Massive leak reveals extent of China’s foreign hacking activities
Chinese police are currently investigating a major data breach originating from a private security contractor with alleged ties to Chinese state security. The data, which originated from the contractor I-Soon and was uploaded to the code repository GitHub.com, provides unprecedented insight into the inner workings of an international cybersecurity operation.
This isn’t the first time GitHub has been used to host cybercriminal activity. In January of this year it was revealed that several bad actors were deploying malicious payloads within GitHub’s legitimate traffic, abusing its file- and code-sharing capabilities. The cybercriminals were also able to redirect this traffic to phishing sites.
The leaked documents not only outlined the hacking activities and some of the tools used by the company, but also provided an insider’s view of the targets. This includes at least fourteen international government agencies, universities and, perhaps unsurprisingly, Hong Kong agencies. It should be noted that the authenticity of the documents remains unconfirmed, although much of the information matches known threat vectors that have historically originated in the People’s Republic of China.
I-Soon, also known as Shanghai Anxun Information Company, was founded in Shanghai in 2010 and has several offices in China. The company’s website, which is currently offline, showed off a number of cybersecurity services, many of which were detailed in the 190-megabyte leak. The client page listed a number of Chinese regional security bureaus and public security departments, as well as the country’s Ministry of Public Security.
The leaked data consists of an assortment of documents, screenshots and private chat conversations. The material also contains a selection of everyday information, such as complaints about low wages in the company and the gambling habits of employees. One of the interesting aspects of the leak is that AI translation has opened up the data to many more analysts than was previously possible. The barrier to entry is now much lower, because analysts who are not specialist sinologists can assess the information more quickly and easily. For example, we were able to use ChatGPT Vision to decode and translate some document images with OCR in seconds, something that would have taken much longer in the past.
The uploads began sometime in mid-February, with thousands of WeChat messages and marketing documents hitting GitHub servers. A large number of sales presentation documents detailing the company’s hacking capabilities and past exploits are among the trove. According to reports, the data explicitly mentions terrorism-related targets that the company has previously hacked, including some in Pakistan and Afghanistan. The leaked documents also reportedly include the fees earned for some of these hacking projects. For example, one report says the company made $55,000 collecting data from another country’s Ministry of Economy.
There are still few, if any, clues about the perpetrators of the leak – or even their motives – but it appears that a Taiwanese analyst discovered the leaked cache on GitHub and immediately shared it on their social media. An anonymous I-Soon employee told the Associated Press that there is currently an ongoing investigation within the company, and that employees were told to “just keep working” while the investigation was ongoing.
While this breach may not be earth-shattering in terms of raw content, it gives the world a rare and intimate glimpse into the reality on the front lines of the dark global espionage world. It turns out that a lot of it is probably not so much James Bond, more office parties and petty employee feuds.