A digital repository of Chinese cyber intrusion records provides a unique glimpse into the widespread monitoring conducted by the government.

Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation’s top policing agency and other parts of its government — a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners.

The tools offered by I-Soon appear to be aimed at specific groups, including ethnic minorities and political dissidents in areas of China where there have been notable protests against the government. These areas include Hong Kong and Xinjiang, a predominantly Muslim region in the far west of China.

Two employees from I-Soon, also known as Anxun, which has connections to the Ministry of Public Security, have confirmed the release of scores of documents last week and the subsequent investigation. These documents, which are considered important by analysts despite not containing any groundbreaking or powerful tools, consist of contracts, marketing presentations, product manuals, and lists of clients and employees.

They disclose the specific techniques employed by the Chinese government to monitor opponents abroad, breach the security of other countries, and advance pro-Beijing messages on social media.

The records demonstrate suspected instances of I-Soon infiltrating networks in Central and Southeast Asia, as well as Hong Kong and Taiwan, which China considers its territory.

Chinese government agents utilize hacking tools to reveal the identities of individuals on social media platforms outside of China, including X (previously known as Twitter). They also employ these tools to gain access to email accounts and conceal the online actions of foreign agents. In addition, there are devices designed to look like power strips and batteries that can be utilized to infiltrate Wi-Fi networks.

The AP has been informed by two I-Soon employees that I-Soon and Chinese authorities are conducting an investigation into the source of the leaked files. One of the employees stated that a meeting was held on Wednesday to address the leak, at which staff were assured that it would not significantly impact business and were advised to continue with their normal work routine. The identities of the employees, who gave their last names in keeping with common Chinese practice, are being withheld by the AP due to potential retaliation concerns.

The origin of the leak is currently unknown. The Chinese Foreign Ministry has not yet responded to a comment request.

According to Recorded Future analyst Jon Condra, the recent leak is the most notable one associated with a company believed to be providing cyber espionage and targeted intrusion services for the Chinese security forces. The leaked information reveals that I-Soon has targeted governments, overseas telecommunications companies, and domestic online gambling firms in China.

Prior to the 190-megabyte data breach, I-Soon’s website featured a section that listed their clients, with the Ministry of Public Security ranked at the top. This list also included 11 security bureaus at the provincial level and approximately 40 public security departments at the municipal level.

A different webpage, accessible until Tuesday, promoted advanced “attack and defense” skills against APT threats, using the abbreviation that the cybersecurity field applies to the most sophisticated hacking groups. Documents within the leak describe databases that I-Soon said contained compromised information obtained from overseas networks, which the company marketed and sold to Chinese law enforcement agencies.

The website of the company was completely down on Tuesday. A representative from I-Soon declined an interview and stated that the company will release an official statement at a later, unspecified time.

According to leaked internal slides, I-Soon was established in Shanghai in 2010 and has branches in three other cities. One of these branches, located in Chengdu in the southwest, is in charge of hacking and research and development, as mentioned in Chinese corporate records.

I-Soon’s branch in Chengdu operated normally on Wednesday. Red lanterns for the Lunar New Year were hanging in a covered alleyway that led to the five-story building where I-Soon’s offices are located. Workers were seen coming and going, taking smoke breaks and enjoying takeout coffee outside. Inside, posters bearing the Communist Party’s hammer and sickle emblem carried slogans declaring that protecting the Party and the country’s secrets is every citizen’s responsibility.

I-Soon’s tools are allegedly utilized by Chinese law enforcement to suppress criticism on international social media platforms and inundate them with pro-Beijing material. While authorities have the power to monitor and remove anti-government content on Chinese social media, they do not have the same capabilities on foreign sites such as Facebook or X, which attract millions of Chinese users seeking to avoid government surveillance and censorship.

Mareike Ohlberg, a senior fellow in the Asia Program of the German Marshall Fund, stated that the Chinese government has a significant interest in monitoring and commenting on social media. She examined certain documents related to this topic.

According to Ohlberg, the control of crucial positions within the country is essential in order to manipulate public opinion and prevent any negative views towards the government. She also stated that the Chinese government has a strong desire to locate and monitor users who are located within China.

