An online dump of classified Chinese documents from a private security contractor is shining a light on hacking efforts the country’s spy agency uses on both foreigners and Chinese citizens.
The leaked documents show how Chinese authorities deploy these tools to surveil dissidents overseas, hack other nations, and promote pro-Beijing narratives on social media.
A menu of services revealed that $15,000 granted a local government in southwest China access to a traffic police website in Vietnam.
Disinformation campaigns and account hacking on X cost $100,000 – and $278,000 got customers personal information from social media accounts like Telegram and Facebook.
Meanwhile, Chinese police are investigating the hack of the security contractor, which is linked to the nation’s top policing agency and other parts of its government.
The interior of the I-Soon office, also known as Anxun in Mandarin, is seen after office hours in Chengdu in southwestern China’s Sichuan Province on Tuesday, Feb. 20, 2024. Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to China’s top policing agency and other parts of its government
The hacking tools are used by Chinese state agents to unmask users of social media platforms outside China such as X, break into email, and hide the online activity of overseas agents. Also described are devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks.
Among the apparent targets of tools provided by the impacted company, I-Soon: ethnicities and dissidents in parts of China that have seen significant antigovernment protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China’s far west.
Several of India’s government ministries were targeted in 2021, the documents revealed, during the height of China’s border dispute with the country, according to India Today.
The dump of scores of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security.
Analysts consider the dump highly significant even if it does not reveal any especially novel or potent tools. It includes hundreds of pages of contracts, marketing presentations, product manuals, and client and employee lists.
The documents show that I-Soon apparently hacked networks across Central and Southeast Asia, as well as Hong Kong and the self-ruled island of Taiwan, which Beijing claims as its territory.
The ‘Partner’ page on I-Soon’s website will no longer load in the U.S., but the Internet Archive’s Wayback Machine shows that as recently as Tuesday it listed ‘Police-Enterprise Cooperation’ at the top.
The documents in the leak revealed the private contractors role in granting the Chinese government entry into websites of foreign and domestic companies, as well as foreign governments. (AP Photo/Dake Kang)
I-Soon and Chinese police are investigating how the files were leaked, the two I-Soon employees told The Associated Press.
One of the employees said I-Soon held a meeting Wednesday about the leak and were told it wouldn´t affect business too much and to ‘continue working as normal.’ The AP is not naming the employees – who did provide their surnames, per common Chinese practice – out of concern about possible retribution.
The source of the leak is not known. The Chinese Foreign Ministry did not immediately respond to a request for comment.
Jon Condra, an analyst with Recorded Future, a cybersecurity company, called it the most significant leak ever linked to a company ‘suspected of providing cyber espionage and targeted intrusion services for the Chinese security services.’
He said organizations targeted by I-Soon – according to the leaked material – include governments, telecommunications firms abroad, and online gambling companies within China.
Until the 190-megabyte leak, I-Soon’s website included a page listing clients topped by the Ministry of Public Security and including 11 provincial-level security bureaus and some 40 municipal public security departments.
Another page available until early Tuesday advertised advanced persistent threat ‘attack and defense’ capabilities, using the acronym APT – one the cybersecurity industry employs to describe the world´s most sophisticated hacking groups. Internal documents in the leak describe I-Soon databases of hacked data collected from foreign networks around the world that are advertised and sold to Chinese police.
The company’s website was fully offline later Tuesday. An I-Soon representative refused an interview request and said the company would issue an official statement at an unspecified future date.
I-Soon was founded in Shanghai in 2010, according to Chinese corporate records, and has subsidiaries in three other cities, including one in the southwestern city of Chengdu that is responsible for hacking, research, and development, according to leaked internal slides.
I-Soon’s Chengdu subsidiary was open as usual on Wednesday. Red Lunar New Year lanterns swayed in the wind in a covered alleyway leading to the five-story building housing I-Soon’s Chengdu offices. Employees streamed in and out, smoking cigarettes and sipping takeout coffees outside. Inside, posters with the Communist Party hammer and stickle emblem featured slogans that read: ‘Safeguarding the Party and the country’s secrets is every citizen’s required duty.’
In response to the news of the leaks, Chinese Foreign Ministry spokesperson Mao Ning claimed that the U.S. has long been working to compromise the country’s critical infrastructure. She demanded that the U.S. ‘stop using cybersecurity issues to smear other countries.’
I-Soon’s tools appear to be used by Chinese police to curb dissent on overseas social media and flood them with pro-Beijing content. Authorities can surveil Chinese social media platforms directly and order them to take down antigovernment posts. But they lack that ability on overseas sites like Facebook or X, where millions of Chinese users flock to in order to evade state surveillance and censorship.
‘There’s a huge interest in social media monitoring and commenting on the part of the Chinese government,’ said Mareike Ohlberg, a senior fellow in the Asia Program of the German Marshall Fund. She reviewed some of the documents.
