Leaked files reveal the secret world of Chinese hackers


The hackers offered a range of services at different prices.

A local government in southwest China paid less than $15,000 to access the private website of Vietnam's traffic police. Software that helped run disinformation campaigns and hack accounts on X cost $100,000. For $278,000, Chinese customers could get a wealth of personal information behind social media accounts on platforms like Telegram and Facebook.

The offerings, detailed in leaked documents, were a portion of the hacking tools and data caches sold by a Chinese security firm called I-Soon, one of the hundreds of entrepreneurial companies that support China's aggressive state-sponsored hacking efforts. The work is part of a campaign to break into the websites of foreign governments and telecommunications companies.

The materials, posted on a public website last week, revealed an eight-year effort to attack databases and tap communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia. The files also revealed a campaign to closely monitor the activities of ethnic minorities in China and of online gambling companies.

The data included records of apparent correspondence between employees, lists of targets and material demonstrating cyberattack tools. Three cybersecurity experts interviewed by The New York Times said the documents appeared to be authentic.

Taken together, the files offered a rare glimpse into the secretive world of Chinese state-backed hackers. They illustrated how Chinese law enforcement and its top spy agency, the Ministry of State Security, have reached beyond their own ranks to recruit talent from the private sector for a hacking campaign that U.S. officials say has targeted American companies and government agencies.

“We have every reason to believe that this is the authentic data from a contractor supporting global and domestic cyber espionage operations from China,” said John Hultquist, principal analyst at Google’s Mandiant Intelligence.

Mr. Hultquist said the leak revealed that I-Soon was working for a number of Chinese government entities that sponsor hacking, including the Ministry of State Security, the People's Liberation Army and China's national police. At times, the company's employees focused on foreign targets. In other cases, they helped China's feared Ministry of Public Security monitor Chinese citizens at home and abroad.

“They are part of an ecosystem of contractors that has ties to China's patriotic hacking scene that emerged two decades ago and has been legitimate ever since,” he added, referring to the emergence of nationalist hackers who have become something of a cottage industry.

I-Soon did not respond to emailed questions about the leak.

The revelations underscore the extent to which China has ignored or circumvented American and other efforts to limit its extensive hacking operations for more than a decade. The leak also comes at a time when American officials warn that the country has not only redoubled its efforts but also moved from mere espionage to planting malicious code in critical American infrastructure, perhaps in preparation for a day when a conflict over Taiwan breaks out.

The Chinese government's use of private contractors to hack on its behalf echoes tactics used by Iran and Russia, which have for years turned to private, nongovernmental entities to pursue commercial and official goals. Although the scattershot approach may be more effective for state espionage, it has also proven more difficult to control. Some Chinese contractors have used malware to extort ransoms from private companies even while working for China's spy agency.

The change is due in part to the decision by China's top leader, Xi Jinping, to strengthen the role of the Ministry of State Security in hacking activities that previously fell primarily under the purview of the People's Liberation Army. While the ministry emphasizes absolute loyalty to Mr. Xi and the Communist Party's rule, its hacking and espionage operations are often initiated and controlled by provincial-level state security offices.

These offices, in turn, sometimes outsource hacking operations to commercially oriented groups, a recipe for occasionally cavalier and even sloppy espionage that can disregard Beijing's diplomatic priorities and anger foreign governments with its tactics.

Parts of the Chinese government are still engaging in sophisticated top-down hacks, such as attempting to embed code in core U.S. infrastructure. But the total number of hacking attacks originating in China has risen, and the targets are broader, including information about Ebola vaccines and self-driving car technology.

This has spawned a new industry of contractors like I-Soon. Although part of the cloak-and-dagger world of Chinese cyber espionage, the Shanghai company, which also has offices in Chengdu, embodied the amateurism that many of China's relatively new contractors display when it comes to hacking. The documents revealed that at times the company was unsure whether the services and data it sold were still available. For example, it was noted internally that the software used to spread disinformation on X was “under maintenance,” despite its $100,000 price tag.

The leak also highlighted the everyday hustle and struggle of China's entrepreneurial hacking contractors. Like many of its competitors, I-Soon organized cybersecurity competitions to recruit new employees. Instead of selling to a centralized government agency, I-Soon had to court Chinese police and other authorities city by city, according to a spreadsheet. This meant advertising and marketing its goods. In a letter to local officials in western China, the company boasted that it could support counterterrorism efforts because it had broken into Pakistan's anti-terrorism unit.

Materials included in the leak promoting I-Soon's hacking techniques described technologies designed to break into Outlook email accounts and obtain information such as contact lists and location data from Apple's iPhones. One document appeared to contain extensive flight records from a Vietnamese airline, including travelers' identity numbers, occupations and destinations.

Vietnam's Foreign Ministry did not immediately respond to an emailed request for comment.

At the same time, I-Soon said it has developed technologies that can meet the domestic needs of China's police force, including software that can monitor public sentiment on social media in China. Another tool that works on accounts

In recent years, Chinese law enforcement agencies have managed to identify activists and government critics who posted on X through anonymous accounts inside and outside China. They often then used threats to force X users to remove posts that authorities deemed overly critical or inappropriate.

Mao Ning, a spokeswoman for China's Foreign Ministry, said at a news conference Thursday that she was unaware of a data leak at I-Soon. “As a matter of principle, China firmly opposes all forms of cyberattacks and cracks down on them in accordance with the law,” Ms. Mao said.

X did not respond to a request for comment. A spokesman said the South Korean government would have no comment.

Although the leak only involved one of China's many hacking contractors, experts said the vast amounts of data could help authorities and companies defend against Chinese attacks.

“This represents the largest data breach associated with a company suspected of providing cyber espionage and targeted intrusion services to the Chinese security services,” said Jonathan Condra, director of strategic and persistent threats at Recorded Future, a cybersecurity firm.

The hacked information included a large database of the road network in Taiwan, an island democracy that China has long claimed and threatened to invade. The 459 gigabytes of maps were from 2021 and showed how companies like I-Soon collect information that can be useful militarily, experts said. China's government itself has long considered Chinese driving navigation data to be sensitive and has placed strict restrictions on who can collect such data.

“Identifying road terrain is critical for planning tank and infantry movements around the island en route to occupying population centers and military bases,” said Dmitri Alperovitch, a cybersecurity expert.

Other information included internal email services or intranet access for several Southeast Asian government ministries, including Malaysia's foreign and defense ministries and Thailand's intelligence service. According to the files, immigration data from India covering flight and visa details of domestic and foreign passengers was also available.

In other cases, I-Soon claimed to have access to data from private companies such as telecommunications companies in Kazakhstan, Mongolia, Myanmar, Vietnam and Hong Kong.

The revelations about Chinese attacks are likely to confirm the fears of policymakers in Washington, where officials have repeatedly warned against such hacks. Federal Bureau of Investigation Director Christopher A. Wray said last weekend in Munich that hacking operations from China were now targeting the United States “to a greater extent than before,” calling them among the most significant threats to American national security.

He was one of the first senior officials to speak openly about Volt Typhoon, the name of a Chinese hacking network that injected code into critical infrastructure, causing alarm across the government. Intelligence officials believe the code was intended to send a message: that China could cut off power, water or communications at any time.

Some of the code was found near American military bases that rely on civilian infrastructure to operate – particularly bases that would be involved in a rapid response to an attack on Taiwan.

“This is just the tip of the iceberg,” Mr. Wray concluded.

David E. Sanger and Chris Buckley contributed reporting.