Leak exposes how China spies on own citizens and foreigners
I-Soon, the firm whose documents have been dumped, is linked to the top policing agency of China and to other parts of the Chinese government.
By Siam Sarower Jamil
The online dumping of some documents of a private security contractor has taken the lid off how official agencies in China hack activities and tools to spy on both Chinese people and foreigners.
“China has increasingly turned to private companies to hack foreign governments and control its domestic population,” the New York Times reported on February 22, 2024. “The files offer a rare look inside the secretive world of state-backed hackers available in China for hire. They illustrate how Chinese law enforcement and its premier spy agency, the Ministry of State Security, have reached beyond their own ranks to tap private-sector talent in a hacking campaign.”
I-Soon, the firm whose documents have been dumped, is linked to the top policing agency of China and to other parts of the Chinese government.
The documents dumped indicate that the apparent targets of the tools to spy on are people of ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the Xinjiang region in China’s far west, inhabited by Uighur Muslims.
An AP report from Beijing on February 21, 2024, said two employees of I-Soon had confirmed the dumping of scores of documents in the period between February 15 and 18 and the subsequent investigations by official Chinese agencies. Known as Anxun in Mandarin, the firm has ties with the powerful Ministry of Public Security of China.
Analysts consider the online dump highly significant. It does not reveal any especially novel or potent tools for hacking and includes hundreds of pages of contracts, marketing presentations, product manuals, and client and employee lists. But they reveal in detail, methods used by Chinese authorities to keep surveillance on dissident Chinese citizens overseas, hack plans and activities of other nations and promote pro-Beijing narratives on social media.The documents show apparent I-Soon hacking of networks across Central and Southeast Asia, as well as Hong Kong and the self-ruled island of Taiwan, which Beijing claims as its territory.
The tools of hacking are used by Chinese state agents to keep surveillance on users of social media platforms outside China such as X, formerly known as Twitter, break into email accounts and hide the online activities of overseas agents. The dumped documents also give a description of devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks. The source of the leak is not yet known.
AnalystJon Condra with Recorded Future, a cyber-security company, has been quoted in the AP report as saying it is the most significant leak ever linked to a companysuspected of providing cyber espionage and targeted intrusion services for the Chinese security services. Organizations targeted by I-Soon — according to the leaked material — include governments, telecommunications firms abroad and online gambling companies within China.
Until the 190-megabyte leak, the website of I-Soon included a page listing clients; topped by the Ministry of Public Security and including 11 provincial-level security bureaus and some 40 municipal public security departments.
Internal documents in the leak describe I-Soon databases of hacked data collected from foreign networks around the world that are advertised and sold to the Chinese police. Chief threat analyst of the Mandiant cyber-security division of Google’s John Hultquist has said that the sponsors of I-Soon also include the Ministry of State Security and the People’s Liberation Army.
One leaked draft contract shows I-Soon was marketing “anti-terror” technical support to the Xinjiang police to track the native Uighur of Xinjiang in Central and Southeast Asia, claiming it had access to hacked airline, cellular and government data from countries like Mongolia, Malaysia, Afghanistan and Thailand. It was unclear whether the contract was signed.
China analyst with the cyber-security firm SentinelOneDakota Cary has been quoted as saying:“We see a lot of targeting of organizations that are related to ethnic minorities — Tibetans, Uighur. A lot of the targeting of foreign entities can be seen through the lens of domestic security priorities for the government.” He said the documents appeared legitimate because they aligned with what would be expected from a contractor hacking on behalf of China’s security apparatus with domestic political priorities.
The tools of I-Soonappear to have been used by the Chinese police to curb dissent on overseas social media and flood them with pro-Beijing content. Authorities can carry out surveillance on Chinese social media platforms directly and order them to take down anti-government posts. But they lack the same authority on overseas sites like Facebook or X, where millions of Chinese users flock to in order to evade state surveillance and censorship. French cyber-security researcher Baptiste Robert who has analysed the dumped I-Soon documents has said I-Soon could have found a way to hack accounts on X.
Cary has found a spreadsheet with a list of data repositories collected from victims and counted 14 governments as targets, including India, Indonesia and Nigeria. The documents indicate that I-Soon mostly supports the Ministry of Public Security, Cary says.The documents have shown that I-Soon had charged $55,000 to hack the Economy Ministry of Vietnam.
Some of the chat records in the dumped I-Soon documents refer to NATO. State-backed Chinese hackers are trying to hack the U.S. and its allies, but an initialreview of the leaked documents do not reveal a a successful hack of any NATO country.
“There’s a huge interest in social media monitoring and commenting on the part of the Chinese government,” Senior Fellow in the Asia Program of the German Marshall Fund Mareike Ohlberg has been quoted as saying. “To control public opinion and forestall anti-government sentiment, control of critical posts domestically is pivotal. Chinese authoritieshave a big interest in tracking down users who are based in China.”
I-Soon was founded in Shanghai in 2010, according to Chinese corporate records. The company has subsidiaries in three other cities, including one in the south-western city of Chengdu that is responsible for hacking, research and development, according to leaked internal slides.
Malware researcher at the cyber-security firm ESET Mathieu Tartare says I-Soon has been found to have links with Chinese state hacking group Fishmonger that during the student protest in 2019-20 hacked Hong Kong universities. Since 2022, Fishmonger has been targetinggovernments, NGOs and think tanks across Asia, Europe, Central America and the United States.
Campaign Director at Safeguard DefendersLaura Harth, an advocacy group that keeps track of the human rights situation in China, says the knowledge that Chinese security agencies hack the accounts of dissidents instils fear of the Chinese government in Chinese and foreign citizens living abroad, stifling criticism and leading to self-censorship. “They are a looming threat (that one is watched) that is just constantly there and very hard to shake off.”
In 2023, US officials charged 40 members of Chinese police units assigned to harass the family members of Chinese dissidents overseas, as well as to spread pro-Beijing content online. The charges against them described tactics similar to those detailed in the I-Soon documents, Harth has said. US officials including FBI Director Chris Wary have recently complained about Chinese state hackers planting malware that could be used to damage civilian infrastructure.
The U.S. is trying to curb the activities of Chinese hackers, using superior technology and through legal means. The US Department of Justice said in a Press release on January 31, 2024: “A December 2023 court-authorized operation has disrupted a botnet of hundreds of U.S.-based small office and home office routers hijacked by People’s Republic of China state-sponsored hackers.”A botnet (short for robot network) is, incidentally, a network of computers infected by malware that are under the control of a single attacking party.
The hackers, “known to the private sector as ‘Volt Typhoon,’ used privately-used small office and home office routers infected with the ‘KV Botnet’ malware to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims. These further hacking activities included a campaign targeting critical infrastructure organizations in the United States and elsewhere.”
The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet such as blocking communications with other devices used to control the botnet.
I-Soon documents, posted to a public website, have revealed an effort continuing for eight years to target databases and tap communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia. The files have also revealed a campaign closely to monitor the activities of ethnic minorities in China.
I-Soon is, in fact, one of hundreds of enterprising companies that support the aggressive state-sponsored hacking efforts of China. Local governments in south west China have not paid more than $15,000 for accessing the private website of the traffic police of Vietnam. Software that helps in disinformation campaigns and hacks accounts on X costs $100,000. For $278,000 Chinese customers can get a host of personal information behind social media accounts on platforms like Facebook. I-Soon hackers are said to have breached over 95 gigabytes of immigration data from India.
