Earlier this month, we looked at the way that Chinese hackers infiltrate critical infrastructures in the U.S. They can preposition code to disable systems such as clean water supply and electrical power grid on command. Because current targets are, among other things, near military bases, intelligence agencies believe that the hacks anticipate a conflict in the South China Sea over Taiwan.

Since 2010, China has scaled up cyberespionage and cybertheft to such an extent that at a recent meeting, FBI Chief Christopher Wray said that China’s state-backed hackers outnumber U.S. cyber intelligence personnel 50-to-1.

Cracks in the hackers’ loyalty?

At first, the hackers seem like a daunting challenge. But a recent trove of leaked documents shows that China’s hacking community is not as monolithic and organized as it appears. The Chinese Communist Party likes to boast of its technological prowess — including world-class “patriotic hackers.” But behind the scenes lie sloppy security practices, disgruntled employees, and top-down corruption.

The leak, likely from a disgruntled employee of Chinese cybersecurity company I-Soon (called Anxun in China), provides one of the most extensive behind-the-scenes look at China’s hacking ecosystem. That includes the cutthroat competition between private cybersecurity and hacker-for-hire firms to gain government contracts. According to Infosecurity Magazine, the leak appeared on the open-sourced programmers’ development tool GitHub, beginning on February 16. A Taiwanese analyst found the documents there and posted them on X (formerly Twitter) on February 18. The documents were taken down on February 23, but not before several cybersecurity analysts had accessed the information.

The magazine reports that 577 files were found, containing 170 MB of data, with some dated as recently as 2022. The trove included everything from employee chat logs to marketing presentations, and included stolen victim data and call logs. The Associated Press was able to confirm with two I-Soon employees that the documents are legitimate.

I-Soon’s targets revealed

Among the targets in I-Soon’s portfolio are several government telecommunications operators in Central and Southeast Asia, as well as government logins and city traffic data in Hong Kong, Taiwan, and Xinjiang. I-Soon has also hacked online gambling and gaming operators within China.

More significantly, the company had been commissioned by the Chinese government to hack into social media accounts of overseas Chinese (the Chinese diaspora). AP reports, “I-Soon’s tools appear to be used by Chinese police to curb dissent on overseas social media and flood them with pro-Beijing content.”

The major government contractors are the Ministry of Public Security (police) and to a lesser extent the Ministry of State Security (intelligence). Analysts say that makes sense because the police do not have the cyberespionage resources that the Ministry of State Security has. Local police bureaus have also contracted I-Soon, including some in Xinjiang, for services that include surveilling cell phones in areas with a large Muslim Uyghur population.

A corrupt business from the top down

I-Soon was founded in Shanghai in 2010 by Wu Haibo, who was involved in China’s patriotic hacker group known as the “green army” in the 1990s. Today there’s an I-Soon office in Chengdu, where several other commercial cybersecurity and tech companies have also congregated. I-Soon has been connected to hacking activities dating back to 2012, including a group called Chengdu 404, which is associated with the APT41 group. In 2020, three hackers associated with APT41 were indicted for cybertheft by the U.S. State Department.

Both I-Soon and Chengdu 404 were registered in Chengdu in 2015. Notably, that’s the same year that Xi Jinping and President Obama signed an agreement that China would no longer engage in cybertheft. Beijing then turned to commercial and private businesses to conduct cyberespionage and cybertheft.

The Wire China and Associated Press reported on how the I-Soon documents shed light on the corrupt business practices inherent in the Chinese hacker ecosystem. The Wire China, which focuses on business news in China, said that one of the largest investors in the hackers-for-hire arm of I-Soon is also one of China’s largest cybersecurity agencies, QiAnXin Technology Group, whose clients include large companies and the Chinese government. QiAnXin, a spinoff of Quihoo360, was a sponsor and service provider for the 2022 Beijing Olympics.

The Wire China talked to Dakota Cary with SentinelOne, who said that in most countries it would be unusual for a cybersecurity firm, whose job is to protect clients, to also invest in an illegal hacking:

“Western cybersecurity firms do offensive hacking against their clients to improve their security, so it’s not outlandish to see offensive and defensive capabilities end up in the same place,” he says. “But to see [a cybersecurity firm] doing operations on behalf of the state is quite unique.”

Eliot Chen, “Hacking the Hackers” The Wire China, March 3, 2024

The Chinese government as the number one customer

Recorded Future notes that these documents show how “incestuous and fluid” the community of information security companies is, with companies in China subcontracting to other companies and third parties facilitating agreements. Besides helping each other out, they also compete for government contracts. For example, the I-Soon documents included Power Point marketing presentations exhibiting how the group infiltrated several Asian government entities and “anti-terrorism” services including hacking examples from Muslim-majority countries. The Chinese government describes its heavy-handed surveillance in Xinjiang and singling out Uyghurs as “anti-terrorism.”

In the chat files, employees discussed exaggerating their capabilities to government officials who do not have the technical expertise to know better. They also complained about money and landing government clients. The AP report shows that the priority is “currying favor rather than delivering a good product” with government officials and that ideological loyalty is more important than competence.

One outcome has been an exodus of talent from China’s tech industry because of CCP’s restrictive rules and takeover of private tech businesses, along with a flagging economy that has resulted in lower pay. Predictably, some of the employee chat records are complaints about their pay, including quips that “the government has no money” and they could find jobs elsewhere.

Perhaps they’d be wise to.