes. He said US cyber operators and their allies were among potential suspects in the I-Soon leak because it was in their interest to expose Chinese state hacking.

A spokesman for U.S. Cyber Command did not comment on whether the National Security Agency or Cybercom was involved in the leak. An email sent to the press office at X received the reply: “Currently busy, please check back later.”

Western governments, including the United States, have taken steps in recent years to curb Chinese state surveillance and harassment of government critics abroad. Such tactics instill fear of the Chinese government in Chinese and foreign citizens abroad, stifle criticism and lead to self-censorship, said Laura Harth, campaign director for Safeguard Defenders, an advocacy group focused on human rights in China. “They are a looming threat that is always there and very difficult to get rid of.”

Last year, US officials charged 40 members of Chinese police units tasked with harassing family members of Chinese dissidents abroad and spreading pro-Beijing content online. Harth said the indictments describe tactics similar to those detailed in the I-Soon documents. Chinese officials have accused the United States of engaging in similar activities. US officials, including FBI Director Christopher Wray, recently complained that Chinese state hackers were planting malware that could be used to damage civilian infrastructure.

On Monday, Chinese Foreign Ministry spokesman Mao Ning said the US government has long been working to endanger China’s critical infrastructure. He demanded that the United States “stop using cybersecurity issues to denigrate other countries.”

___

Kang reported from Chengdu, China. AP journalists Didi Tang in Washington, D.C., and Larry Fenn in New York contributed to this report.
