Leaked files reveal the secret world of Chinese hackers

A cache of documents from a Chinese security firm working for Chinese government agencies revealed extensive attempts to hack many foreign governments and telecommunications companies, especially in Asia, as well as targets of the country's domestic surveillance apparatus.

The documents, posted on a public website last week, revealed an eight-year effort to target databases and tap communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia. The files also revealed a campaign to closely monitor the activities of ethnic minorities in China and online gambling companies.

The files contained records of apparent correspondence between employees, as well as lists of targets and materials showing cyber attack tools. The documents came from I-Soon, a Shanghai company with offices in Chengdu. Three cybersecurity experts interviewed by The Times said the documents appeared authentic.

All told, the leaked files offered a glimpse into the secretive world of Chinese state-backed hackers for hire. They underscored how Chinese law enforcement and its main spy agency, the Ministry of State Security, have reached beyond their own ranks to tap private sector talent in a global hacking campaign that U.S. officials say has targeted U.S. infrastructure and the government.

“We have every reason to believe this is the authentic data of a contractor supporting global and domestic cyber espionage operations from China,” said John Hultquist, principal analyst at Google's Mandiant Intelligence.

Mr Hultquist said the data showed I-Soon worked for a range of Chinese government agencies that sponsor hacking, including the Ministry of State Security, the People's Liberation Army and the Chinese National Police.

“They are part of an ecosystem of contractors linked to the Chinese patriotic hacking scene, which developed 20 years ago and has since become legitimate,” he added, referring to the rise of nationalist hackers who have become something of a cottage industry.

The files showed how I-Soon was able to draw on a grab bag of technologies to act as a hacking clearinghouse for branches of the Chinese government. At times, the company's employees focused on foreign targets, and in other cases, they helped China's feared Ministry of Public Security surveil Chinese citizens at home and abroad.

I-Soon did not immediately respond to emailed questions about the leak.

The material in the leak promoting I-Soon's hacking techniques described a technology built to break into Outlook email accounts and another that could control Windows computers while supposedly bypassing 95 percent of antivirus systems. I-Soon boasted about having access to data from a range of governments and companies in Asia, including Taiwan, India, Nepal, Vietnam and Myanmar. One list showed comprehensive flight data from a Vietnamese airline, including traveler identity numbers, occupations and destinations.

At the same time, I-Soon said it had developed technology that could meet the domestic demands of Chinese police, including software that could monitor public sentiment on social media in China. Another tool, built specifically to target accounts on X, could retrieve email addresses, phone numbers and other identifiable information related to user accounts.

In recent years, Chinese law enforcement officials have managed to identify activists and government critics who had posted on X using anonymous accounts from inside and outside China. They often then used threats to force X users to delete posts that authorities deemed overly critical or inappropriate.

China's Foreign Ministry had no immediate response to a request for comment. X did not respond to a request for comment. A spokesperson said the South Korean government would not comment.

“This represents the largest data breach associated with a company suspected of providing cyber espionage and targeted intrusion services to China's security services,” said Jonathan Condra, director of strategic and persistent threats at Recorded Future, a cybersecurity firm. Analysis of the breach would provide new insights into how contractors work with the Chinese government to conduct cyber espionage, he added.

The Chinese government's use of private contractors to hack on its behalf borrows from the tactics of Iran and Russia, which for years have turned to non-governmental entities to pursue commercial and official goals. While the loose approach to state spying may be more effective, it has also proven more difficult to control. Some Chinese contractors have used malware to earn ransoms from private companies even while working for China's spy agency.

Over the past year, U.S. government officials have repeatedly warned about Chinese hacking efforts. In late January, Christopher A. Wray, director of the Federal Bureau of Investigation, described an extensive campaign to attack U.S. infrastructure, including the power grid, oil pipelines, and water systems, in the event of a conflict with Taiwan. Last year it emerged that the email accounts of a number of U.S. officials, including Nicholas Burns, the U.S. ambassador to China, and Commerce Secretary Gina Raimondo, had been hacked.
