A massive leak of documents from a Chinese tech firm has revealed how the government in Beijing allegedly uses the company to conduct extensive hacking campaigns against targets around the world. The documents, which were posted online anonymously last weekend, include chat logs, employee records, and client contracts of the firm I-Soon. The data shows that the company has hacked into political groups, hospitals, universities, and governments, on behalf of China’s police, intelligence, and military agencies.
The leaked data, which covers the period from 2016 to 2022, provides some of the clearest public evidence of how China’s powerful security agencies outsource hacking operations to tech firms, according to private experts and US officials who spoke to CNN. The data shows that I-Soon has hacked into hundreds of targets in more than 20 countries, including:
- Tibetan exile-run political groups, such as the Central Tibetan Administration and the Tibetan Youth Congress, which advocate for the autonomy and human rights of Tibetans in China.
- Hospitals in Taiwan and India, such as the Taipei Veterans General Hospital and the Apollo Hospitals, which are involved in the treatment of and research into Covid-19 and other diseases.
- Universities in Hong Kong, such as the University of Hong Kong and the Hong Kong Baptist University, which witnessed the mass pro-democracy protests of 2019 and the subsequent crackdown by the Chinese authorities.
- Governments in Asia, Europe, Africa, and Latin America, such as Japan, Germany, Kenya, and Brazil, which have diplomatic, economic, or strategic relations with China.
The data also shows that I-Soon has used a variety of techniques and tools to hack into the targets, such as:
- Phishing emails, which are designed to trick the recipients into clicking on malicious links or attachments that install malware or steal credentials.
- Zero-day exploits, which take advantage of vulnerabilities in software or hardware that are unknown to the developers or the users, and that can be used to gain access to or control of the systems.
- Web shells, which are malicious scripts or code uploaded to a web server, and which can be used to execute commands or access data remotely.
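The web shell technique listed above has a defender-side counterpart: once a script has been planted on a server, every command sent to it still passes through the web server's access log. The following example is added here as an illustration and is not from the article, from CNN, or from the leaked I-Soon documents. It parses constructed access-log lines in the common "combined" format and flags client/path pairs that trip several web-shell indicators at once (a script file living in an upload directory, shell-like query parameters such as cmd, POST requests with no referer, and a scripted user agent). The sample log lines, the indicator lists, and the scoring threshold are all assumptions chosen for this example; a real deployment would tune them to the site.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" log format. They are
# made up for this example and are not taken from the leaked documents.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2024:09:12:05 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2024:09:15:30 +0000] "POST /uploads/avatar.php?cmd=whoami HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.23 - - [10/Feb/2024:09:15:41 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.23 - - [10/Feb/2024:09:16:02 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 4410 "-" "python-requests/2.31"
192.0.2.44 - - [10/Feb/2024:09:20:11 +0000] "GET /about.html HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
"""

# One regex for the combined log format: client IP, timestamp, request line,
# status, response size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator lists (assumed for this example, not from the article):
# server-side script extensions, directories that should only hold static
# uploads, parameter names typical of command shells, and non-browser clients.
SCRIPT_EXT = ('.php', '.asp', '.aspx', '.jsp', '.jspx')
UPLOAD_DIRS = ('/uploads/', '/upload/', '/media/', '/files/', '/images/', '/tmp/')
SHELL_PARAMS = {'cmd', 'command', 'exec', 'execute', 'shell', 'pass', 'c'}
SCRIPTED_UA = ('python-requests', 'curl/', 'wget/', 'go-http-client')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(rec):
    """Return the names of the indicators that fire for one parsed request."""
    reasons = []
    parts = urlsplit(rec['target'])
    path = parts.path.lower()
    # A server-side script sitting where only uploaded files should live.
    if path.endswith(SCRIPT_EXT) and path.startswith(UPLOAD_DIRS):
        reasons.append('script_in_upload_dir')
    # Query parameters whose names suggest command execution.
    if set(parse_qs(parts.query)) & SHELL_PARAMS:
        reasons.append('shell_like_parameter')
    # Browsers submitting forms normally send a referer; shell clients rarely do.
    if rec['method'] == 'POST' and path.endswith(SCRIPT_EXT) and rec['referer'] == '-':
        reasons.append('post_without_referer')
    if rec['ua'].lower().startswith(SCRIPTED_UA):
        reasons.append('scripted_user_agent')
    return reasons


def find_webshell_candidates(log_text, min_score=2):
    """Group indicator hits per (client IP, script path) and report pairs that
    trip at least min_score distinct indicators across their requests."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = score_request(rec)
        if reasons:
            key = (rec['ip'], urlsplit(rec['target']).path)
            hits[key].update(reasons)
            hits[key]['requests'] += 1
    findings = []
    for (ip, path), counts in hits.items():
        distinct = [r for r in counts if r != 'requests']
        if len(distinct) >= min_score:
            findings.append({'ip': ip, 'path': path,
                             'requests': counts['requests'],
                             'indicators': sorted(distinct)})
    return findings


if __name__ == '__main__':
    for finding in find_webshell_candidates(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the ordinary browsing from the first and last clients produces no indicators, while the three POSTs to `/uploads/avatar.php` from one client are reported as a single finding carrying four distinct indicators. Grouping by client and path rather than alerting per line is deliberate: a web shell is typically exercised in bursts from one source, and the combination of indicators is far more telling than any one of them alone.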
The reaction and the response of the US
The leak of the data has caught the attention of US officials, who have been combing through the documents for clues on how China conducts its hacking campaigns, and how to counter them. The Biden administration’s study of the leak is ongoing, but multiple US cybersecurity officials familiar with the matter told CNN that the data could help them to:
- Identify and attribute China’s hacking activities, and expose and sanction the actors and entities involved.
- Protect and defend the US and its allies from Chinese hacking threats, and enhance cybersecurity cooperation and coordination among partners.
- Deter and disrupt China’s hacking operations, and impose costs and consequences for the malicious behavior.
The leak of the data comes amid unprecedented tensions in US-China relations in cyberspace, and appears to contradict Beijing’s repeated denials that it sponsors cyberattacks. The US has accused China of being behind some of the most damaging and sophisticated cyberattacks in recent years, such as:
- The SolarWinds hack, which compromised the networks of several US government agencies and private companies, and which the US attributed to Russia and China.
- The Microsoft Exchange hack, which exploited a vulnerability in the email software and affected tens of thousands of organizations worldwide, and which the US blamed on China and its proxies.
- The Colonial Pipeline hack, which disrupted the supply of fuel to the US East Coast, and which the US linked to a ransomware group based in China.
China has strongly denied the allegations, and has in turn accused the US of conducting its own cyberattacks and espionage against China and other countries.
The denial and the defense of China and I-Soon
China and I-Soon have both denied any involvement in the hacking activities exposed by the leaked data, and have questioned the authenticity and the credibility of the documents. The Chinese Embassy in Washington, DC, said in a statement that:
- The claim that “the Chinese authorities surveil dissidents overseas” is completely fabricated, and that China is a major victim of cyberattacks, and keeps a firm stance against all forms of cyberattacks and resorts to lawful methods in tackling them.
- China does not encourage, support, or condone attacks launched by hackers, and that the allegation that China uses tech firms to outsource hacking operations is baseless and groundless, and that China respects and protects the legitimate rights and interests of foreign enterprises in China.
Wu Haibo, the CEO of I-Soon, a privately owned and Shanghai-based tech firm, did not respond to multiple requests for comment from CNN. However, he told the South China Morning Post, a Hong Kong-based newspaper, that:
- The leaked data is fake and fabricated, and that I-Soon is a legitimate and law-abiding company that provides cybersecurity services and solutions to its clients, and that it has never engaged in any hacking activities or violated any laws or regulations.
- The leak is a smear campaign and a cyberattack against I-Soon, and that the company has reported the incident to the relevant authorities, and that it will take legal action to protect its reputation and interests.
The leak of the data has sparked a heated debate among cybersecurity experts, media outlets, and the public, who differ on the veracity and the significance of the documents. Some have praised the leak as a rare and valuable insight into the inner workings of China’s hacking operations, while others have criticized it as a dubious attempt to discredit China and its tech industry.