Chinese hacker documents provide insight into government surveillance

Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security company linked to the country's top police agency and other parts of the government – a trove that catalogs apparent hacking activity and tools used to spy on both Chinese citizens and foreigners.

The apparent targets of the tools offered by I-Soon, the company whose files were exposed, include ethnic groups and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim Xinjiang region in China's far west.

The posting of the documents late last week and the subsequent investigation were confirmed by two employees of I-Soon, known in Mandarin as Anxun, which has ties to the powerful Ministry of Public Security. The dump, which analysts consider extremely significant even if it does not reveal any particularly novel or effective tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and customer and employee lists.

They reveal in detail Chinese authorities' methods of monitoring dissidents abroad, hacking other nations and spreading pro-Beijing narratives on social media.

The documents show apparent I-Soon hacking attacks on networks across Central and Southeast Asia, as well as in Hong Kong and the self-ruled island of Taiwan, which Beijing claims as its territory.

The hacking tools are used by Chinese state agents to unmask users of social media platforms outside China such as X, formerly known as Twitter, break into email accounts and conceal the online activities of overseas agents. Devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks are also described.

I-Soon and Chinese police are investigating how the files were leaked, the two I-Soon employees told the AP. One of the employees said I-Soon held a meeting about the leak on Wednesday and was told it wouldn't affect business too much and to “continue operating as usual.” The AP is not naming the employees – who provided their last names in accordance with standard Chinese practice – out of concern about possible retaliation.

The source of the leak is unknown. China's Foreign Ministry did not immediately respond to a request for comment.

An extremely serious leak

Jon Condra, an analyst at Recorded Future, a cybersecurity firm, called it the most significant leak ever linked to a company “suspected of providing cyber espionage and targeted intrusion services to the Chinese security services.” He said that I-Soon's targets – according to the leaked material – included governments, telecommunications companies abroad and online gambling companies in China.

Until the 190-megabyte leak, I-Soon's website contained a page with a list of clients headed by the Ministry of Public Security, including 11 provincial-level security bureaus and about 40 municipal public security departments.

Another page, available until early Tuesday, promoted advanced “attack and defense capabilities” for persistent threats, using the acronym APT – one the cybersecurity industry uses to describe the world's most sophisticated hacking groups. Internal documents in the leak describe I-Soon databases containing hacked data collected from foreign networks around the world, promoted and sold to Chinese police.

The company's website was completely offline later Tuesday. A representative for I-Soon declined an interview request and said the company would issue an official statement at an unspecified future date.

I-Soon was founded in Shanghai in 2010, according to Chinese company documents, and has subsidiaries in three other cities, including one in the southwestern city of Chengdu, which is responsible for hacking, research and development, according to leaked internal slides.

The main entrance door to the I-Soon office, also called Anxun in Mandarin, is seen after office hours in Chengdu, southwest China's Sichuan province, on Tuesday, February 20, 2024.  (AP Photo/Dake Kang)

I-Soon's Chengdu branch was open as usual on Wednesday. Red New Year's lanterns swayed in the wind in a covered alley leading to the five-story building that housed I-Soon's offices in Chengdu. Employees streamed in and out, smoking cigarettes and drinking take-out coffee outside. Inside were posters with the Communist Party's hammer and sickle emblem, with slogans reading: “Protecting the Party and the country's secrets is the duty of every citizen.”

I-Soon's tools are apparently being used by Chinese police to curb dissent on social media abroad and flood it with pro-Beijing content. Authorities can directly monitor Chinese social media platforms and order them to remove anti-government posts. But they lack this ability on foreign websites like Facebook or X, where millions of Chinese users flock to escape government surveillance and censorship.

“There is a lot of interest from the Chinese government in monitoring and commenting on social media,” said Mareike Ohlberg, senior fellow in the German Marshall Fund's Asia program. She reviewed some of the documents.

In order to control public opinion and prevent anti-government sentiment, controlling critical posts domestically is crucial, said Ohlberg. “Chinese authorities,” she said, “have a keen interest in tracking down users who are based in China.”

