An online dump of Chinese hacking documents offers a rare insight into ubiquitous state surveillance

Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor tied to the country’s top police agency and other parts of the government — a trove that catalogs apparent hacking activities and tools to spy on both Chinese and foreigners.

The apparent targets of the tools exposed in the breach of the company, I-Soon, include ethnic groups and dissidents in parts of China where significant anti-government protests have taken place, such as Hong Kong or the heavily Muslim region of Xinjiang in China’s far west.

The dump of dozens of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security. The dump, which analysts consider highly significant even if it doesn’t reveal particularly new or powerful tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and customer and employee lists.

They reveal in detail the methods used by Chinese authorities to surveil dissidents abroad, hack into other countries and promote pro-Beijing narratives on social media.

The documents show that I-Soon hacked networks across Central and Southeast Asia, as well as in Hong Kong and the self-governing island of Taiwan, which Beijing claims as its territory.

The hacking tools are used by Chinese state agents to unmask users of social media platforms outside China such as X, formerly known as Twitter, break into emails and hide the online activities of foreign agents. The documents also describe devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks.

I-Soon and Chinese police are investigating how the files were leaked, the two I-Soon employees told the AP. One of the employees said I-Soon held a meeting about the leak on Wednesday and was told it wouldn’t affect business too much and that he should “just keep working.” The AP is not naming the employees — who did provide their last names, as is customary in China — out of concern about possible retaliation.

The source of the leak is unknown. The Chinese Foreign Ministry did not immediately respond to a request for comment.

A VERY IMPACTFUL LEAK

Jon Condra, an analyst at Recorded Future, a cybersecurity firm, called it the largest ever breach involving a company “suspected of providing cyber espionage and targeted intrusion services for China’s security services.” He said organizations targeted by I-Soon – according to the leaked material – include governments, telecommunications companies abroad and online gambling companies in China.

Until the 190-megabyte leak, I-Soon’s website contained a page listing clients, topped by the Ministry of Public Security and including eleven provincial-level security bureaus and about forty municipal public security departments.

Another page, available until early Tuesday, promoted advanced persistent threat “attack and defense” capabilities, using the acronym APT, the term the cybersecurity industry uses to describe the world’s most sophisticated hacking groups. Internal documents in the leak describe I-Soon databases containing hacked data collected from foreign networks around the world that are advertised and sold to Chinese police.

The company’s website was completely offline later Tuesday. An I-Soon representative declined an interview request, saying the company would issue an official statement at an undisclosed date in the future.

I-Soon was founded in Shanghai in 2010, according to Chinese company records, and has subsidiaries in three other cities, including one in the southwestern city of Chengdu, which is responsible for hacking, research and development, leaked internal slides show.

I-Soon’s subsidiary in Chengdu was open as usual on Wednesday. Red New Year lanterns swayed in the wind in a covered alley leading to the five-story building that housed I-Soon’s offices in Chengdu. Employees flowed in and out, smoking cigarettes and drinking takeout coffee outside. Inside were posters with the hammer and sickle emblem of the Communist Party and slogans such as: “Protecting the party and the country’s secrets is the duty of every citizen.”

I-Soon’s tools appear to be used by Chinese police to curb dissent on foreign social media and flood it with pro-Beijing content. Authorities can directly monitor Chinese social media platforms and order them to remove anti-government posts. But they lack that option on foreign sites like Facebook or X, where millions of Chinese users come to avoid state surveillance and censorship.

“There is a huge interest on the part of the Chinese government in monitoring and commenting on social media,” said Mareike Ohlberg, a senior fellow at the German Marshall Fund’s Asia program. She reviewed some of the leaked documents.

To keep public opinion in check and prevent anti-government sentiment, control over critical posts at home is crucial, Ohlberg said. “Chinese authorities,” she said, “have a strong interest in tracking down users based in China.”

