Thursday, 15 January 2026

CCP’s Extended Surveillance Mechanism: Insights from I-Soon Leak


A treasure trove of leaked documents from a Chinese state-linked hacking contractor, I-Soon, has exposed the activities of Beijing's intelligence and military organs in attempting large-scale, systematic cyber intrusions against foreign governments, companies and infrastructure. A GitHub leak on 16 February 2024 provided a first-of-its-kind look at the internal operations of this Shanghai-headquartered, state-affiliated hacking contractor. The Associated Press confirmed the leak's authenticity with two I-Soon employees. The uploaded files include dozens of marketing documents, images and screenshots, and thousands of WeChat messages between I-Soon employees and clients.

An analyst based in Taiwan found the document trove on GitHub and shared their findings on social media. The researcher highlighted spying software developed by I-Soon for Windows, macOS, iPhone and Android devices, as well as hardware hacking devices designed for use in the field that can crack Wi-Fi passwords, locate Wi-Fi devices and disrupt Wi-Fi signals. Photographs and documents also show hardware surveillance kits, including what SentinelLabs described as "a tool meant to look like a power bank that actually passed data from the victim's network back to the hackers," alongside what Malwarebytes Labs said was "special equipment for operatives working abroad to establish safe communication."

Terabytes of data have been stolen by I-Soon from targets in Kazakhstan, Kyrgyzstan, Malaysia, Mongolia, Nepal, Türkiye, India, Egypt, France, Rwanda, Nigeria, Indonesia, Vietnam, Myanmar, the Philippines, Afghanistan and Hong Kong. Targeted organisations spanned academia, aerospace, government, media, telecommunications, and research and development. Indian organisations such as BSNL, Air India, EPFO and Apollo Hospitals are mentioned in the files, although no user data connected with them has been leaked. One spreadsheet listed 80 overseas targets that I-Soon hackers appeared to have successfully breached. The haul included 95.2 gigabytes of immigration data from India and a 3-terabyte collection of call logs from South Korea's LG U Plus telecom provider.

In its brand brochure, I-Soon claimed the ability to target several Indian government agencies and to operate as an APT group against Tibet-related organisations. In December 2021 the group claimed it had gained access to the intranet of the Tibetan government in exile (the CTA in Dharamsala), setting off a frantic search for a buyer. I-Soon also facilitated attempts to extract information from Beijing's close diplomatic partners, including but not limited to Pakistan and Cambodia.

In a bid to win work in Xinjiang, where China continues to subject millions of Uyghurs to treatment that the UN human rights office has said may constitute crimes against humanity, the company bragged about its past counterterrorism work. A thank-you letter I-Soon received from the network security team of the Kashgar region public security bureau suggests I-Soon has carried out projects for public security officials in Xinjiang. As evidence of its ability to perform such tasks, the company listed other terrorism-related targets it had previously hacked, including counterterrorism centres in Pakistan and Afghanistan.


The leak lifted the lid on China's commercial hacking industry and provided unprecedented insight into the world of China's hackers for hire. In the leaked Sichuan I-Soon contract list, 66 of the 120 contracts served various public security bureaus; 22 served state security agencies; only one served the PLA, and that was also the only contract classified as "secret"; the remaining 31 served other government agencies, research institutes, state-owned enterprises and similar bodies. I-Soon also maintained connections with universities throughout Sichuan province by hosting hacking competitions and offering training courses through its I-Soon Institute. It has three subsidiaries, with offices in Nanjing (Jiangsu), Taizhou and Ningbo (Zhejiang).

A variety of cyber threat intelligence (CTI) analyses have pointed out that Sichuan Province is a "known hot spot for hacking" and that Chengdu, the capital of Sichuan Province, has "become a hub for Chinese advanced persistent threat (APT) activity." CEO Wu Haibo is the sole controller of I-Soon and its subsidiaries. The company's website reflects his patriotic hacker background. According to the website, the name I-Soon was taken from its tagline, which means that cybersecurity has no boundaries and there is no end to learning. The I-Soon website claims its company culture aspires to "become a solid national defence reserve force with a strong sense of political responsibility and a spirit of high responsibility to the Party and the People."

The leaks hint at infighting and dissatisfaction within the network of patriotic Chinese hackers, despite the long-standing collaboration between groups. The leaker presented themselves on GitHub as a whistle-blower exposing malpractice, poor working conditions and the "low quality" products that I-Soon uses to "dupe" its government clients. In chats marked as featuring worker complaints, employees grumbled about sexism, long hours and weak sales. At one level, this leak does not change anything: it is no secret that China is a prolific cyber espionage actor, so it will probably not change people's views about the country.

China's model of mixing state support with a profit incentive has created a large network of actors competing to exploit vulnerabilities and grow their businesses. By participating in government initiatives and working on government contracts, Chinese information security companies have become hackers for hire for Beijing. As the leaked documents demonstrate, third-party contractors like I-Soon play a significant role in facilitating and executing many of China's offensive operations in the cyber domain. Their connections with public security bureaus spread across the Party-State show a disturbing pattern of malicious Chinese cyber activity, and the urgent need for countries across the world to strengthen their cyber defence capacities.
