The hackers offered a menu of services, at varying prices.
A local government in southwest China paid less than $15,000 to access the private website of Vietnam’s traffic police. Software that helped run disinformation campaigns and hack accounts on X cost $100,000. For $278,000 Chinese customers could get a trove of personal information behind social media accounts on platforms like Telegram and Facebook.
The deals, detailed in leaked documents, were part of the hacking tools and hidden data sold by a Chinese security firm called I-Soon, one of hundreds of enterprising companies that support China’s aggressive state-sponsored hacking efforts. The work is part of a campaign to break into the websites of foreign governments and telecommunications companies.
The material, which was posted on a public website last week, revealed an eight-year effort to target databases and monitor communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia. The files also showed a campaign to closely monitor the activities of ethnic minorities in China and online gambling companies.
The data included files of apparent correspondence between employees, target lists and material that featured cyber-attack tools. Three cyber experts interviewed by The New York Times said the documents appear to be authentic.
Overall, the files offered a rare glimpse into the secretive world of China’s state-backed hackers-for-hire. They showed how Chinese law enforcement and its top spy agency, the Ministry of State Security, reached beyond their own ranks to tap private-sector talent in a hacking campaign that United States officials say targeted American companies and government agencies.
“We have every reason to believe this is authentic data from a contractor supporting global and domestic cyber espionage operations outside of China,” said John Hultquist, principal analyst at Google’s Mandiant Intelligence.
Mr Hultquist said the leak revealed that I-Soon was working for a range of Chinese government agencies that sponsor hacking, including the Ministry of State Security, the People’s Liberation Army and China’s national police. At times the company’s employees focused on overseas targets. In other cases they helped China’s feared Ministry of Public Security track Chinese citizens at home and abroad.
“They are part of a contractor ecosystem that has links to the Chinese patriotic hacking scene, which developed two decades ago and has since become legal,” he added, referring to the emergence of nationalist hackers who have become a kind of cottage industry.
I-Soon did not respond to emailed questions about the leak.
The revelations highlight the extent to which China has ignored, or evaded, US and other efforts for more than a decade to curb its widespread hacking operations. And they come as US officials warn that the country has not only doubled down, but has also gone from simple espionage to planting malicious code in vital US infrastructure, perhaps in preparation for a day when conflict erupts over Taiwan.
The Chinese government’s use of private contractors to hack on its behalf borrows from the tactics of Iran and Russia, which for years have turned to non-governmental entities to pursue commercial and official targets. While the dispersed approach to state espionage may be more effective, it has also proven more difficult to control. Some Chinese contractors have used malware to extort ransom from private companies, even while working for China’s spy agency.
In part, the shift is rooted in a decision by China’s top leader, Xi Jinping, to upgrade the role of the Ministry of State Security to engage in more hacking activities, which had previously been primarily the purview of the People’s Liberation Army. While the security ministry emphasizes absolute loyalty to Mr. Xi and the Communist Party’s rule, hacking and espionage operations are often initiated and controlled by provincial-level state security bureaus.
These agencies sometimes, in turn, outsource hacking operations to commercially driven groups, a recipe for occasionally haphazard and even sloppy espionage activities that do not adhere to Beijing’s diplomatic priorities and can upset foreign governments with their tactics.
Parts of the Chinese government are still involved in sophisticated top-down hacks, such as trying to plant code inside key US infrastructure. However, the overall number of hacks originating in China has increased, and the targets range more widely – including information on Ebola vaccines and driverless car technology.
This fueled a new industry of contractors like I-Soon. Although part of the Chinese cyber-espionage world, the Shanghai firm, which also has offices in Chengdu, epitomized the amateurism that many of China’s relatively young hacking contractors bring. The documents showed that at times the company was unsure whether the services and data it was selling were still available. For example, it noted internally that the disinformation software for X was “under maintenance,” despite its $100,000 price tag.
The leak also described the daily grind and struggles of China’s commercial hacking contractors. Like many of its rivals, I-Soon held cybersecurity competitions to find new recruits. Instead of selling to a central government agency, a spreadsheet showed, I-Soon had to turn to China’s police and other city-by-city agencies. This meant advertising and marketing its products. In a letter to local officials in western China, the company boasted that it could help with counterterrorism enforcement because it had hacked Pakistan’s counterterrorism unit.
The leaked materials promoting I-Soon’s hacking techniques described technologies created to break into Outlook email accounts and obtain information such as contact lists and location data from Apple iPhones. One document appears to contain extensive flight records from a Vietnamese airline, including traveler ID numbers, occupations and destinations.
Vietnam’s foreign ministry did not immediately respond to an emailed request for comment.
At the same time, I-Soon said it had built technology that could meet the domestic demands of China’s police, including software that could monitor public sentiment on social media inside China. Another tool, created to target accounts on X, could pull email addresses, phone numbers and other identifiable information associated with user accounts and, in some cases, help hack those accounts.
In recent years, Chinese law enforcement officials have been able to track down activists and government critics who had posted on X using anonymous accounts inside and outside of China. They often then used threats to force X users to remove posts that the authorities deemed too critical or inappropriate.
Mao Ning, a spokeswoman for China’s foreign ministry, said at a press conference on Thursday that she was not aware of any data leaks from I-Soon. “On principle, China firmly opposes and fights all forms of cyber-attacks in accordance with the law,” Ms Mao said.
X did not respond to a request seeking comment. A spokesman said the South Korean government would have no comment.
Although the leak involved only one of China’s many hacking contractors, experts said the vast amount of data could help agencies and companies working to defend against Chinese attacks.
“This represents the most significant data breach linked to a company suspected of providing cyberespionage and targeted intrusion services for Chinese security services,” said Jonathan Condra, director of strategic and persistent threats at Recorded Future, a cybersecurity firm.
Among the information breached was a large database of the road network in Taiwan, an island republic that China has long claimed and threatened to invade. The 459 gigabytes of maps came from 2021 and showed how companies like I-Soon are collecting information that can be useful militarily, experts said. China’s own government has long considered Chinese driving navigation data to be sensitive and has set strict limits on who can collect it.
“Determining the terrain of the road is crucial for planning armored and infantry movements around the island on the way to capture population centers and military bases,” said Dmitri Alperovitch, a cybersecurity expert.
Other information included internal email services or intranet access for several Southeast Asian government ministries, including Malaysia’s foreign and defense ministries and Thailand’s national intelligence agency. Immigration data from India covering flight and visa details of national and foreign passengers was also available, according to the records.
In other cases, I-Soon claimed to have accessed data from private companies such as telecommunications companies in Kazakhstan, Mongolia, Myanmar, Vietnam and Hong Kong.
The revelations about the Chinese attacks are likely to confirm the fears of policymakers in Washington, where officials have issued repeated dire warnings about such hacks. Last weekend in Munich, the director of the Federal Bureau of Investigation, Christopher A. Wray, said that hacking operations from China were now directed against the United States on “a scale greater than we have seen before” and ranked them among the leading threats to America’s national security.
He became one of the first senior officials to speak openly about Volt Typhoon, the name of a Chinese hacker network that has planted code on critical infrastructure, setting off alarms across the government. Intelligence officials believe the code was intended to send a message: that at any moment China could cut off electricity, water or communications.
Some of the code has been found near US military bases that rely on civilian infrastructure to continue operating — especially bases that would be involved in any rapid response to an attack on Taiwan.
“It’s the tip of the iceberg,” Mr Wray concluded.
David E. Sanger and Chris Buckley contributed to the report.