Leaked files show the secret world of China’s hackers for hire

Materials posted to a public website last week revealed an eight-year effort to target databases and tap communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia.

By Paul Mozur, Keith Bradsher, John Liu and Aaron Krolik

The Minnesota Star Tribune
February 23, 2024 at 2:23AM

The interior of the I-Soon office, also known as Anxun in Mandarin, is seen after office hours in Chengdu in southwestern China's Sichuan Province on Tuesday, Feb. 20, 2024. Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to China’s top policing agency and other parts of its government. (Dake Kang)

The hackers offered a menu of services, at a variety of prices.

A local government in southwest China paid less than $15,000 for access to the private website of traffic police in Vietnam. Software that helped run disinformation campaigns and hack accounts on X, formerly known as Twitter, cost $100,000. For $278,000 Chinese customers could get a trove of personal information behind social media accounts on platforms such as Telegram and Facebook.

The offerings, detailed in leaked documents, were a portion of the hacking tools and data caches sold by a Chinese security firm called I-Soon, one of the hundreds of enterprising companies that support China’s aggressive state-sponsored hacking efforts. The work is part of a campaign to break into the websites of foreign governments and telecommunications firms.

The materials, which were posted to a public website last week, revealed an eight-year effort to target databases and tap communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia. The files also showed a campaign to closely monitor the activities of ethnic minorities in China and online gambling companies.

The data included records of apparent correspondence between employees, lists of targets, and material showing off cyberattack tools. Three cybersecurity experts interviewed by The New York Times said the documents appeared to be authentic.

Taken together, the files offered a rare look inside the secretive world of China’s state-backed hackers for hire. They illustrated how Chinese law enforcement and its premier spy agency, the Ministry of State Security, have reached beyond their own ranks to tap private-sector talent in a hacking campaign that United States officials say has targeted American companies and government agencies.

“We have every reason to believe this is the authentic data of a contractor supporting global and domestic cyberespionage operations out of China,” said John Hultquist, the chief analyst at Google’s Mandiant Intelligence. Hultquist said the leak revealed that I-Soon was working for a range of Chinese government entities that sponsor hacking, including the Ministry of State Security, the People’s Liberation Army and China’s national police.

At times the firm’s employees focused on overseas targets. In other cases they helped China’s feared Ministry of Public Security surveil Chinese citizens domestically and overseas.

“They are part of an ecosystem of contractors that has links to the Chinese patriotic hacking scene, which developed two decades ago and has since gone legit,” he added, referring to the emergence of nationalist hackers who have become a kind of cottage industry.

I-Soon did not respond to emailed questions about the leak.

The revelations underscore the degree to which China has ignored, or evaded, American and other efforts for more than a decade to limit its extensive hacking operations. And it comes as American officials are warning that the country has not only doubled down, but also has moved from mere espionage to the implantation of malicious code in American critical infrastructure — perhaps to prepare for a day when conflict erupts over Taiwan.

The Chinese government’s use of private contractors to hack on its behalf borrows from the tactics of Iran and Russia, which for years have turned to nongovernmental entities to go after commercial and official targets. Although the scattershot approach to state espionage can be more effective, it has also proved harder to control. Some Chinese contractors have used malware to extort ransoms from private companies, even while working for China’s spy agency.

In part, the change is rooted in a decision by China’s top leader, Xi Jinping, to elevate the role of the Ministry of State Security to engage in more hacking activities, which had previously fallen primarily under the purview of the People’s Liberation Army. While the Security Ministry emphasizes absolute loyalty to Xi and Communist Party rule, its hacking and espionage operations are often initiated and controlled by provincial-level state security offices.

Those offices sometimes, in turn, farm out hacking operations to commercially driven groups — a recipe for occasionally cavalier and even sloppy espionage activities that fail to heed to Beijing’s diplomatic priorities and may upset foreign governments with their tactics.

Parts of China’s government still engage in sophisticated top-down hacks, like endeavoring to place code inside U.S. core infrastructure. But the overall number of hacks originating in China has surged and targets have ranged more broadly — including information about Ebola vaccines and driverless car technology.

