Chinese authorities have initiated an investigation into an unprecedented online leak of documents from a leading private security company, I-Soon, which maintains close links to the country’s top law enforcement agency as well as other government sectors. The dump includes details of alleged hacking activities and spying tools used against both locals and foreigners.
According to the revealed documents, I-Soon supplied tools for targeting ethnicities and dissidents in regions of China noted for significant anti-government demonstrations, including Hong Kong and Xinjiang, a predominantly Muslim area in China’s far west.
The document cache, confirmed by two I-Soon employees, was leaked last week and consists of various documents such as contracts, marketing presentations, product guides, and lists of clients and employees. While not exposing any particularly unique or potent tools, the breach is still seen as being of high importance, revealing details of domestic and overseas surveillance methods, foreign hacking strategies, and pro-Beijing narratives on social media.
I-Soon’s involvement in hacking network systems across Central and Southeast Asia, Hong Kong, and Taiwan, which Beijing claims as its own territory, is outlined in the documents. Furthermore, they describe the tools employed by Chinese state agents to identify users of overseas social media platforms, hack into emails, and disguise the online activity of overseas agents. Devices masquerading as power strips and batteries intended to compromise Wi-Fi networks are also mentioned.
The I-Soon staff and Chinese police are probing how these files were leaked. However, the employees—who revealed that the incident wouldn’t greatly impact the company’s operations—requested that their identities not be disclosed due to potential retaliation. The source of the leak remains unidentified, and the Chinese Foreign Ministry has yet to comment.
Jon Condra, an analyst with cybersecurity firm Recorded Future, referred to the leak as the most substantial one connected to a company “thought to provide cyber espionage and targeted intrusion services for the Chinese security forces.” The leaked material indicates that I-Soon targeted foreign governments, telecommunications companies, and online gambling businesses within China.
I-Soon’s website, which is now offline, previously displayed a list of clients that included the Ministry of Public Security, 11 provincial-level security bureaus, and about 40 municipal public security departments.
Based on corporate records, I-Soon was established in Shanghai in 2010 and has subsidiaries in three other cities. Its Chengdu subsidiary, responsible for hacking, research, and development, is noted in the leaked internal slides.
The leaked documents suggest the tools created by I-Soon are used by Chinese police to control dissent on overseas social media and to inject those platforms with pro-Beijing content. They also outline the successful marketing of “anti-terror” technical support to Xinjiang police for Uyghur surveillance, although it remains unclear whether the contract was signed.
Dakota Cary, a China analyst with cybersecurity firm SentinelOne, concludes that the leaked documents seem genuine and align with what can be expected from a contractor hacking on behalf of China’s security services, prioritizing domestic political issues.
Despite the extensive information uncovered by the leak, it remains uncertain whether the perpetrator is a rival intelligence service, an unhappy insider, or a competing contractor. Furthermore, although there are a few references to NATO in the records, there is no evidence of a successful breach of any NATO nation. However, this doesn’t mean that state-backed Chinese hackers are not targeting the U.S. and its allies.
Companies and activists focusing on human rights in China note that measures taken by Western governments to prevent Chinese state surveillance and harassment of government critics overseas have increased in recent years. This kind of activity by the Chinese government instills a constant, hard-to-shake-off fear, suppresses criticism, and prompts self-censorship among Chinese and foreign citizens abroad.
Chinese officials have accused the U.S. of engaging in similar activities. On Monday, Mao Ning, a Chinese Foreign Ministry spokeswoman, declared that the U.S. government has consistently sought to compromise China’s critical infrastructure. She demanded the U.S. “desist from using cybersecurity matters to disparage other nations.”
___
Kang reported from Chengdu, China. AP journalists Didi Tang in Washington, D.C., and Larry Fenn in New York contributed to this report.