Leaked files show the secret world of China’s hired hackers

The hackers offered a menu of services at different prices.

A local government in southwestern China paid less than $15,000 for access to the private website of Vietnam’s traffic police. The software that helped run disinformation campaigns and hack accounts on X cost $100,000. For $278,000, Chinese customers could get a wealth of personal information behind social media accounts on platforms like Telegram and Facebook.

The offerings, detailed in leaked documents, were a portion of the hacking tools and data caches sold by a Chinese security company called I-Soon, one of hundreds of entrepreneurial companies supporting aggressive hacking efforts sponsored by the Chinese state. The work is part of a campaign to break into the websites of foreign governments and telecommunications companies.

The materials, which were posted on a public website last week, revealed an eight-year effort to attack databases and intercept communications in South Korea, Taiwan, Hong Kong, Malaysia, India and other parts of Asia. The files also showed a campaign to closely monitor the activities of ethnic minorities in China and online gambling companies.

The data included records of apparent correspondence between employees, target lists and material showing cyberattack tools. Three cybersecurity experts interviewed by The New York Times said the documents appeared authentic.

Together, the files offered a rare glimpse into the secret world of China’s state-backed hackers for hire. They illustrated how Chinese authorities and their main spy agency, the Ministry of State Security, have gone beyond their own ranks to tap private sector talent in a hacking campaign that U.S. officials say has targeted U.S. companies and government agencies.

“We have every reason to believe this is authentic data from a contractor supporting domestic and international cyber espionage operations from China,” said John Hultquist, chief analyst at Google’s Mandiant Intelligence.

Hultquist said the leak revealed that I-Soon was working for a variety of Chinese government entities that sponsor the hacking, including the Ministry of State Security, the People’s Liberation Army and China’s national police. At times, company employees focused on overseas targets. In other cases they helped China’s feared Ministry of Public Security monitor Chinese citizens inside and outside the country.

“They are part of an ecosystem of contractors that has ties to the patriotic Chinese hacking scene, which developed two decades ago and has since become legitimate,” he added, referring to the rise of nationalist hackers who have become a species of cottage industry.

I-Soon did not respond to emailed questions about the leak.

The revelations underscore the extent to which China has ignored or evaded U.S. and other efforts for more than a decade to limit its extensive hacking operations. And they come as U.S. officials warn that the country has not only doubled down, but has also moved beyond mere espionage to implanting malicious code in critical American infrastructure, perhaps to prepare for the day when conflict breaks out over Taiwan.

The Chinese government’s use of private contractors to hack on its behalf borrows from the tactics of Iran and Russia, which for years have used non-governmental entities to pursue commercial and official targets. Although the scattershot approach to state espionage may be more effective, it has also proven more difficult to control. Some Chinese contractors have used malware to demand ransoms from private companies, even while working for China’s spy agency.

In part, the change is rooted in a decision by China’s top leader, Xi Jinping, to elevate the role of the Ministry of State Security in hacking activities, which previously fell primarily under the purview of the People’s Liberation Army. While the Ministry of State Security emphasizes absolute loyalty to Xi’s government and the Communist Party, its hacking and espionage operations are often initiated and controlled by state security bureaus at the provincial level.

In turn, those bureaus sometimes outsource hacking operations to commercial groups, a recipe for occasionally brash and even sloppy espionage activities that fail to serve Beijing’s diplomatic priorities and can annoy foreign governments with their tactics.

Parts of China’s government still engage in sophisticated top-down hacking, such as attempting to place code inside America’s core infrastructure. But the total number of hacks originating in China has increased and the targets have varied more widely, including information about Ebola vaccines and self-driving car technology.

That has fueled a new industry of contractors like I-Soon. Although part of the hidden world of Chinese cyber espionage, the Shanghai company, which also has offices in Chengdu, epitomized the lack of professionalism that many of China’s relatively new contractors bring to hacking. The documents showed that at times the company was unsure whether the services and data it sold were still available. For example, it noted internally that its software for spreading disinformation on X was “under maintenance,” despite its $100,000 price tag.

