Online dump of Chinese hacking documents offers a rare window into pervasive state surveillance

By Dake Kang and Frank Bajak

Feb. 21, 2024

Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation’s top policing agency and other parts of its government — a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners.

Among the apparent targets of tools provided by the impacted company, I-Soon: ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China’s far west.

The dump of scores of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security. The dump, which analysts consider highly significant even if it does not reveal any especially novel or potent tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and client and employee lists.

They reveal, in detail, methods used by Chinese authorities used to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media.

The documents show apparent I-Soon hacking of networks across Central and Southeast Asia, as well as Hong Kong and the self-ruled island of Taiwan, which Beijing claims as its territory.

MORE

FireEye CEO: Reckless Microsoft hack unusual for China

By FRANK BAJAK and NATHAN ELLGREN
March 9, 2021

RESTON, Va. (AP) — Cyber sleuths have already blamed China for a hack that exposed tens of thousands of servers running Microsoft’s Exchange email program to potential hacks. The CEO of a prominent cybersecurity firm says it now seems clear China also unleashed an indiscriminate, automated second wave of hacking that opened the way for ransomware and other cyberattacks.

The second wave, which began Feb. 26, is highly uncharacteristic of Beijing’s elite cyber spies and far exceeds the norms of espionage, said Kevin Mandia of FireEye. In its massive scale it diverges radically from the highly targeted nature of the original hack, which was detected in January.

“You never want to see a modern nation like China that has an offense capability — that they usually control with discipline — suddenly hit potentially a hundred thousand systems,” Mandia said Tuesday in an interview with The Associated Press.

Mandia said his company assesses based on the forensics that two groups of Chinese state-backed hackers — in an explosion of automated seeding — installed backdoors known as “web shells” on an as-yet undetermined number of systems. Experts fear a large number could easily be exploited for second-stage infections of ransomware by criminals, who also use automation to identify and infect targets.

MORE