To control public opinion and forestall antigovernment sentiment, Ohlberg said, control of critical posts domestically is pivotal. ‘Chinese authorities,’ she said, ‘have a big interest in tracking down users who are based in China.’
The source of the leak could be ‘a rival intelligence service, a dissatisfied insider, or even a rival contractor,’ said chief threat analyst John Hultquist of Google’s Mandiant cybersecurity division. The data indicates I-Soon’s sponsors also include the Ministry of State Security and China’s military, the People´s Liberation Army, Hultquist said.
One leaked draft contract shows I-Soon was marketing ‘anti-terror’ technical support to Xinjiang police to track the region´s native Uyghurs in Central and Southeast Asia, claiming it had access to hacked airline, cellular, and government data from countries like Mongolia, Malaysia, Afghanistan, and Thailand. It is unclear whether the contact was signed.
Beijing has a strong interest in monitoring Chinese citizens on foreign social media sites like Facebook and X, sites that are not as easy for the government to access. (AP Photo/Dake Kang)
The leaked documents also revealed how the Chinese government used private contractor I-Soon to spread pro-Beijing sentiment on social media. (AP Photo/Dake Kang)
‘We see a lot of targeting of organizations that are related to ethnic minorities – Tibetans, Uyghurs. A lot of the targeting of foreign entities can be seen through the lens of domestic security priorities for the government,’ said Dakota Cary, a China analyst with the cybersecurity firm SentinelOne.
He said the documents appear legitimate because they align with what would be expected from a contractor hacking on behalf of China’s security apparatus with domestic political priorities.
Cary found a spreadsheet with a list of data repositories collected from victims and counted 14 governments as targets, including India, Indonesia, and Nigeria. The documents indicate that I-Soon mostly supports the Ministry of Public Security, he said.
Cary was also struck by the targeting of Taiwan’s Health Ministry to determine its COVID-19 caseload in early 2021 – and impressed by the low cost of some of the hacks. The documents show that I-Soon charged $55,000 to hack Vietnam’s economy ministry, he said.
Although a few chat records refer to NATO, there is no indication of a successful hack of any NATO country, an initial review of the data by the AP found. That doesn’t mean state-backed Chinese hackers are not trying to hack the U.S. and its allies, though. If the leaker is inside China, which seems likely, Cary said that ‘leaking information about hacking NATO would be really, really inflammatory’ – a risk apt to make Chinese authorities more determined to identify the hacker.
It is not yet clear who the source of the document leak was. One expert from Google suspected it could be ‘a rival intelligence service, a dissatisfied insider, or even a rival contractor.’ (AP Photo/Dake Kang)
A signboard reading ‘Anti-cyber crime office’ is displayed near an entrance door to the I-Soon office. Minority groups like the Uyghurs were among those targeted by the firm, according to the leaked documents. (AP Photo/Dake Kang)
Mathieu Tartare, a malware researcher at the cybersecurity firm ESET, says it has linked I-Soon to a Chinese state hacking group it calls Fishmonger that it actively tracks and which it wrote about in January 2020 after the group hacked Hong Kong universities during student protests. He said it has, since 2022, seen Fishmonger target governments, NGOs and think tanks across Asia, Europe, Central America and the United States.
French cybersecurity researcher Baptiste Robert also combed through the documents and said it seemed I-Soon had found a way to hack accounts on X, even if they have two-factor authentication, as well as another for analyzing email inboxes. He said U.S. cyber operators and their allies are among potential suspects in the I-Soon leak because it’s in their interests to expose Chinese state hacking.
A spokeswoman for U.S. Cyber Command wouldn’t comment on whether the National Security Agency or Cybercom were involved in the leak. An email to the press office at X responded, ‘Busy now, please check back later.’
Western governments, including the United States, have taken steps to block Chinese state surveillance and harassment of government critics overseas in recent years. Laura Harth, campaign director at Safeguard Defenders, an advocacy group that focuses on human rights in China, said such tactics instill fear of the Chinese government in Chinese and foreign citizens abroad, stifling criticism and leading to self-censorship. ‘They are a looming threat that is just constantly there and very hard to shake off.’
Last year, U.S. officials charged 40 members of Chinese police units assigned to harass the family members of Chinese dissidents overseas as well as to spread pro-Beijing content online. The indictments describes tactics similar to those detailed in the I-Soon documents, Harth said. Chinese officials have accused the United States of similar activity. U.S. officials including FBI Director Chris Wray have recently complained about Chinese state hackers planting malware that could be used to damage civilian infrastructure.
On Monday, Mao Ning, a Chinese Foreign Ministry spokeswoman, said the U.S. government has long been working to compromise China’s critical infrastructure. She demanded the U.S. ‘stop using cybersecurity issues to smear other countries.’