Chinese police are investigating an unauthorized and highly unusual online document dump by a private security contractor linked to the nation’s main police agency and other parts of its government — a trove that catalogs apparent hacking activity and tools to spy on Chinese and foreigners.
Among the apparent targets for tools provided by the influential company, I-Soon: ethnic groups and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the far-flung Muslim region of Xinjiang in western China.
Two employees of I-Soon, known as Anxun in Mandarin, confirmed the dumping of scores of documents late last week and a subsequent investigation. The company has ties to the powerful Ministry of Public Security. The dump, which analysts consider highly significant even if it does not reveal any new or powerful tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and lists of clients and employees.
They reveal, in detail, methods used by Chinese authorities to surveil overseas dissidents, hack other nations and promote pro-Beijing narratives on social media.
The documents show an apparent I-Soon hack on networks across Central and Southeast Asia, as well as Hong Kong and the self-governing island of Taiwan, which Beijing claims as territory.
Chinese state agents use the hacking tools to break into the email of users of social media platforms outside of China such as X, formerly known as Twitter, and to hide the online activity of overseas agents. Also described are devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks.
I-Soon and Chinese police are investigating how the files were leaked, the two I-Soon employees told the AP. One of the employees said that I-Soon had a meeting on Wednesday about the leak and was told that it would not affect business too much and “continue to work as usual.” The AP is not naming the employees — who provided their last names, in accordance with common Chinese practice — because of concerns about possible retaliation.
The source of the leak is unknown. China’s Ministry of Foreign Affairs did not immediately respond to a request for comment.
VERY LOW LEAK
Jon Condra, an analyst with Recorded Future, a cybersecurity company, said the leak was the most significant ever involving a company “suspected of providing cyber espionage and targeted intrusion services to China’s security services.” He said organizations targeted by I-Soon include governments, overseas telecommunications firms and online gaming companies within China, according to the leaked material.
Until the 190-megabyte leak, there was a page on the I-Soon website listing clients, topped by the Ministry of Public Security and including 11 provincial-level security bureaus and about 40 city public security departments.
Another page available until early Tuesday advertised advanced persistent threat “attack and defense” capabilities, using the acronym APT, one used by the cybersecurity industry to describe the most sophisticated hacking groups in the world. Internal documents in the leak describe I-Soon databases of hacked data collected from foreign networks around the world that are advertised and sold to Chinese police.
The company’s website was completely offline later Tuesday. An I-Soon representative declined an interview request and said the company would issue an official statement at an unspecified future date.
I-Soon was founded in Shanghai in 2010, according to Chinese corporate records, and has subsidiaries in three other cities, including one in the southwestern city of Chengdu responsible for hacking, research and development, according to leaked internal slides.
I-Soon’s Chengdu subsidiary was open as usual on Wednesday. Red Lunar New Year lanterns fluttered in the wind in a covered walkway that led to the five-story building that housed the Chengdu I-Soon offices. Employees wandered in and out, smoking cigarettes and sipping coffee outside. Inside, there was a slogan on posters with a hammer and the Communist Party emblem that said: “It is the duty of every citizen to protect the Party and the secrets of the country.”
Chinese police appear to be using I-Soon tools to suppress dissent on social media abroad and flood them with pro-Beijing content. Authorities can directly monitor Chinese social media platforms and order them to take down anti-government posts. But they don’t have that ability on overseas sites like Facebook or X, where millions of Chinese users flock to avoid state surveillance and censorship.
“There is a great interest in monitoring and commenting on social media from the Chinese government’s perspective,” said Mareike Ohlberg, a senior fellow in the German Marshall Fund’s Asia Program. She reviewed some of the documents.
To control public opinion and counter anti-government sentiment, Ohlberg said, controlling key posts at home is critical. “The Chinese authorities,” she said, “are very interested in tracking down users located in China.”
The source of the leak could be “a rival intelligence service, a disgruntled insider, or even a rival contractor,” said lead threat analyst John Hultquist of Google’s Mandiant cybersecurity division. The data shows that I-Soon’s sponsors also include the Ministry of State Security and China’s military, the People’s Liberation Army, Hultquist said.
MANY TARGETS, MANY COUNTRIES
One leaked draft contract shows that I-Soon was marketing “anti-terrorism” technical support to Xinjiang police to track the region’s indigenous Uyghurs in Central and Southeast Asia, claiming it had access to hacked airline, cellular and government data from countries like Mongolia, Malaysia, Afghanistan and Thailand. It is not clear if the contract was signed.
“We see a lot of targeting of organizations associated with ethnic minorities – Tibetans, Uyghurs. Much of the targeting of foreign entities can be seen through the lens of the government’s domestic security priorities,” said Dakota Cary, China analyst with cybersecurity firm SentinelOne.
He said the documents appear legitimate because they are consistent with what would be expected from a hacking contractor on behalf of China’s security apparatus with domestic political priorities.
Cary found a spreadsheet listing the data repositories collected from victims that listed 14 governments as targets, including India, Indonesia and Nigeria. The documents show that I-Soon largely supports the Ministry of Public Security, he said.
Cary was also struck by the targeting of Taiwan’s Ministry of Health to determine its COVID-19 caseload in early 2021, and was impressed by the low cost of some of the hacks. The documents show that I-Soon charged $55,000 to hack Vietnam’s economy ministry, he said.
While a few chat records refer to NATO, there is no indication of a successful hack of any NATO country, an initial review of the data by The Associated Press found. That doesn’t mean state-backed Chinese hackers aren’t trying to hack the United States and its allies, however. If the leak originated inside China, as seems likely, Cary said that “leaking information about the NATO hack would be really, really inflammatory,” a risk that could make the Chinese authorities more determined to identify a hacker.
Mathieu Tartare, a malware researcher at cybersecurity firm ESET, says he has linked I-Soon to a Chinese state hacking group he calls Fishmonger, which he actively tracks and wrote about in January 2020 after the group hacked Hong Kong universities during student protests. He said that since 2022 he has seen it target governments, NGOs and think tanks across Asia, Europe, Central America and the United States.
French cybersecurity researcher Baptiste Robert also combed through the documents and said it appeared I-Soon had found a way to hack accounts on X, formerly known as Twitter, even if they have two-factor authentication, as well as another one to analyze mailboxes. He said US cyber operators and their allies are among potential suspects in the I-Soon leak because it is in their interest to expose Chinese state hacking.
A spokesman for US Cyber Command would not comment on whether the National Security Agency or Cybercom were involved in the leak. An email to the press office at X replied, “Busy now, please check back later.”
Western governments, including the United States, have taken steps to curb Chinese state surveillance and harassment of government critics abroad in recent years. Laura Harth, campaign director at Safeguard Defenders, an advocacy group that focuses on human rights in China, said such tactics of the Chinese government instill fear in Chinese citizens and foreigners abroad, chilling criticism and leading to self-censorship. “They are an ever-present threat and very difficult to destroy.”
Last year, US officials charged 40 members of Chinese police units assigned to harass family members of Chinese dissidents abroad as well as spread pro-Beijing material online. The indictments describe tactics similar to those detailed in the I-Soon documents, Harth said. Chinese officials have accused the United States of similar activity. US officials including FBI Director Chris Wray recently complained about Chinese state hackers planting malware that could be used to damage civilian infrastructure.
On Monday, Mao Ning, a spokeswoman for China’s Ministry of Foreign Affairs, said that the US government has been working for a long time to compromise China’s critical infrastructure. She called on the US to “stop using cyber security issues to smear other countries.”
___
Kang reported from Chengdu, China. AP reporters Didi Tang in Washington, DC, and Larry Fenn in New York contributed to this report.