US officials have been scouring a trove of newly leaked documents from a Chinese tech firm for clues on how the government in Beijing allegedly uses the company in extensive hacking campaigns, multiple US cybersecurity officials familiar with the matter told CNN.
The Biden administration’s study of the leak is ongoing, but private experts told CNN it offers some of the clearest public evidence yet of how they believe China’s powerful security agencies outsource hacking operations to tech firms to target victims around the world.
The documents, posted anonymously online last weekend for anyone to access, include screenshots of chat logs, as well as records of employees and Chinese government clients of the tech firm I-Soon. The company’s hacking victims range from Tibetan exile-run political groups and hospitals in Taiwan and India to Hong Kong’s universities following the city’s mass pro-democracy protests in 2019, according to the leaked data. More than a dozen foreign governments, mostly in Asia, are listed as targets.
I-Soon’s clients include China’s police, intelligence service and military, according to a spreadsheet listing 183 contracts signed between 2016 and 2022 by I-Soon’s subsidiary in the southwestern province of Sichuan.
“This is some of the best visibility we’ve had into Chinese hacking operations outside of a government SCIF,” said Adam Kozy, who used to track Chinese hackers for the FBI, using an acronym for classified facilities.
“I’m not aware of the specifics you mentioned. In principle, I want to emphasize that China firmly opposes the unwarranted denigration and smearing against China,” Liu Pengyu, spokesperson for the Chinese Embassy in Washington, DC, said in an emailed statement when asked for comment.
“The so-called claim that ‘the Chinese authorities surveil dissidents overseas’ is completely fabricated,” Liu’s statement continued. “China is a major victim of cyber attacks. We keep a firm stance against all forms of cyber attacks and resort to lawful methods in tackling them. China does not encourage, support or condone attacks launched by hackers.”
Wu Haibo, the CEO of privately owned and Shanghai-based I-Soon, did not respond to multiple requests for comment.
The leak comes amid unprecedented tensions in US-China relations in cyberspace and appears to fly in the face of Beijing’s repeated denials that it sponsors cyberattacks.
FBI Director Christopher Wray and other top US officials warned Congress last month that another set of Chinese hackers unrelated to I-Soon have infiltrated critical US infrastructure and could use that access to disrupt any US military response to a potential Chinese invasion of Taiwan.
Beijing has strongly denied the allegations and in turn accuses the US of conducting its own cyberattacks.
“The Chinese government is really trying to change this narrative that China hacks other countries,” Dakota Cary, a consultant at security firm SentinelOne who focuses on China, told CNN. “So I think [the leaks will] really upset them.”
GitHub, the popular software developer platform where the leaked data appeared, took the documents down late Thursday, saying the data was a “violation of GitHub’s terms of service.”
‘Praise’ from Chinese officials
I-Soon allegedly focused on cyber-espionage, including against governments across Asia, according to a CNN review of the data and interviews with private experts.
Telecom companies also featured heavily in the list. Hundreds of gigabytes of call logs and user data were hacked from operators in countries including South Korea, Kazakhstan and Afghanistan.
In a leaked marketing presentation, I-Soon touted its participation in an unspecified hacking project for China’s Ministry of Public Security in 2018. The project “achieved significant results” and received “recognition and praise” from Chinese officials, according to a presentation slide.
The leak also shows how its business of scooping up intelligence for Chinese security services is thriving years after some Wu associates were indicted by the US Justice Department and added to the FBI’s “Cyber Most Wanted List” for a worldwide hacking spree that targeted more than 100 companies around the world.
In September 2020, according to the leaked chat logs, Wu shared a news article describing the additions to the FBI’s “Cyber Most Wanted List.” Four of those people were in the same WeChat group with Wu, according to the leaks. The executive responded suggesting they celebrate being “verified by the FBI.”
Chinese court documents show that I-Soon later developed business relations with the FBI-wanted hacking group.
In sharp contrast to the private boasting from I-Soon, the Chinese government has gone to great lengths to hide its alleged affiliation with hacking operations carried out on behalf of Beijing, according to private cybersecurity executives who have tracked the activity for years.
After the Obama administration secured an agreement in 2015 from Chinese leader Xi Jinping that Beijing would not “conduct or knowingly support cyber-enabled theft of intellectual property,” the Chinese government has increasingly tapped contractors like I-Soon to give an element of plausible deniability to its hacking operations, Adam Meyers, a senior vice president at US cybersecurity firm CrowdStrike, told CNN.
The reorganization of the Chinese military in recent years, and the need to cover the tracks of its hackers, Meyers said, has prompted the Chinese government to “lean more heavily on these companies for direct involvement in offensive operations.”