That has fueled a new industry of contractors such as I-Soon. Although a part of the cloak-and-dagger world of Chinese cyberespionage, the Shanghai company, which also has offices in Chengdu, epitomized the amateurishness that many of China’s relatively new contractors bring to hacking. The documents showed that at times the company was not sure if services and data it was selling were still available. For instance, it noted internally that the software to spread disinformation on X was “under maintenance” — despite its $100,000 price tag.

The leak also outlined the workaday hustle, and struggle, of China’s entrepreneurial hacking contractors. Like many of its rivals, I-Soon organized cybersecurity competitions to recruit new hires. In place of selling to a centralized government agency, one spreadsheet showed, I-Soon had to court China’s police and other agencies city by city. That meant advertising and marketing its wares. In one letter to local officials in western China, the company boasted that it could help with anti-terrorism enforcement because it had broken into Pakistan’s counterterrorism unit.

Materials included in the leak that promoted I-Soon’s hacking techniques described technologies built to break into Outlook email accounts and procure information like contact lists and location data from Apple’s iPhones. One document appeared to contain extensive flight records from a Vietnamese airline, including travelers’ identity numbers, occupations and destinations.

Vietnam’s Foreign Ministry did not immediately respond to an emailed request for comment.

At the same time, I-Soon said it had built technology that could meet the domestic demands of China’s police, including software that could monitor public sentiment on social media inside China. Another tool, made to target accounts on X, could pull email addresses, phone numbers and other identifiable information related to user accounts, and in some cases, help hack those accounts.

In recent years, Chinese law enforcement officials have managed to identify activists and government critics who had posted on X using anonymous accounts from inside and outside China. Often they then used threats to force X users to take down posts that authorities deemed overly critical or inappropriate.

Mao Ning, a spokesperson for the Chinese Ministry of Foreign Affairs, said at a news briefing Thursday that she was not aware of a data leak from I-Soon. “As a matter of principle, China firmly opposes and cracks down on all forms of cyberattacks in accordance with the law,” Mao said.

X did not respond to a request seeking comment. A spokesperson said the South Korean government would have no comment.

Even though the leak involved only one of China’s many hacking contractors, experts said the huge amount of data could help agencies and companies working to defend against Chinese attacks.

“This represents the most significant leak of data linked to a company suspected of providing cyberespionage and targeted intrusion services for the Chinese security services,” said Jonathan Condra, the director of strategic and persistent threats at Recorded Future, a cybersecurity firm.

Among the information hacked was a large database of the road network in Taiwan, an island democracy that China has long claimed and threatened with invasion. The 459 gigabytes of maps came from 2021, and showed how firms like I-Soon collect information that can be militarily useful, experts said.

China’s government itself has long deemed Chinese driving navigation data as sensitive and set strict limits on who can collect it.

“Figuring out the road terrain is crucial for planning armored and infantry movements around the island on the way to occupy population centers and military bases,” said Dmitri Alperovitch, a cybersecurity expert.

Other information included internal email services or intranet access for multiple Southeast Asian government ministries, including Malaysia’s Foreign and Defense ministries and Thailand’s National Intelligence Agency. Immigration data from India that covered national and foreign passengers’ flight and visa details was also up for grabs, according to the files.

In other cases I-Soon claimed to have access to data from private companies such as telecom firms in Kazakhstan, Mongolia, Myanmar, Vietnam and Hong Kong.

The revelations gained about Chinese attacks are likely to confirm the fears of policymakers in Washington, where officials have issued repeated, dire warnings about such hacks. Last weekend in Munich, FBI Director Christopher Wray said that hacking operations from China were now directed against the United States at “a scale greater than we’d seen before,” and ranked it among America’s chief national security threats.

He became one of the first senior officials to talk openly about Volt Typhoon, the name of a Chinese network of hackers that has placed code in critical infrastructure, resulting in alarms across the government.

Intelligence officials believe the code was intended to send a message: that at any point China could disrupt electrical supplies, water supplies or communications. Some of the code has been found near U.S. military bases that rely on civilian infrastructure to keep running — especially bases that would be involved in any rapid response to an attack on Taiwan.

“It’s the tip of the iceberg,” Wray concluded.

David E. Sanger and Chris Buckley contributed.
