A massive data breach exposes the inner workings of China’s freelance hacking industry.

A massive data breach exposes the inner workings of China’s freelance hacking industry.

A major data breach from a Chinese cybersecurity company has exposed instances of government security agents paying significant amounts of money to collect data on specific targets, such as foreign governments. Meanwhile, cybercriminals are amassing vast quantities of information on individuals and organizations that may be of interest to potential customers.

Over 500 confidential documents from Chinese company I-Soon were leaked and shared on the developer site Github. Cybersecurity experts believe that these files are authentic and mention targets such as Nato and the UK Foreign Office.

The disclosure offers an exceptional understanding of the realm of Chinese freelance hackers, which the leader of the UK’s security services has deemed a “significant” obstacle for the nation.

The files, which are a mixture of chat logs, company prospectuses and data samples, reveal the extent of China’s intelligence gathering operations, while also highlighting the market pressures felt by the country’s commercial hackers as they vie for business in a struggling economy.

I-Soon has reportedly collaborated with, and later became entangled in a business disagreement with, another Chinese hacking group known as Chengdu 404. The US Department of Justice has charged members of Chengdu 404 with carrying out cyber-attacks on American companies and pro-democracy advocates in Hong Kong, among other targets.

The I-Soon leaks revealed that there were other targets besides private individuals, such as the British thinktank Chatham House and the public health bureaux and foreign affairs ministries of Asean countries. It appears that some of this information was obtained without a specific purpose, while in other instances, there were agreements between Chinese public security bureaus to collect particular types of data.

A representative from Chatham House expressed their awareness of the recently revealed data and expressed concern. The organization places a high importance on the security of its data and information. Due to ongoing attempts from various sources, including state and non-state actors, Chatham House, like many other organizations, is a frequent target of attacks.

“We implement security measures, including regularly reviewed and updated technology-based safeguards, to ensure protection.”

A representative from Nato stated that the organization is consistently confronted with cyber threats and has taken measures to defend against them by investing in robust cyber defenses. Additionally, Nato thoroughly investigates all reports of cyber threats.

The British Foreign Office refused to provide a statement.

I-Soon offers a diverse range of services. For instance, the public security bureau of a Shandong city paid approximately £44,000 to gain email inbox access for 10 targets for a year.

The company advertised the ability to hack accounts on X, gather personal information from Facebook, access data from internal databases, and compromise a variety of operating systems such as Mac and Android.

The exterior of the I-Soon office building in Chengdu in China’s south-western Sichuan province.View image in fullscreen

One of the documents contains an image of a folder labeled “Notes from the secretariat of European Affairs of North Macedonia”. Another image displays files that seem to pertain to the EU, such as one titled “Draft EU position with regard to COP 15 part 2”. The file names refer to an encryption method utilized by EU organizations to protect official information.

Sometimes, the reason for gathering the data is uncertain. According to Alan Woodward, a computer security specialist at the University of Surrey, the Chinese government is essentially collecting as much data as possible. Their goal is to have a vast amount of information at their disposal, in case it becomes valuable.

Woodward observed that Chinese cyber activity differs from that of Russian state-affiliated hackers, as they tend to target mass data collection rather than ransomware attacks or other disruptive acts. Woodward also mentioned that this behavior could potentially be seen as a preparation for future disruptive actions.

skip past newsletter promotion

The previous year, a report from the parliamentary intelligence and security committee regarding China stated that their cyber abilities enable them to focus on a wide variety of organizations and data sets, including those that are uncommon. Specialists speculate that the purpose of collecting data may be to uncover potential targets for human intelligence missions.

I-Soon also focused on domestic targets. In an agreement with a local government in Xinjiang, the company mentioned offering assistance in “anti-terrorism” efforts to the police in surveilling Uyghurs. They claimed to have over ten years of experience in obtaining access to servers and intranet permissions in multiple countries.

The company stated that they received information from anti-terrorism agencies and the postal service of Pakistan. The embassy of Pakistan in London did not reply to a comment request.

Some of the commitments made to customers may have been exaggerated sales talk. During a conversation, an employee posed the question: “Are our customers misleading us or are we misleading them?” The worker went on to say that it is common to deceive customers about the company’s capabilities, but it is detrimental for the company to deceive its own employees.

According to Mei Danowski, a cybersecurity expert from China who writes the Natto Thoughts newsletter, the common perception of Chinese hackers being funded by the government is not entirely accurate. If the leaked documents are genuine, it suggests that these hackers have to actively seek out business and earn their reputation.

Other chat logs were strikingly mundane. Employees discussed Covid-19 and the financial pressures at I-Soon. “Originally, everyone knew that the company was having a hard time, and they all understood. After all, the epidemic is so severe,” wrote one worker in March 2021. But, they complained, I-Soon “didn’t say they wouldn’t pay us wages”.

In the following year, the stress at the company appeared to have increased. The CEO, Wu Haibo (also known as Shutd0wn), stated that the departure of key employees had weakened customer trust, resulting in a decline in business. Wu did not reply to a comment request.

In September 2022, an employee expressed concern about the boss’s high levels of anxiety and questioned the company’s ability to stay afloat until the end of the year. In a separate conversation, colleagues discussed the company’s declining sales and the negative atmosphere in the office. One employee suggested turning to alcohol as a source of comfort, stating that they may scream if they are unable to have a drink.

Source: theguardian.com