John Hultquist, the chief threat analyst at Google’s Mandiant cybersecurity division, stated that the origin of the leak could potentially be attributed to various sources such as a competing intelligence agency, a disgruntled employee, or a rival contractor. According to Hultquist, the information suggests that I-Soon’s backers may also involve the Ministry of State Security and the People’s Liberation Army of China.

A leaked preliminary agreement reveals that I-Soon was promoting “anti-terror” technical assistance to Xinjiang authorities in order to monitor Uyghur individuals in Central and Southeast Asia. The company claimed to have obtained hacked information from airlines, cell phone companies, and government databases in countries such as Mongolia, Malaysia, Afghanistan, and Thailand. It is uncertain if the contract was ultimately executed.

According to Dakota Cary, a China expert from SentinelOne, there is a significant amount of focus on targeting ethnic minority groups, such as Tibetans and Uyghurs, by various organizations. This targeting is often linked to the government’s priorities for domestic security.

He stated that the documents seem genuine as they match the actions of a contractor hired by China’s security organization, with a focus on domestic political agendas.

Cary found a spreadsheet compiling data repositories taken from victims, which listed 14 governments, including India, Indonesia, and Nigeria, as targets. According to the documents, I-Soon primarily assists the Ministry of Public Security.

Cary was surprised by the specific focus on Taiwan’s Health Ministry in assessing their COVID-19 cases during the beginning of 2021. He was also impressed by the relatively low cost of certain hacking methods. According to the documents, I-Soon only charged $55,000 for hacking into Vietnam’s economy ministry.

After reviewing the data, The Associated Press has not found any evidence of a successful hack on any NATO country, despite some chat records mentioning the organization. However, this does not mean that Chinese hackers supported by the government are not attempting to hack the U.S. and its allies. According to Cary, if the leaker is located in China, the act of leaking information about hacking NATO could have serious consequences and potentially escalate tensions, pushing Chinese authorities to further pursue the hacker’s identity.

Malware researcher Mathieu Tartare from cybersecurity company ESET has identified a connection between I-Soon and a Chinese government hacking group known as Fishmonger. This group was previously reported on by ESET in January 2020 for their involvement in cyber attacks on Hong Kong universities during student demonstrations. According to Tartare, Fishmonger has continued their hacking activities and has targeted various entities including governments, NGOs, and think tanks in Asia, Europe, Central America, and the United States since 2022.

According to French cybersecurity researcher Baptiste Robert, I-Soon has discovered a method to hack into X, previously known as Twitter, even if the account has two-factor authentication. Additionally, the researcher found evidence of another technique for analyzing email inboxes. Robert believes that U.S. cyber operators and their allies may be responsible for the leak of I-Soon’s findings, as it is in their best interest to expose Chinese state-sponsored hacking.

A representative from U.S. Cyber Command declined to confirm whether the National Security Agency or Cybercom played a role in the release. X’s press office, asked by email, replied, “Currently occupied, please inquire again at a later time.”

Governments in the Western world, including the US, have implemented measures to prevent Chinese state surveillance and intimidation of those who criticize the government while overseas. According to Laura Harth, the campaign director of Safeguard Defenders, a group dedicated to promoting human rights in China, these tactics create a sense of fear towards the Chinese government among both Chinese and foreign citizens living abroad. This fear leads to a suppression of criticism and self-censorship. As Harth puts it, the threat of Chinese surveillance and harassment is constantly looming and difficult to escape.

In the previous year, American authorities pressed charges against 40 Chinese police officers who were tasked with intimidating the relatives of Chinese dissidents living abroad and promoting pro-Beijing materials on the internet. According to Harth, the accusations in the indictments mirror the tactics described in the I-Soon documents. Chinese officials have also accused the United States of engaging in similar behavior. Recently, U.S. officials, including FBI Director Chris Wray, have expressed concerns about Chinese government hackers installing malware that could potentially harm civilian infrastructure.

Mao Ning, a spokeswoman for the Chinese Foreign Ministry, stated on Monday that the U.S. government has been consistently attempting to undermine China’s essential systems. She urged the U.S. to refrain from using cybersecurity concerns as a means to defame other nations.

___

Kang provided coverage from Chengdu, China. Didi Tang and Larry Fenn, AP journalists in Washington, D.C. and New York respectively, also contributed to this report.

Source: wral.com