Anonymous Leak Reveals China’s Cyber Operations

Documents purporting to have been stolen from a subcontractor of China’s Ministry of Public Security have been published on GitHub. These commercial documents, whose authenticity cannot be fully confirmed but is highly probable given their nature and volume, describe a small arsenal of cyber espionage products.

On Friday, February 16, an anonymous source posted hundreds of pages linked to the Chinese company i-Soon on the code-sharing website GitHub. This rather discreet company has proven links with China’s Ministry of Public Security: since 2019 it has been one of the ministry’s “official suppliers”.

This leak has stirred the cybersecurity community worldwide. The disclosure provides an in-depth look into the operations of a state-affiliated hacking contractor, marking a rare occasion where the internal workings of such an organization have been made public.

I-Soon, also referred to as Anxun, is a Chinese cybersecurity contractor known for its affiliations with the People’s Republic of China (PRC) agencies, including the Ministry of Public Security, Ministry of State Security, and the People’s Liberation Army. It has been implicated in a range of cyber espionage activities targeting various entities across the globe, including governments, NGOs, and think tanks in Asia, Europe, Central America, and the United States. The leaked documents, which appeared on GitHub, include internal communications, contracts, product manuals, and lists of clients and employees, revealing the company’s extensive cyber espionage toolkit designed to infiltrate and manipulate digital infrastructure across the world.

The documents highlight I-Soon’s capabilities in creating and deploying advanced hacking tools. These include malware capable of targeting both Android and iOS devices, custom Remote Access Trojans (RATs) for Windows, and devices designed to breach Wi-Fi networks. The breadth of I-Soon’s operations, as exposed by the leaks, demonstrates the company’s significant role in supporting Beijing’s hacking endeavors, targeting a wide range of strategic and potentially lucrative targets for intelligence gathering.

The international community, particularly cybersecurity researchers, has taken a keen interest in the leak. It offers a unique insight into the competitive and secretive nature of the cybersecurity industry within China, shedding light on low employee morale and financial pressures that could potentially influence the quality and ethics of cyber operations. Moreover, the leak points to a broader ecosystem of cyber espionage cultivated by China, with contractors like I-Soon playing pivotal roles in the state’s cyber operations.

The diplomatic ramifications of this leak are substantial, highlighting vulnerabilities in national security across several countries and potentially affecting diplomatic ties. The exposure of I-Soon’s cyber espionage activities underscores the global reach and impact of China’s cyber operations, which could strain diplomatic relations and contribute to an escalating cycle of cyber conflict.

The United States and Western governments have taken steps in recent years to block Chinese state surveillance and harassment of government critics overseas. U.S. officials, including FBI Director Chris Wray, have raised concerns about Chinese state hackers planting malware that could be used to damage civilian infrastructure. In response, Chinese officials have accused the United States of similar activities, further complicating the cybersecurity landscape.

In conclusion, the leak from I-Soon offers a rare and comprehensive look into the inner workings of a key player in China’s cyber espionage activities. It underscores the sophisticated nature of state-backed cyber operations and their far-reaching implications for global cybersecurity and international diplomacy. As the cybersecurity community continues to analyze the leaked documents, the insights gained will undoubtedly influence the strategic approach to counteracting such threats and bolstering digital defenses worldwide.


Posted by

Stan Deberenx

Stan Deberenx is the Editor-in-Chief of Defensorum. Stan has many years of journalism experience on several publications. He has a reputation for attention to detail and journalist standards. Stan is a literature graduate from Sorbonne University, with a master's degree in management from Audencia/University of Cincinnati.