Massive data leak exposes Chinese infosec vendor's cyberattacks-for-hire

Documents outline the use of hardware hacking devices, including a malicious power bank designed to surreptitiously upload data into victims' systems

A massive data leak originating from Chinese cybersecurity vendor I-Soon has exposed the extent of its involvement in global surveillance operations, including targeting countries such as Taiwan, India, Indonesia, Nigeria and the UK.

The leaked information, comprising approximately 190 megabytes of data, recently surfaced on code-sharing platform GitHub, offering a glimpse into the inner workings of China's state-sponsored cyber apparatus.

I-Soon is a Shanghai-based company believed to be among numerous private contractors aiding the Chinese government in intelligence gathering, hacking and surveillance endeavours.

Among the trove shared on GitHub are emails, conversations, images and a plethora of documents detailing contracts and communications between I-Soon and Chinese authorities.

An analysis of the leaked documents by cybersecurity experts indicated a systematic campaign spanning eight years, revealing targets within at least 20 foreign governments and territories, including the UK, India, Taiwan, South Korea, Hong Kong, Malaysia and other Asian nations.

One spreadsheet lists 80 overseas targets allegedly breached by I-Soon hackers, including the acquisition of 95 gigabytes of immigration data from India and a staggering 3 terabytes of call logs from South Korea's LG U Plus telecom provider.

Additionally, 459 gigabytes of road-mapping data from Taiwan, a territory claimed by China, were also reportedly obtained.

Within China, the leaked documents suggest targets include ethnic minorities and dissidents in regions where anti-government protests have taken place, such as Hong Kong and Xinjiang.

According to SentinelOne's assessment, I-Soon competes for "low-value hacking contracts" from various government agencies, positioning itself as a go-to resource for Beijing's clandestine cyber activities.

The leaked information exposes the hacking tools employed by I-Soon to gather intelligence, including methods to uncover identities on social media platforms and access emails, despite platforms like Facebook being inaccessible in China.

What sets I-Soon apart is its arsenal of sophisticated Remote Access Trojans (RATs) capable of infiltrating major operating systems, including Linux, Windows, macOS, iOS and Android.

Particularly alarming is the Android attack code, which purportedly enables the extraction of extensive messaging histories from Chinese chat applications and Telegram.

Furthermore, documents outline the use of hardware hacking devices by I-Soon, including a malicious power bank designed to surreptitiously upload data into victims' systems.

While I-Soon's website has seemingly gone offline in recent days, archived pages describe the company as deeply involved in cyberspace security, providing digital intelligence solutions since its founding in 2010.

John Hultquist, chief analyst at Google's Mandiant Intelligence, affirmed the authenticity of the leaked data, asserting that I-Soon's activities are supported by various Chinese government entities, including the Ministry of State Security, the People's Liberation Army and China's national police.

"They are part of an ecosystem of contractors that has links to the Chinese patriotic hacking scene, which developed two decades ago and has since gone legit."

He speculated that the source of the leak could be a rival intelligence service, a disgruntled insider, or even a competitor contractor.

Chinese authorities have denied knowledge of the data leak.

At a press briefing on Thursday, Mao Ning, a spokesperson for the Chinese Ministry of Foreign Affairs, stated that she was unaware of any data leak from I-Soon.

"As a matter of principle, China firmly opposes and cracks down on all forms of cyberattacks in accordance with the law," Mao said.

In a blog post, Malwarebytes said the leak would "certainly rattle some cages at the infiltrated entities" and "as such it could possibly cause a shift in international diplomacy and expose the holes in the national security of several countries."

Cyber threats are rising, and IT leaders need the latest information to stay ahead of the curve. Join us at the Cybersecurity Festival on 2nd May, where we bring together the most senior and influential voices from security leaders throughout the UK. Click here to secure your free place.