The Chinese hacking company’s CEO believed that the large, luxurious hotel with a karaoke bar was the ideal location to host a Lunar New Year banquet and gain favor with government officials. However, their top deputy pointed out one issue.

The deputy wrote, “Who is there? The girls are extremely unattractive.”

The recent leak of internal documents from a private contractor connected to China’s government and police has shed light on the corrupt wheeling and dealing that occurs within the country’s hacking industry. The documents expose questionable business tactics, dissatisfaction with pay and work standards, and inadequate security measures.

Private hacking contractors are companies that steal data from other countries to sell to the Chinese authorities. Over the past two decades, Chinese state security’s demand for overseas intelligence has soared, giving rise to a vast network of these private hackers-for-hire companies that have infiltrated hundreds of systems outside China.

Although the presence of these hackers-for-hire is widely known in China, not much was understood about their methods. However, leaked information from a company called I-Soon has divulged the inner workings of this shady and widespread industry, where corners are often cut and rules are unclear and not strictly followed in pursuit of profit.

Recently leaked chat transcripts reveal that executives at company I-Soon have been attempting to sweet-talk government officials through opulent dinners and excessive drinking late into the night. These same executives have been caught colluding with rival companies in order to manipulate the competitive bidding process for lucrative government contracts. In addition, they have been known to pay substantial sums of money as “introduction fees” to individuals who connect them with profitable projects. The company I-Soon has yet to address these allegations in regards to the leaked records.

According to Mei Danowski, a cybersecurity expert and author of the blog Natto Thoughts, the recently released documents reveal that China’s hackers operate similarly to other industries within the country.

Danowski stated that the focus is on making a profit and that the business is influenced by the culture of China. This includes factors such as personal connections, relationships built over meals, and friendships.

The growth of China’s hacking industry can be traced back to the early development of hacker culture in the country, which emerged in the 1990s as more people began purchasing computers and accessing the internet.

Wu Haibo, the founder and CEO of I-Soon, was part of this group. He was also a member of the Green Army, the first hacktivist organization in China, which was informally known as the “Whampoa Academy” after a renowned Chinese military academy.

Wu and a group of hackers stood out by identifying as “red hackers” – loyalists who provided their skills to the Chinese Communist Party, in contrast to the rebellious and anti-establishment ideals embraced by many coders.

In 2010, Wu established I-Soon in Shanghai. According to interviews with Chinese media, he was determined to strengthen China’s hacking capabilities and catch up with competitors. In a 2011 interview, Wu expressed disappointment that China was still significantly behind the United States in this area, stating, “While there are many technology enthusiasts in China, there is a lack of enlightened individuals.”

As the internet became more widespread, China’s hacking industry experienced a rapid growth, focusing on espionage and stealing intellectual property.

China’s government carried out significant cyber attacks, such as the breach at the U.S. Office of Personnel Management where personal information of 22 million federal employees was taken. This issue was so severe that former President Barack Obama addressed it with Chinese leader Xi Jinping, and they reached a resolution in 2015 to decrease espionage activities.

After a period of time, the disturbances lessened. However, I-Soon and other non-government hacking groups became increasingly active, aiding Chinese national security forces and allowing them to deny responsibility. According to John Hultquist, the chief analyst of Google’s Mandiant cybersecurity unit, I-Soon is connected to the Chinese patriotic hacking community as part of a network of contractors.

Presently, Chinese cyber attackers possess great power.

In May of 2023, Microsoft revealed that “Volt Typhoon,” a Chinese hacking group supported by the People’s Liberation Army, was conducting cyber attacks on essential infrastructure in areas like Guam, Hawaii, and other locations. This could potentially lead to disruption in the event of a conflict.

At a conference in Munich, FBI director Christopher Wray stated that hackers, specifically those at I-Soon, surpass the number of FBI cybersecurity staff by at least 50 to one.

According to leaked records, while I-Soon may have promoted its impressive hacking skills through polished PowerPoint presentations, its actual operations were centered around hotpot gatherings, late night drinking, and aggressive competition with other companies. This paints a picture of a business deeply embedded in a shady, extensive industry that heavily depends on personal connections to accomplish tasks.

The I-Soon leadership had a conversation about purchasing gifts and which members preferred red wine. They exchanged advice on who had a low tolerance for alcohol, and who could hold their alcohol well.

According to chat records, executives at I-Soon paid “introductory fees” in order to secure profitable projects. This includes a payment of tens of thousands of RMB (equivalent to thousands of dollars) to an individual who helped land a contract worth 285,000 RMB ($40,000) with police in the province of Hebei. The company’s chief operating officer, Chen Cheng, even proposed arranging for this individual to have a night of drinking and karaoke with women as an additional incentive.

According to Chen, he enjoys making physical contact with females.

They did not only pursue officials. They also tried to persuade competitors during late night drinking gatherings. Some of these competitors were working together with them on government projects, while others were fierce rivals who frequently stole their employees. Many times, they fell into both categories.

Qi Anxin, a major player in the Chinese cybersecurity industry, was widely disliked, despite being a significant investor and business ally of I-Soon.

COO Chen used a derogatory term commonly used on Chinese internet to refer to ambitious young women with an innocent appearance, when she wrote to CEO Wu about Qi Anxin’s HR being unethical and seductive towards our male employees.

I-Soon and Chengdu 404 have a complex connection, as the latter faces charges from the U.S. Department of Justice for hacking over 100 targets globally. While I-Soon collaborated with 404 and socialized with their executives, they fell behind on payments to the company. Eventually, they were sued over a software development agreement, according to records from Chinese courts.

