Feb 27, 2024 - Technology

Leaked documents detail inner-workings of China's vast hacking operations

Illustration: Gabriella Turrisi/Axios

A trove of leaked documents is providing government officials and security researchers a rare public glimpse inside I-Soon, a private China-based offensive cybersecurity company.

Why it matters: The documents — which were posted and removed from GitHub last week — provide details about whom I-Soon has targeted, which Chinese government agencies it has worked with, and conversations between executives and employees about financial hardships.

The big picture: It's long been known that China had outsourced some of its hacking operations to private companies, just like other world powers.

  • But many of the details about how China's hacking program works have been kept top secret.

What's inside: An Axios review of the documents — translated into English by security researcher Michael Taggart — found a detailed list of the victims I-Soon is believed to have targeted and whom it worked with.

  • I-Soon targeted government agencies in Taiwan, Malaysia, Kazakhstan, South Korea, Thailand and several other countries at the request of its customers.
  • The company advertised that it worked with China's Ministry of Public Security, and internal conversations show it worked with some of Beijing's own hacking teams, as well as the Ministry of State Security.

Zoom in: The leaked documents include a product manual from 2020 that details the specific hacking tools that I-Soon either used itself in operations or sold to customers.

  • According to the manual, I-Soon offers tools that the company says allowed hackers to remotely control and surveil Apple, Android, Windows and Linux systems — as well as tools that let hackers encrypt and exfiltrate data from hacked devices.
  • Other tools allow hackers to track someone's precise location, take screenshots of their desktops, and intercept text messages before a victim notices.
  • The documents also offer tools they claim let hackers crack victims' passwords and bypass two-factor authentication.

Yes, but: Researchers are still working to determine the legitimacy of the documents, although many suspect that the level of detail and types of documents shared mean they're real.

  • I-Soon's website has gone offline, and the company has not publicly said anything regarding the leaks.

Catch up quick: U.S. government agencies have increasingly disclosed details about China's vast hacking prowess and the threats it poses in recent months.

  • This month, government agencies released an advisory detailing how Chinese government hackers have gained and maintained access to U.S. critical infrastructure for years.
  • Top officials warned Congress last month that China has also shown a persistent willingness to maintain that access to American infrastructure.

Between the lines: I-Soon's stock of stolen documents shows that it's also been helping the Chinese government spy on Taiwan ahead of a potential invasion.

  • One spreadsheet shows that I-Soon hacked National Taiwan University's applied mechanics program and hospital.
  • Another indicates that I-Soon has hundreds of gigabytes of data about Taiwan's road maps and Taiwanese telecommunications and cloud providers.

The intrigue: The leaked screenshots of text conversations and emails detail not only what kinds of strategic operations China is pursuing, but also the internal strife that the offensive cyber firm has been facing.

  • In one text conversation from 2022, an apparent I-Soon employee shares that they had not received a raise in three years and were now looking for a new job.
  • An employee also said in a text that "everyone else is looking at opportunities" to leave the company in 2021.

What we're watching: Chinese authorities are actively investigating the leak, according to the Associated Press.

  • It also remains unclear who leaked the documents and for what reason.