Very impressive leak
John Condra, an analyst at Recorded Future, a cybersecurity firm, called this the most significant leak ever linked to a company “suspected of providing cyber espionage and targeted intrusion services to Chinese security services.” He said the organizations targeted by I-Soon – according to the leaked materials – include governments, telecom companies abroad and online gambling companies inside China.
Until the 190MB leak, I-Soon's website included a page listing clients led by the Ministry of Public Security, including 11 provincial-level security bureaus and about 40 municipal public security departments.
Another page, still available as of early Tuesday, advertised advanced persistent threat “attack and defense” capabilities, using the abbreviation APT, the term the cybersecurity industry uses to describe the world's most sophisticated hacking groups. Internal documents in the leak describe I-Soon databases of hacked data collected from foreign networks around the world that are advertised and sold to Chinese police.
The company's website was completely offline later Tuesday. An I-Soon representative declined an interview request and said the company will issue an official statement at an unspecified future date.
I-Soon was founded in Shanghai in 2010, according to Chinese corporate records, and has branches in three other cities, including one in the southwestern city of Chengdu responsible for hacking and research and development, according to leaked internal slides.
I-Soon's Chengdu branch was open as usual on Wednesday. Red Lunar New Year lanterns swayed in the wind in a covered alley leading to the five-story building that houses I-Soon's Chengdu offices. Employees milled in and out, smoking cigarettes and drinking coffee outside. Inside, posters bearing the hammer and sickle emblem of the Communist Party carried slogans such as: “Protecting the secrets of the party and the country is a duty owed to every citizen.”
I-Soon's tools appear to be used by Chinese police to curb dissent on social media abroad and flood it with pro-Beijing content. Authorities can directly monitor Chinese social media platforms and order them to remove anti-government posts, but they lack this ability on offshore sites like Facebook or X, which millions of Chinese users rely on to evade state surveillance and censorship.
“There is a lot of interest in social media monitoring and commentary by the Chinese government,” said Mareike Ohlberg, a senior fellow at the German Marshall Fund’s Asia Program, who reviewed some of the documents.
Controlling key positions locally is pivotal to controlling public opinion and thwarting anti-government sentiment, Ohlberg said. “Chinese authorities have a great interest in tracking users residing in China,” she said.
The source of the leak could be “a rival intelligence service, a dissatisfied insider, or even a competing contractor,” said John Hultquist, a senior threat analyst from Google's Mandiant cybersecurity division. Data indicates that I-Soon's sponsors also include the Ministry of State Security and China's military, the People's Liberation Army, Hultquist said.
So many targets, so many countries
One leaked draft contract shows that I-Soon was marketing “counter-terrorism” technical support to Xinjiang police to track down the region's indigenous Uyghurs in Central and Southeast Asia, claiming to have access to compromised airline, mobile and government data from countries such as Mongolia, Malaysia, Afghanistan and Thailand. It is unclear whether the contract was signed.
“We are seeing a lot of targeting of organizations associated with ethnic minorities — Tibetans and Uyghurs. A lot of the targeting of foreign entities can be seen through the lens of the government’s internal security priorities,” said Dakota Cary, a China analyst at cybersecurity firm SentinelOne.
He said the documents appear legitimate because they align with what would be expected of a contractor hacking on behalf of Chinese security services in line with domestic political priorities.
Cary found a spreadsheet containing a list of data repositories collected from victims and counted 14 governments as targets, including India, Indonesia and Nigeria. He added that the documents indicate that I-Soon mostly supports the Ministry of Public Security.
Cary was also shocked that Taiwan's Ministry of Health was targeted to identify the number of COVID-19 cases in early 2021 — and impressed by the low cost of some of the hacks. He said documents show that I-Soon charged $55,000 to hack the Vietnamese Ministry of Economy.
Although some chat logs reference NATO, a preliminary review of the data by The Associated Press found no indication of a successful hack of any NATO country. That doesn't mean Chinese state-backed hackers aren't trying to hack the United States and its allies. If the leaker is inside China, which seems likely, Cary said that “leaking information about the NATO hack would be really controversial” — a risk that would make Chinese authorities more determined to identify the hacker.
Mathieu Tartare, a malware researcher at cybersecurity firm ESET, says he has linked I-Soon to a Chinese government hacking group called Fishmonger that ESET is actively tracking, and which he wrote about in January 2020 after the group hacked Hong Kong universities during student protests. Since 2022, he said, ESET has seen Fishmonger target governments, NGOs and think tanks across Asia, Europe, Central America and the United States.
French cybersecurity researcher Baptiste Robert also combed through the documents and said it appears that I-Soon found a way to hack accounts on X even when they had two-factor authentication enabled, as well as a way to analyze email inboxes. He said US internet operators and their allies are among potential suspects in the I-Soon leak because it is in their interest to expose Chinese government hacking.
A spokeswoman for US Cyber Command did not comment on whether the NSA or Cybercom was involved in the leak. An email came back from X's press office: “Busy now, please check back later.”
Western governments, including the United States, have taken steps to prevent Chinese state surveillance and harassment of government critics abroad in recent years. Such tactics instill fear of the Chinese government in Chinese citizens and foreigners abroad, stifling criticism and leading to self-censorship, said Laura Harth, campaign director at Safeguard Defenders, an advocacy group focused on human rights in China. “They are a looming threat that is ever-present and difficult to eliminate.”
Last year, US officials charged 40 members of Chinese police units tasked with harassing family members of Chinese dissidents abroad as well as spreading pro-Beijing content online. Harth said the indictments describe methods similar to those detailed in the I-Soon documents. Chinese officials accused the United States of similar activity. US officials, including FBI Director Chris Wray, have recently complained that Chinese state hackers are planting malware that could be used to destroy civilian infrastructure.
Mao Ning, a spokeswoman for the Chinese Foreign Ministry, said on Monday that the US government has long been working to endanger China's critical infrastructure. She called on the United States to “stop using cybersecurity issues to discredit other countries.”
Kang reported from Chengdu, China. AP journalists Dede Tang in Washington, D.C., and Larry Finn in New York contributed to this report.
AP