BEIJING (AP) — The hotel was spacious. It was classy. It had a karaoke bar. The CEO of a Chinese hacking company believed it was the ideal setting to hold a Lunar New Year banquet to curry favor with government officials. His first deputy said there was only one flaw.
“Who goes there?” the deputy wrote. “Girls are so ugly.”
Such are the sordid behind-the-scenes dealings of China's hacking industry, as revealed in an unusual leak last month of internal documents from a private contractor linked to the Chinese government and police. The documents revealed that China's hacking industry suffers from questionable business practices, dissatisfaction with wages and work quality, and poor security protocols.
Private hacking contractors are companies that steal data from other countries to sell to Chinese authorities. Over the past two decades, Chinese state security services' demand for foreign intelligence has skyrocketed, giving rise to a vast network of private hacking firms for hire that have infiltrated hundreds of systems outside China.
Although the existence of these hacking contractors is an open secret in China, little was known about how they operated. But the leaked documents, from a company called I-Soon, pull back the curtain, revealing a seedy, sprawling industry where corners are cut and rules are arcane and poorly enforced in the pursuit of making money.
Leaked chat logs show I-Soon executives trying to woo officials over lavish dinners and late-night binge drinking. They collude with competitors to rig bids for government contracts. They pay thousands of dollars in “introduction fees” to contacts who offer them profitable projects. I-Soon did not comment on the documents.
May Danowski, a cybersecurity analyst who wrote about I-Soon on her blog, NATO ideas, said the documents show that Chinese hackers for hire operate like any other industry in China.
“It's profit-driven,” Danowski said. “It's governed by the business culture in China – who you know, who you have dinner with, who you are friends with.”
Hacking that was designed as patriotic
China's hacking industry grew out of the country's early hacking culture, first appearing in the 1990s when citizens bought computers and connected to the Internet.
Among them was I-Soon's founder and CEO, Wu Haibo. Wu was a member of China's first hacktivist group, the Green Army – a group informally known as the Whampoa Academy after a famous Chinese military school.
Wu and some other hackers distinguished themselves by declaring themselves “Red Hackers”—patriots who offered their services to the Chinese Communist Party, in contrast to the free, anarchistic, anti-establishment spirit common among many programmers.
In 2010, Wu founded I-Soon in Shanghai. His interviews with Chinese media depict a man determined to boost his country's hacking capacity to catch up with competitors. In a 2011 interview, Wu lamented that China still lags far behind the United States: “There are many technology enthusiasts in China, but very few enlightened people.”
With the spread of the Internet, the hacking-for-hire industry has flourished in China, focusing on espionage and intellectual property theft.
High-level hacks by Chinese state agents, including one at the U.S. Office of Personnel Management in which personal data on 22 million current or potential federal employees was stolen, became so serious that then-President Barack Obama personally complained to Chinese leader Xi Jinping. They agreed in 2015 to reduce espionage activities.
For a few years, the intrusions subsided. But soon I-Soon and other private hacking groups became more active than ever, providing Chinese state security forces with cover and deniability. John Hultquist, a senior analyst at Google's Mandiant cybersecurity unit, said I-Soon is “part of an ecosystem of contractors with ties to China's national hacking scene.”
These days, Chinese hackers are a powerful force.
In May 2023, Microsoft revealed that a Chinese state-sponsored hacking group affiliated with the People's Liberation Army called Volt Typhoon had been targeting critical infrastructure such as communications and ports on Guam, Hawaii and elsewhere, and could lay the groundwork for disruption in the event of conflict.
Today, hackers like those who work at I-Soon outnumber FBI cybersecurity staff by “at least 50 to one,” FBI Director Christopher Wray said in January at a conference in Munich.
The documents reveal an unhealthy, state-led industry
Although I-Soon boasted of its hacking prowess in slick marketing PowerPoint presentations, the real work was done at hot parties, late-night drinking sessions and poaching wars with competitors, leaked records show. A picture emerges of a company embroiled in a seedy, sprawling industry that relies heavily on connections to get things done.
The I-Soon leadership discussed buying gifts and which officials liked red wine. They exchanged tips on who is lightweight and who can handle alcohol.
Chat logs show that I-Soon executives paid “introduction fees” for lucrative projects, including tens of thousands of renminbi (thousands of dollars) to a man who awarded them a 285,000 yuan ($40,000) contract with police in Hebei province. To sweeten the deal, Chen Qing, I-Soon's chief operating officer, suggested arranging a drinking and karaoke session with the women.
“He likes touching girls,” Chen wrote.
It wasn't just officials who were courted. Rivals were also the target of late-night drinking sessions. Some of them were partners – subcontractors or collaborators on government projects. Others were hated competitors who constantly poached their employees. Oftentimes, it was both.
One of them, Chinese cybersecurity giant Qi Anxin, was particularly disliked, despite being one of I-Soon's main investors and business partners.
“Qi Anxin's HR is a green tea whore who seduces our young men everywhere and has no morals,” COO Chen wrote to Wu, the CEO, using a Chinese online slur referring to innocent-looking but ambitious young women.
