Last updated on April 4th, 2024 at 11:07 am

Data from cybersecurity firm I-Soon provides a rare insight into the inner workings of China’s hacking program

A massive data leak from a Chinese cybersecurity firm has provided a rare glimpse into the inner workings of hackers linked to Beijing. Analysts view the leak as a valuable source of information on the day-to-day operations of China’s hacking program, which the FBI considers the largest of any country. I-Soon, the company involved, has not yet verified the authenticity of the leak and has not responded to requests for comment. As of Friday, the leaked data had been removed from the online software repository GitHub, where it was originally posted.

The leaks offer various insights, from staff complaints about pay and office gossip to claims of hacking foreign governments.

Who got hacked?

Every day, employees at I-Soon were targeting major entities. The leak revealed that government agencies of China’s neighbors, including Kyrgyzstan, Thailand, Cambodia, Mongolia, and Vietnam, had websites or email servers compromised. The leaked data also included long lists of targets, ranging from British government departments to Thai ministries. I-Soon staff also claimed in leaked chats that they had secured access to telecom service providers in Pakistan, Kazakhstan, Mongolia, Thailand, and Malaysia, among others. They identified the government of India—a geopolitical rival of Beijing’s—as a key target for “infiltration.” Additionally, they claimed to have gained back-end access to higher education institutions in Hong Kong and self-ruled Taiwan, which China claims as part of its territory. However, they also admitted to having lost access to some of the data they had seized from government agencies in Myanmar and South Korea.

Other targets included domestic entities, from China’s north-western region of Xinjiang to Tibet, and from illegal pornography to gambling rings.

Who was paying I-Soon?

Based on the leaks, it appears that most of I-Soon’s clients were provincial or local police departments, along with province-level state security agencies responsible for protecting the Communist party from perceived threats to its rule. The company also provided assistance to clients in protecting their devices from hacking and securing their communications, with many contracts listed as “non-secret”.

The leaks also contained references to official corruption. In one chat, salesmen discussed selling the company’s products to police and planned to provide kickbacks to those involved in the sale.

There were also mentions of a client in Xinjiang, where Beijing faces accusations of grave human rights abuses. However, workers complained about the challenges of conducting business in the tense region.

“Everyone thinks of Xinjiang like a nice big cake … but we have suffered too much there,” one worker wrote.

What hacking tools were for sale?

In their conversations, employees at I-Soon described their primary focus as creating “Trojan horses” – malicious software that masquerades as legitimate software, allowing hackers to access private data – and compiling databases of personal information.

“At present, the Trojan horses are primarily tailored for use by Beijing’s state security department,” one employee said.

The leak also detailed how the company’s hackers could remotely access and take control of a person’s computer, enabling them to execute commands and monitor keystrokes, a technique known as keylogging. Other services included methods to breach Apple’s iPhone and other smartphone operating systems, as well as custom hardware – such as a power bank capable of extracting data from a device and transmitting it to the hackers.

In one conversation screenshot, an individual describes a client request for exclusive access to the “foreign secretary’s office, foreign ministry’s ASEAN office, prime minister’s office, national intelligence agency,” and other government departments of an unspecified country.

I-Soon provides a tool that claims to allow clients to access accounts on the social media platform X (formerly Twitter), purportedly able to obtain a user’s phone number and access their private messages.

Additionally, I-Soon boasts a technique to circumvent two-step authentication, a common login method that provides an extra layer of security to the account.

Who are the hackers?

The leak also provides insight into the less-than-ideal work environment at a mid-level Chinese cybersecurity firm.

Employee chats reveal complaints about office politics, a lack of basic tech expertise among colleagues, low pay, and poor management. The company also faced challenges in attracting clients. Screenshots show arguments between an employee and a supervisor over salaries.

In another leaked chat, a staffer lamented to a colleague that their boss had recently purchased a car worth over 1 million yuan ($139,000) instead of providing a pay raise for their team.