The leak also described the daily hustle and struggle of China’s corporate hacking contractors. Like many of its rivals, I-Soon organized cybersecurity contests to recruit new employees. Instead of selling to a centralized government agency, a spreadsheet showed, I-Soon had to court Chinese police and other agencies on a city-by-city basis. That meant advertising and marketing its products. In a letter to local officials in western China, the company boasted that it could help with counterterrorism enforcement because it had broken into Pakistan’s counterterrorism unit.

Materials included in the leak promoting I-Soon’s hacking techniques described technologies created to break into Outlook email accounts and obtain information such as contact lists and location data from Apple iPhones. One document appeared to contain extensive flight records from a Vietnamese airline, including travelers’ identity numbers, occupations and destinations.

Vietnam’s Foreign Ministry did not immediately respond to an emailed request for comment.

At the same time, I-Soon said it had created technology that could meet the internal demands of Chinese police, including software that could monitor public opinion on social media within China. Another tool, designed to target accounts on X, could extract email addresses, phone numbers and other identifiable information related to user accounts and, in some cases, help hack those accounts.

In recent years, Chinese law enforcement officials have managed to identify activists and government critics who had posted on X using anonymous accounts from inside and outside China. They often used threats to force X users to remove posts that authorities deemed too critical or inappropriate.

Mao Ning, a spokeswoman for China’s Foreign Ministry, said at a news conference on Thursday that she was not aware of a data leak from I-Soon. “On principle, China firmly opposes and cracks down on all forms of cyber attacks in accordance with the law,” Ms. Mao said.

X did not respond to a request for comment. A spokesman said the South Korean government would have no comment.

Although the leak involved just one of China’s many hacking contractors, experts said the huge amount of data could help agencies and companies working to defend against Chinese attacks.

“This represents the largest data breach linked to a company suspected of providing targeted cyberespionage and intrusion services to Chinese security services,” said Jonathan Condra, director of strategic and persistent threats at Recorded Future, a cybersecurity firm.

Among the hacked information was a large database of the road network of Taiwan, an island democracy that China has long claimed and threatened with invasion. The 459 gigabytes of maps date from 2021 and show how companies like I-Soon collect information that can be useful militarily, experts said. China’s own government has long considered Chinese road and mapping data sensitive and has placed strict limits on who can collect it.

“Determining the road terrain is crucial for planning infantry and armor movements around the island on their way to occupying population centers and military bases,” said Dmitri Alperovitch, a cybersecurity expert.

Other information included internal email services or intranet access for multiple Southeast Asian government ministries, including Malaysia’s foreign and defense ministries and Thailand’s national intelligence agency. According to the files, Indian immigration data covering the flight and visa details of domestic and foreign passengers was also exposed.

In other cases, I-Soon claimed to have access to data from private companies such as telecommunications companies in Kazakhstan, Mongolia, Myanmar, Vietnam and Hong Kong.

The revelations about the Chinese attacks are likely to confirm the fears of policymakers in Washington, where officials have issued repeated dire warnings about such attacks. Last weekend in Munich, Federal Bureau of Investigation Director Christopher A. Wray said hacking operations from China were now directed against the United States on “a larger scale than we had seen before,” and ranked them among the main threats to the national security of the United States.

He became one of the first senior officials to speak openly about Volt Typhoon, the name of a Chinese hacking network that has planted code in critical infrastructure, raising alarms across the government. Intelligence officials believe the code was intended to send a message: that at any moment China could cut off power, water supplies or communications.

Some of the code has been found near US military bases that rely on civilian infrastructure to continue functioning, especially bases that would be involved in any rapid response to an attack on Taiwan.

“It’s the tip of the iceberg,” Wray concluded.

David E. Sanger and Chris Buckley contributed reports.