The source of the leak could be “a rival intelligence agency, a disgruntled insider or even a rival contractor,” said chief threat analyst John Hultquist of Google’s Mandiant cybersecurity division. The data shows that I-Soon’s sponsors also include the Ministry of State Security and the Chinese military, the People’s Liberation Army, Hultquist said.

MANY OBJECTIVES, MANY COUNTRIES

A leaked draft contract shows that I-Soon was selling counter-terrorism technical support to Xinjiang police to track down ethnic Uyghurs in Central and Southeast Asia, claiming it had access to hacked aviation, mobile and government data from countries such as Mongolia, Malaysia, Afghanistan and Thailand. It is unclear whether the contract was signed.

“We see that many organizations are targeting ethnic minorities – Tibetans, Uyghurs. Many of the attacks on foreign entities can be viewed through the lens of homeland security priorities for the government,” said Dakota Cary, a China analyst at cybersecurity firm SentinelOne.

He said the documents appear legitimate because they fit what would be expected of a contractor hacking on behalf of China’s security apparatus with domestic political priorities.

Cary found a spreadsheet with a list of data repositories collected from victims and counted fourteen governments as targets, including India, Indonesia and Nigeria. The documents show that I-Soon mainly supports the Ministry of Public Security, he said.

Cary was also struck by the targeting of Taiwan’s Ministry of Health to determine COVID-19 case counts in early 2021, and was impressed by the low cost of some of the hacks. The documents show that I-Soon charged $55,000 to hack Vietnam’s Ministry of Economy, he said.

While some chat data points to NATO, an initial review of the data by The Associated Press found no evidence of a successful hack of any NATO country. That doesn’t mean state-backed Chinese hackers aren’t trying to hack the US and its allies. If the leaker is in China, which seems likely, Cary said that “leaking information about NATO hacking would be really incendiary,” a risk that would make Chinese authorities more determined to identify the person responsible.

Mathieu Tartare, a malware researcher at the cybersecurity firm ESET, says his firm has linked I-Soon to a Chinese state hacking group it calls Fishmonger, which it is actively tracking and wrote about in January 2020 after the group hacked universities in Hong Kong during student protests. He said that since 2022, Fishmonger has been targeting governments, NGOs and think tanks in Asia, Europe, Central America and the United States.

French cybersecurity researcher Baptiste Robert also reviewed the documents and said it appeared that I-Soon had found a way to hack into accounts on X, formerly known as Twitter, even when they have two-factor authentication enabled, as well as a separate tool for analyzing email inboxes. He said US cyber operators and their allies are among the potential suspects in the I-Soon leak because it is in their interest to expose hacking by the Chinese state.

A spokeswoman for U.S. Cyber Command would not say whether the National Security Agency or Cybercom were involved in the leak. An email to X’s press office received the reply: “Busy now, check back later.”

Western governments, including the United States, have taken steps in recent years to block Chinese state surveillance and intimidation of government critics abroad. Laura Harth, campaign director at Safeguard Defenders, an advocacy group focused on human rights in China, said such tactics instill fear of the Chinese government among Chinese and foreign citizens abroad, stifling criticism and leading to self-censorship. “They pose a looming threat that is constantly present and very difficult to shake off.”

Last year, US officials charged 40 members of Chinese police units tasked with harassing relatives of Chinese dissidents abroad and spreading pro-Beijing content online. The charges describe tactics similar to those described in the I-Soon documents, Harth said. Chinese officials have accused the United States of similar activities. US officials, including FBI Director Christopher Wray, have recently warned about Chinese state hackers installing malware that could be used to damage civilian infrastructure.

On Monday, Mao Ning, a spokeswoman for China’s Foreign Ministry, said the US government has long been working to compromise China’s critical infrastructure. She demanded that the US “stop using cybersecurity issues to smear other countries.”

___

Kang reported from Chengdu, China. AP journalists Didi Tang in Washington, DC, and Larry Fenn in New York contributed to this report.
