A massive trove of over 570 documents from a Chinese security firm called I-Soon was leaked online by persons unknown last Friday, revealing that the company worked for the Chinese government as a hacker-for-hire, billing Beijing up to $278,000 to spy on dissidents and attack corporate targets around the world.
I-Soon’s targets included Hong Kong pro-democracy protesters, the oppressed Uyghur Muslims, the governments of Taiwan, India, South Korea, Vietnam, and Thailand, and NATO.
The documents, which were posted to file sharing site GitHub, included details of sophisticated hacking tools and surveillance methods employed by the mercenary espionage agents. Their weapons include physical devices, like surge protectors and battery backups, that allow Chinese agents to break into nearby wi-fi networks.
I-Soon developed software that would steal the account information of Twitter users, including their email addresses and phone numbers. Hackers could read the private messages of compromised users and post disinformation using their Twitter accounts. The company also provided the Chinese government with an arsenal of malware designed to infect the Windows, iPhone, and Droid operating systems, as well as secure devices that Chinese agents could use to communicate overseas without fear of interception.
I-Soon evidently had a relationship with China’s Ministry of State Security similar to pirates of old working under letters of marque from feuding governments. The leaked material includes chat logs and financial records documenting this relationship, and they also make it clear I-Soon was not the only pirate for hire. Chinese hacker groups and security firms apparently submit bids to the Ministry of State Security to conduct cyber espionage under contract.
I-Soon worked hard to secure contracts to spy on the Uyghurs, according to analysts who pored over the leaked documents for security firm SentinelLabs.
“[I-Soon] listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan,” SentinelLabs told Agence France-Presse (AFP) on Thursday.
Documented fees collected from the Chinese state for espionage contracts ranged from $15,000 for hacking into a Vietnamese police website, $55,000 for penetrating another Vietnamese government agency, and up to $278,000 for spying on the social media activity of dissidents. The BBC said the software that could hack user accounts on Twitter was priced at roughly $100,000.
The BBC transcribed documents describing I-Soon competing for a contract to hack the UK Foreign Office, and apparently losing to another mercenary hacker company:
In one undated chat log between “Boss Lu” and another unnamed user, the UK Foreign Office is revealed to be a priority target for i-Soon.
The unnamed participant says they have access to a Foreign Office software vulnerability. However, Boss Lu then says to focus on another organization because a rival contractor has been awarded the work.
In another chat log, a user sends a list of UK targets to i-Soon that include the British Treasury, Chatham House and Amnesty International.
Other capers described in the documents included stealing immigration data from India, road maps from Taiwan, and terabytes of call logs from telecom companies in South Korea, Hong Kong, Kazakhstan, Malaysia, Mongolia, Nepal, and Taiwan. One document confirms that I-Soon sold data from NATO to the Chinese government, but did not provide exact details of the data or how it was obtained.
AFP, the BBC, the New York Times (NYT), the Washington Post, and other media organizations consulted with cybersecurity experts who said the material leaked to GitHub appeared to be genuine.
“We rarely get such unfettered access to the inner workings of any intelligence operation. We have every reason to believe this is the authentic data of a contractor supporting global and domestic cyberespionage operations out of China,” Mandiant Intelligence chief analyst John Hultquist told the Washington Post on Thursday.
Hultquist speculated the I-Soon documents might have been leaked by “a rival intelligence service, a dissatisfied insider, or even a rival contractor.”
Other analysts noted that heists like the stolen immigration data from India and road maps from Taiwan could be useful to the People’s Liberation Army of China (PLA) when it plans military operations against those countries. The Chinese Communist Party also has a penchant for hiring mercenary hackers to go after international think tanks and human rights organizations it dislikes, including Amnesty International, the International Institute for Strategic Studies, and Chatham House.
I-Soon, a company with about 25 listed employees based in Shanghai and known as “Anxun” in Mandarin Chinese, went dark after the story broke and took its website offline. The Chinese Foreign Ministry refused to comment on the story, and China’s British embassy told the BBC it was “unaware of the leak,” but Chinese police later said they would investigate the report.
Two anonymous company employees told the Associated Press (AP) that a strategy meeting was held on Wednesday, and staffers were told to “continue working as normal.”
The AP said that before I-Soon’s website disappeared, the company touted its sophisticated electronic “attack and defense” capabilities, and proudly described itself as an Advanced Persistent Threat (APT) – the term worldwide cybersecurity experts use for dangerous hacker groups.
Malware researcher Mathieu Tartare of cybersecurity firm ESET told the AP he believes I-Soon could be likened to “Fishmonger,” an APT that targeted Hong Kong student protesters in 2020 and later attacked governments and non-government organizations (NGOs) in Asia, Europe, Central America, and the United States.
I-Soon’s vanished website listed the Chinese Ministry of Public Security as a top client, followed by 11 provincial and about 40 municipal Chinese government security agencies. The leaked documents showed the company also worked for the PLA.
I-Soon has subsidiary companies in three other Chinese cities, and the one in Chengdu appeared to be open for business on Wednesday. The AP described the office as a five-story building festooned with red Lunar New Year lanterns, and even redder Communist Party hammer-and-sickle propaganda posters that declared “safeguarding the Party and the country’s secrets is every citizen’s required duty.”