The skyline of Chengdu, China. Image: Wikimedia Commons / CC BY 3.0

Leaked documents open the lid on China’s commercial hacking industry

A trove of leaked documents appearing to be from a Chinese security company is shedding light on the country’s commercial cyberespionage industry — revealing hacking contracts with public agencies, a repository of targets and years of chats among employees.

While the source of the leak is unknown, researchers with knowledge of the Chinese cyber industry say the contents appear to be genuine. Their authenticity was also attested by the Associated Press, which spoke to two of the company’s employees who said the company and Chinese law enforcement were investigating the leak.

The files first appeared on GitHub, a code and file repository, on February 16, after which they were publicized on social media by a Taiwanese analyst.

They pertain to a company called I-Soon — also known as Anxun — which was founded in Shanghai in 2010 but has a subsidiary in the city of Chengdu, where a cottage industry of hacking-for-hire companies has developed. I-Soon’s CEO, Wu Haibo, was a member of China’s first hacktivist group and is a well-known hacker.

In a report on the leaks, SentinelLabs researcher Dakota Cary said the documents show the company “appears to be responsible for the compromise of at least 14 governments,” as well as pro-democracy organizations in Hong Kong and universities.

In what seems to be a list of targeted domains, agencies within the governments of Rwanda, Indonesia, Malaysia, Thailand, Vietnam, Cambodia, Nigeria, Mongolia, Myanmar, Taiwan and India are listed, among others. The leaks also include a full database of hacked call logs in Kyrgyzstan.

In one translated chat log, two employees discuss hacking NATO targets but appear to decide it’s too difficult or “not worth it.”

“Client says NATO is not exactly possible… they had already tried NATO before… also they’re not exactly interested,” one employee says.

After responding that they already had “stuff” from NATO Secretary General Jens Stoltenberg, the other employee wrote: “what about making it cheaper? I’m running low on money”.

The majority of the contracts shown in the documents are with various branches of the Ministry of Public Security — China’s police authority — with a few contracts signed with the country’s Ministry of State Security spy agency, and with a military branch in Yunnan province.

“The Ministry of Public Security is less likely to have in-house talent to perform offensive operations, which means they’ll be using contractors to do that,” Cary told Recorded Future News.

Marketing materials pitch I-Soon’s “counterterrorism” work in what appears to be a deck tailored to pursue contracts for Beijing’s activities targeting ethnic minorities in Xinjiang and Tibet, where a massive surveillance apparatus has been set up to monitor locals. In the materials, the company boasts of its past hacks on targets purportedly connected to terrorism in Pakistan and Afghanistan. The Chinese government has rejected concerns by the U.N. Human Rights Council about its human rights abuses in these regions.

“If you look at the targets, a lot of them have to do with political security, violence by Muslim extremists, or just the outright surveillance of Uyghurs in Xinjiang,” Cary said.

The documents also contain detailed descriptions of the technical services I-Soon offers its clients, including the capability to obtain a Twitter (now X) user’s email address and phone number, as well as full access to their account, including reading direct messages and publishing tweets to the users’ feed.

They offer several remote access trojans (RATs) targeting Windows, iOS, and Android devices. The malware for Android is capable of harvesting messages from all of the popular messaging apps in China, which would be of primary interest to the Ministry of State Security.

Photographs and documents also show hardware surveillance kits, including what SentinelLabs described as “a tool meant to look like a powerbank that actually passed data from the victim’s network back to the hackers,” alongside what Malwarebytes Labs said was “special equipment for operatives working abroad to establish safe communication.”

Due to the volume of material in the leak, the analysts’ current insights from it are not exhaustive. Generally, they say the primary focus of the hacking group’s activities appears to be monitoring dissent by the diaspora Chinese population, although I-Soon also appears to have been contracted for espionage targeting government ministries principally in the Asia Pacific region.

Some of the targets are perhaps more surprising, including two academics connected to Sciences Po in France. Vincent Fertey, who was head of a campus in Le Havre focusing on the Asia-Pacific region, told Recorded Future News he found out about the hacks on Monday.

“I did not know why I could have been a target and as campus director, my activity was only about education and trainings for undergraduate students,” he said.

While I-Soon has been quiet about the leaks, and did not respond to a request for comment, its website was taken down on Tuesday. Employees told the AP that the company held a meeting on Wednesday about the leak during which staff were told that it would not significantly affect the business.

An incestuous industry

Mei Danowski, a threat intelligence researcher who wrote about I-Soon last October on the well-respected blog Natto Thoughts, said the leaks are a reminder that, similar to any enterprise, the cyberespionage companies are primarily interested in their bottom line.

“We understand they’re hackers-for-hire — but, the thing is it’s a business. The chat shows the struggle,” she said. “They’re trying to find contracts, and they try to work with local governments, from the provincial level to the municipal level to even third-tier cities to try to get business.”

These contracts aren’t particularly lucrative, the documents show. As Cary points out, exfiltrating data from Vietnam’s Ministry of Economy appears to have paid out $55,000, and other targets were valued at much less.

“That’s pretty damn cheap. The price point shows us a) how many buyers there are and b) the supply,” Cary said. “It says a lot about the security of the target they were going after. If it’s your job to make sure that hackers can't get into your network, I think the goal should be to increase that price as much as possible.”

Throughout the logs, disgruntled employees complain about pay, threatening to leave the company in search of other work.

The documents also show that the ecosystem among information security companies in China is incestuous and fluid. Contracts are often not made directly with public agencies but instead involve subcontractors and third parties within the security space.

“They’re kind of helping each other in a way, and they also compete with each other,” Danowski said.

In October, Danowski discovered that Chengdu 404 — a hacker-for-hire company associated with the threat group tracked as APT41 — had sued I-Soon in a contract dispute, suggesting that the two companies had some business overlap. Three executives from the company were indicted in 2020 by the U.S. Department of Justice.

According to the Washington Post, chat messages between executives from 2022 show I-Soon was late in paying Chengdu 404 about $140,000.

Reacting to the U.S. indictments in a chat shared in the leaks, an I-Soon executive asked if the company had any important business with Chengdu 404, Danowski said, to which they were told they did not but that the indicted men were from the “governing board of the drinking committee.”

“So that means they are buddies, right?” Danowski said. “They're like ‘so the next time when we see them we’ll ask them to drink 41 shots of baijiu liquor.’”


James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.