The source of the leak could be “a rival intelligence agency, a dissatisfied insider or even a rival contractor,” said John Hultquist, chief threat analyst for Google's Mandiant cybersecurity division. The data suggests I-Soon's sponsors include the Ministry of State Security and China's military, the People's Liberation Army, Hultquist said.

MANY TARGETS, MANY COUNTRIES

A leaked draft contract shows that I-Soon marketed “anti-terrorism” technical support to Xinjiang police to track down the region's native Uyghurs in Central and Southeast Asia, claiming the company had access to hacked airline, mobile phone and government data from countries such as Mongolia, Malaysia, Afghanistan and Thailand. It is unclear whether the contract was signed.

“We see a lot of attacks on organizations linked to ethnic minorities – Tibetans, Uyghurs. Many of the attacks on foreign companies can be viewed in the context of the government's domestic security priorities,” said Dakota Cary, China analyst at cybersecurity firm SentinelOne.

He said the documents appeared legitimate because they were consistent with what one would expect from a contractor carrying out hacking attacks on domestic political priorities on behalf of China's security apparatus.

Cary found a spreadsheet listing data sets collected from victims and counted 14 governments as targets, including India, Indonesia and Nigeria. The documents show that I-Soon primarily supports the Ministry of Public Security, he said.

Cary was also struck by the targeting of Taiwan's Ministry of Health to determine its COVID-19 caseload in early 2021 – and by the low cost of some of the hacks. The documents show that I-Soon charged $55,000 to hack Vietnam's Ministry of Economy, he said.

Although some chat records reference NATO, there is no evidence of a successful hack of any NATO country, an initial review of the data by The Associated Press found. But that doesn't mean state-backed Chinese hackers aren't trying to hack the U.S. and its allies. If the leaker is in China, which is likely, Cary said that “sharing information about hacking attacks on NATO would be really, really inflammatory” – a risk that could make Chinese authorities even more determined to identify the leaker.

Mathieu Tartare, a malware researcher at cybersecurity firm ESET, says it has linked I-Soon to a Chinese state-run hacking group called Fishmonger, which it actively tracks and wrote about in January 2020 after the group hacked universities in Hong Kong during student protests. He said that since 2022, Fishmonger has targeted governments, NGOs and think tanks across Asia, Europe, Central America and the United States.

French cybersecurity researcher Baptiste Robert also combed through the documents and said I-Soon appeared to have found a way to break into accounts on X. He said U.S. cyber operators and their allies were among the potential suspects in the I-Soon leak because uncovering Chinese state hacking activity is in their interest.

A U.S. Cyber Command spokeswoman declined to comment on whether the National Security Agency or Cybercom were involved in the leak. An email to X's press office drew the automated reply: “Busy now, please check back later.”

Western governments, including the United States, have taken measures in recent years to counter the Chinese government's surveillance and harassment of its critics abroad. Laura Harth, campaign director at Safeguard Defenders, an advocacy group focused on human rights in China, said such tactics instill fear of the Chinese government among Chinese and foreign citizens abroad, suppress criticism and lead to self-censorship. “They are a looming threat that is just constantly there and very difficult to shake off.”

Last year, U.S. officials indicted 40 members of Chinese police units tasked with harassing family members of Chinese dissidents abroad and spreading pro-Beijing content online. The charges describe tactics similar to those described in the I-Soon documents, Harth said. Chinese officials have accused the United States of similar activities. U.S. officials, including FBI Director Chris Wray, have recently complained that Chinese state hackers are planting malware that could damage civilian infrastructure.

On Monday, Mao Ning, a Chinese Foreign Ministry spokeswoman, said the U.S. government has long been working to endanger China's critical infrastructure. She called on the US to “stop using cybersecurity issues to denigrate other countries.”

___

Kang reported from Chengdu, China. AP journalists Didi Tang in Washington, D.C. and Larry Fenn in New York contributed to this report.