State-sponsored Chinese hacker in front of laptop with digital Chinese flag background showing document leak

Document Leak Reveals Use of Private Firm by State-Sponsored Chinese Hackers for International Espionage

A mysterious cache of documents uploaded to GitHub last week implicates a private business in Shanghai in assisting state-sponsored Chinese hackers with foreign espionage. The document leak has been examined by Mandiant Intelligence and other cybersecurity firms and appears to be authentic, providing a rare look into the past decade of China’s use of private contractors to provide cover for overseas spy operations.

About 570 documents are included in the leak, dating back as far as 2012. It comes from a firm called “i-Soon” that fronts as an information security outfit. Chinese hackers working for the firm are believed to have successfully breached at least 80 targets during this time, and fielded operations in 20 foreign countries that targeted their governments.

Document leak reveals both foreign hacking and domestic surveillance

The document leak includes contracts that make clear the Chinese government employed i-Soon for the purposes of breaching foreign targets and spying, exfiltrating data of interest to it. At least one document indicates the company may have also run some side business in selling off some of this stolen data, with references to material taken from NATO in 2022 being up for offer.

The Chinese hackers were employed not just for foreign hacking, but also as a part of the government’s domestic surveillance program. The document leak indicates that i-Soon may have also hacked domestic targets for the purpose of intelligence-gathering on potential dissent. It signed numerous contacts with assorted Chinese city police departments ranging from as little as the equivalent of $1,400 USD to as much as $800,000 USD.

Though the United States is not named as one of the 20 nations the Chinese hackers ran operations in, other pieces of the document leak boast of the company’s ability to access individual accounts of users of Google, Apple and Microsoft’s services. The document cache does not contain hacked materials, but does contain some spreadsheets that outline what was taken from specific targets. The Chinese hackers appear to have had a heavy focus on attacking telecommunications firms in Eastern Europe and Asia, and lists three terabytes of call logs stolen from South Korea’s LG U Plus.

The Chinese hackers were also employed to attack rival nations for intelligence materials, stealing 95.2 gigabytes of immigration data from India, an undisclosed amount of data from Thailand’s foreign ministry, and 459 gigabytes of road-mapping data from Taiwan among its other prizes. The information stolen from Taiwan may be part of the country’s explorations of military action against the island, potentially put to use if armed forces were to land on its shores.

i-Soon also targeted government agencies in the United Kingdom, though it is unclear if breaches actually took place. The document leak mentions the UK Treasury and Home and Foreign offices as targets. It also lists the Chatham House and the International Institute for Strategic Studies, two prominent “think tanks” in the country.

Chinese hackers may have been exposed by disgruntled former employee

The source of the document leak did not identify themselves, but claimed that they were a whistleblower acting more in the interest of the government than the victims of the Chinese hackers. They claim that i-Soon is “duping” the government into purchasing low-quality services and intelligence, and that the company overstates its ability to break into targets. All of that paired with the inclusion of internal i-Soon chats in which employees complain about work conditions point to a disgruntled former employee.

The employee chats do appear to back up many of these assertions, painting a picture of low workplace morale and clients that regularly complain about not getting what they paid for. Many of its hackers also appear to be working for the equivalent of $1,000 USD per month, far below estimates that put the national median at about $3,000 to $4,000 USD. Minimum wage varies by province in China but is generally somewhere between $300 to $400 USD per month, meaning the Chinese hackers are making just a little over double that; the pay is comparable to what many relatively low-skill jobs offer, but the hackers are handling state secrets and engaging in foreign espionage.

The Chinese government reportedly contracts with many such companies that do this sort of work, and they compete amongst themselves for contracts, driving pay and working conditions down. Despite this, Chinese hackers at these firms sometimes work directly with their state-sponsored counterparts from some of the world’s biggest advanced persistent threat (APT) groups. The document leaks reveal that i-Soon directly worked with members of APT41, with the company CEO joking that this now meant the company would be recognized by the FBI.

The document leaks also contained advertising materials for some of the services offered by the Chinese hackers. One of its priciest offerings is a $25,000 iOS hacking service that claims to allow remote access control of target devices. It is not clear if this is something related to the Pegasus spyware offered by an Israeli security outfit, or the zero-day exploits it has been documented taking advantage of.

John Gallagher, Vice President of Viakoo Labs at Viakoo, expects to see adversary nations engaging in more “public-private partnerships” of this sort going forward: “Large hacker organizations are corporations. Over the last decade, threat actors broadly have taken on the trappings of normal corporations; board of directors, quarterly financial statements, and competitive threat analysis.  That’s why on the dark web you have price lists for DDoS attacks and public actions like exploits performed in order to advertise services.  That this exists in China is no surprise; what is surprising is that the depth and breadth of these organizations in China has not been have revealed earlier. Of concern to organizations is that APTs are not for governments only. The Chinese APT “apparatus” being a network of private organizations means that the tools of government conflict can be had by non-governmental organizations. Throughout history, the military objectives of countries have driven the development of science and technology.  U.S. government taking an aggressive role in cyber defense is needed, and perhaps will accelerate as the threats do.  The challenge is for private industry will be to put efforts and resources into cyber defense when it does not tie to their profit or competitive goals.  Will there be a “wartime” coalition between the U.S. government and private industry?  As cyber conflict increases between the U.S. and China that becomes more likely.”

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, notes that these groups should also be expected to be involved in critical infrastructure attacks going forward: “The leaked documents from I-SOON reveal detailed operations of China’s cyber espionage, including the targeting of foreign governments, pro-democracy groups in Hong Kong, universities, and NATO. The capabilities highlighted involve sophisticated hacking techniques and the exploitation of various vulnerabilities, likely including those found in critical infrastructure systems. Relating to the U.S., vulnerabilities in systems such as water utilities, as mentioned in the recent government warning, and maritime industry cybersecurity, addressed by the Biden Executive Order, could be of interest. The specifics of the leaked capabilities that directly relate to these or other U.S. vulnerable systems were not detailed, but the broad scope of I-SOON’s operations suggests a potential overlap with sectors identified as critical by the U.S. government. The leak from I-SOON and the increasing visibility of cyber threats necessitate a comprehensive and dynamic approach to cybersecurity, involving not just technological solutions but also diplomatic, legal, and strategic measures to effectively counter these threats and safeguard national security.”