Inside Look at Chinese Government Hacking Efforts Revealed in Spyware Leak

Over the weekend, a cache of files and documents allegedly stolen from the Chinese government hacking contractor I-Soon was posted online. The leak has given cybersecurity researchers and rival governments an unprecedented opportunity to gain insight into Chinese government hacking operations carried out through private contractors.

The leak resembles the hack-and-leak operation that targeted Italian spyware maker Hacking Team in 2015. It includes company documents and internal communications that reveal I-Soon’s alleged involvement in hacking companies and government agencies in various countries, including India, Kazakhstan, Malaysia, Pakistan, Taiwan, and Thailand.

The leaked files were initially posted to code sharing site GitHub on Friday, and since then, experts in Chinese hacking operations have been meticulously examining them. Jon Condra, a threat intelligence analyst at cybersecurity firm Recorded Future, describes this leak as the most significant data leak connected to a company suspected of providing cyber espionage and targeted intrusion services for the Chinese security services.

For John Hultquist, the chief analyst at Google-owned Mandiant, this leak is a rare opportunity to gain unfettered access to the inner workings of an intelligence operation. The leaked files provide a first-of-its-kind look at the internal operations of a state-affiliated hacking contractor, according to Dakota Cary, an analyst at cybersecurity firm SentinelOne.

The leak has caught the attention of Azaka, a threat intelligence researcher from Taiwan. Azaka analyzed some of the documents and files and shared findings on the social media platform X. The researcher highlighted spying software developed by I-Soon for various operating systems, including Windows, macOS, iPhones, and Android devices. Azaka also found hardware hacking devices designed for field use that can crack Wi-Fi passwords, locate Wi-Fi devices, and disrupt Wi-Fi signals.

Azaka states that this leak confirms how APT (advanced persistent threat) groups operate similarly to regular workers but with very low pay. It reveals that there is a substantial market for breaching large government networks and provides confirmation of the scale of Chinese hacking operations.

The leaked documents link I-Soon to APT41, a Chinese government hacking group that has been active since 2012. APT41 has targeted organizations in various industries worldwide, including healthcare, telecom, tech, and video games.

Furthermore, the leak exposes an IP address associated with I-Soon that hosted a phishing site used against Tibetans in a hacking campaign in 2019. Citizen Lab researchers referred to the hacking group responsible as “Poison Carp.”

The leaked documents also contain chat logs between I-Soon employees and management, some of which are mundane, discussing topics like gambling and playing mahjong. These chat logs, along with the leaked documents, shed light on the low salaries received by I-Soon employees.

According to cybersecurity firm SentinelOne’s analysis of the leaked documents and chats, I-Soon was working for various Chinese government agencies, including the Ministry of Public Security, the Ministry of State Security, and the Chinese army and navy. The company also pitched and sold its services to local law enforcement agencies across China, specifically targeting minorities such as Tibetans and Uyghurs.

The leak raises questions about how much a mercenary hacking group’s past activity predicts its future targeting. Researchers and cybersecurity firms should be cautious when assessing the potential targets of these groups, since the groups act on requests from government agencies rather than on fixed priorities of their own. The leak suggests that their focus may shift with each new request and partnership.

The Chinese Embassy in Washington D.C. did not respond to requests for comment regarding the leak. Similarly, an email sent to I-Soon’s support inbox went unanswered. However, two anonymous I-Soon employees informed the Associated Press that the leak would not impact their business and instructed staff to continue working as usual.

At present, it remains unknown who posted the leaked documents and files. GitHub has since removed the leaked cache from its platform. Many researchers believe that a disgruntled current or former employee is the most likely source of the leak. The leaked information is structured in a way that aims to embarrass the company, featuring employee complaints about low pay and the financial conditions of the business.

In conclusion, this spyware leak has provided invaluable insight into the inner workings of Chinese government hacking operations facilitated by private contractors. It offers a glimpse into the tools, targets, and affiliations of these hacking groups. As cybersecurity experts continue to analyze the leaked files, more revelations are expected to emerge, further illuminating the evolving landscape of state-sponsored cyber espionage.