The origins of the I-Soon documents are uncertain, prompting both executives and Chinese law enforcement to initiate an investigation. Despite Beijing’s consistent denial of any involvement in harmful hacking activities, the disclosure reveals the strong connections between I-Soon and other hacking enterprises and the Chinese government.

For instance, communication logs reveal that the Chinese Ministry of Public Security granted businesses access to prototypes of what are known as “zero days”, a technical phrase for a security flaw in software that was previously unidentified. These zero days are highly valued because they can be taken advantage of until they are discovered. Executives at I-Soon company discussed ways to acquire them, which are generally discovered at a Chinese government-sponsored hacking event held every year.

In alternate reports, leaders explored the idea of funding hacking contests at universities in China as a means of discovering potential new skilled individuals.

According to a leaked contract list, I-Soon’s customer base included law enforcement officials in various Chinese cities. I-Soon focused on finding valuable databases to sell to these individuals, such as Vietnamese traffic information for Yunnan province or data on Tibetans who have been exiled to the Tibetan regional government.

I-Soon occasionally engaged in hacking upon request. One conversation reveals two individuals discussing a possible long-term client who is interested in obtaining data from multiple government organizations linked to an unidentified prime minister.

The Chinese Academy of Sciences, a government organization in China, has a small ownership in I-Soon through a Tibetan investment fund, according to corporate records from China.

I-Soon declared their loyalty in order to attract new customers. Senior managers deliberated on taking part in China’s efforts to reduce poverty, a signature project of Chinese President Xi Jinping, in order to build relationships. I-Soon’s CEO Wu proposed that their COO become a member of the People’s Political Consultative Conference in Chengdu, a government advisory group made up of scientists, entrepreneurs, and other influential members of society. In interviews with state-run media, Wu referenced Mencius, a philosopher from China, portraying himself as an intellectual who is committed to China’s national well-being.

Although Wu claims to be patriotic, leaked chat logs reveal a more intricate narrative. They portray a driven individual with a desire for financial success.

Wu wrote to Lei Feng in a private conversation that it is impossible for you to live up to the expectations of being a long-dead Communist worker who has been used as propaganda for many years as a symbol of selflessness. According to Wu, fame is insignificant if it does not bring you wealth.

The leaked documents reveal that China’s flourishing industry of hired hackers has suffered as a result of the country’s economic decline, resulting in minimal profits, inadequate salaries, and a mass departure of skilled individuals.

I-Soon experienced financial losses and faced challenges with managing their cash flow, resulting in delayed payments to subcontractors. In recent years, the outbreak of the pandemic in China had a negative impact on the country’s economy, leading to reduced government spending which had a detrimental effect on I-Soon’s profits. In 2020, the COO of I-Soon stated, “The government is facing financial constraints.”

The staff at I-Soon receive low salaries. According to a salary record from 2022, the majority of employees on the safety evaluation and software development teams make only 5,600 yuan to 9,000 yuan per month, with a few receiving higher compensation. In the documentation, I-Soon’s officials expressed concern about the low pay and its potential impact on the company’s image.

According to chat records, low wages and unequal pay led to employee grievances. Internal documents revealed that the majority of I-Soon employees had received vocational training instead of a college degree, indicating lower levels of education and skill. Sales representatives reported customer dissatisfaction with the accuracy of I-Soon’s data, resulting in challenges with receiving payments.

I-Soon represents a portion of China’s hacking community. The nation is known for its highly skilled hackers, with many employed by the military and other government agencies. However, the struggles faced by the company highlight larger problems within China’s private hacking sector. According to four cybersecurity experts and insiders in the Chinese industry, the country’s declining economy, stricter government regulations, and increased involvement of the state have resulted in a departure of top hacking talent.

An anonymous industry expert expressed that China has changed significantly and many talented individuals have departed from the country. The source claimed that under Xi’s leadership, the state’s increased involvement in the technology sector has prioritized political beliefs over skills, hindered fair compensation, and made connections to government officials crucial.

According to some, a significant problem is the lack of technical proficiency among Chinese officials to confirm the claims made by contractors. This leads hacking companies to prioritize pleasing those in power rather than providing high-quality services.

Recently, Beijing has actively encouraged the growth of China’s technology sector and the integration of technology in governmental operations as part of a larger plan to enhance the country’s global status. However, a significant portion of China’s data and cybersecurity operations have been outsourced to smaller third-party contractors staffed by inexperienced programmers, resulting in subpar digital practices and significant data breaches.

I-Soon’s operations are done in secrecy, but the company has surprisingly relaxed security measures. This is evident in their office in Chengdu, where minimal security is in place and the public is allowed to enter. However, there are posters in the office reminding employees of their duty to maintain the confidentiality of the country and the party. The leaked documents reveal that top executives of I-Soon regularly communicated on WeChat, which does not have end-to-end encryption.

The documents do show that staff are screened for political reliability. One metric, for example, shows that I-Soon checks whether staff have any relatives overseas, while another shows that employees are classified according to whether they are members of China’s ruling Communist Party.

However, according to cybersecurity expert Danowski, many regulations in China are merely superficial. Ultimately, she believes that this may not have much impact.

“She commented on I-Soon, saying that it was somewhat untidy and the tools were not particularly impressive. However, the Ministry of Public Security values the ability to successfully complete tasks and will hire those who possess it.”

___

Hong Kong was Soo’s source for this report, with contributions from Frank Bajak in Boston, who is an AP Technology Writer.

Source: wral.com