I-Soon also has a complicated relationship with Chengdu 404, a rival accused by the U.S. Department of Justice of penetrating more than 100 targets around the world. Chinese court records showed they worked with 404 and drank with their executives, but were late in making payments to the company and were eventually sued over a software development contract.
The source of the I-Soon documents is unclear, and Chinese executives and police are investigating. Although Beijing has repeatedly denied its involvement in offensive hacking, the leak illustrates the deep ties of I-Soon and other hacking companies to the Chinese state.
For example, chat logs show that China's Ministry of Public Security gave companies access to proofs of concept of so-called “zero days,” an industry term for a previously unknown software vulnerability. Zero days are valued because they can be exploited until they are discovered. Company executives quickly discussed how to obtain them. They are regularly discovered in the annual Chinese state-sponsored hacking contest.
In other records, executives discussed sponsoring hacking competitions at Chinese universities to scout new talent.
The leaked contract list showed that many of I-Soon's clients were police in cities across China. I-Soon looked for databases that it thought would sell well with officers, such as data on Vietnamese traffic for the southeastern Yunnan province, or data on exiled Tibetans for the Tibetan regional government.
Occasionally, I-Soon hacked on request. One conversation shows two parties discussing a potential “long-term client” interested in data from several government offices relating to an unspecified “prime minister.”
Chinese corporate records show that a Chinese government body, the Chinese Academy of Sciences, also owns a small stake in I-Soon through a Tibetan investment fund.
I-Soon declared their patriotism to win new business. Senior executives discussed participating in China's poverty alleviation plan – one of the distinctive initiatives of Chinese leader Xi Jinping – to make connections. Wu, I-Soon's CEO, suggested that his COO become a member of the Chengdu People's Political Consultative Conference, a government advisory body composed of scholars, businessmen and other prominent members of society. In interviews with state media, Wu quoted Mencius, a Chinese philosopher, presenting himself as a scholar concerned with China's national interest.
But despite his professed patriotism, the leaked chat logs tell a more complicated story. They depict a competitive man eager to get rich.
“You cannot be Lei Feng,” Wu wrote in private letters, referring to the long-dead Communist worker who has been held up in propaganda for generations as a model of self-denial. “If you don't make money, fame is useless.”
Lax security and poor wages among hackers
China's thriving hacker-for-hire industry has been hit hard by the country's recent economic downturn. Leaked documents show that this has led to slim profits, low wages and an exodus of talent.
I-Soon lost money, had cash flow problems, and was late in making payments to subcontractors. In the past few years, the epidemic has hit China's economy, prompting the police to pull back on spending, which hurt I-Soon's bottom line. “The government has no money,” I-Soon’s chief operating officer wrote in 2020.
Employees are often poorly paid. In a salary document dated 2022, most employees on I-Soon's safety evaluation and software development teams earned salaries ranging from just 5,600 yuan ($915) to 9,000 yuan ($1,267) per month, with only a few earning more than that. In the documents, I-Soon officials acknowledged the low salary and expressed concern about the company's reputation.
Chat logs show that low salaries and pay disparities prompted employees to complain. Leaked employee rosters show that most I-Soon employees have a degree from a vocational training school, rather than a university degree, indicating lower levels of education and training. Sales staff reported that customers were dissatisfied with the quality of I-Soon's data, making it difficult to collect payments.
I-Soon is a small part of China's hacking ecosystem. The country boasts world-class hackers, many of whom work in the Chinese military and other state institutions. But the company's problems reflect broader issues in China's private hacking industry. The country's crumbling economy, Beijing's tightening controls and the growing role of the state have led to an exodus of top hacking talent, four cybersecurity analysts and Chinese industry insiders told The Associated Press.
“China is no longer the country we knew. A lot of highly skilled people have left,” said one industry insider, declining to give his name to talk about a sensitive topic. The source added that under Xi, the state's growing role in China's technology industry has prioritized ideology over efficiency, hampered wages and made access to officials pivotal.
One major issue, the people say, is that most Chinese officials lack the technical knowledge to verify contractors' claims. So hacking companies prioritize gaining favor over providing excellence.
In recent years, Beijing has heavily promoted China's technology industry and the use of technology in government, as part of a broader strategy to facilitate the country's rise. But much of China's data and cybersecurity work has been outsourced to smaller subcontractors with junior programmers, leading to poor digital practices and major data leaks.
Despite the secretive nature of I-Soon's work, the company has surprisingly lax security protocols. For example, I-Soon's offices in Chengdu have minimal security and are open to the public, despite posters on the walls of its offices reminding employees that “preserving the secrets of the country and the Party is the duty required of every citizen.” Leaked files show that senior I-Soon executives frequently communicated via WeChat, which lacks end-to-end encryption.
Documents show that employees are vetted for political reliability. For example, one measure shows that I-Soon checks whether employees have any relatives abroad, while another shows that employees are classified according to whether they are members of China's ruling Communist Party.
However, many standards in China are often “just for show,” says Danowski, the cybersecurity analyst. But she added that in the end, it may not matter.
“It's a bit sloppy. The tools are not impressive. But the Ministry of Public Security sees that you get the job done,” she said of I-Soon. “They will hire whoever can get the job done.”
___
Su reported from Hong Kong. AP Technology Writer Frank Bajak in Boston contributed to this report.