Purported leaks show global reach of China-sponsored hacking
A HUGE trove of documents on GitHub appeared to outline in extraordinary detail the scope of China’s state-sponsored cyberattacks on foreign governments, transfixing the global security community.
Hundreds of internal files attributed to the Shanghai-based cybersecurity vendor I-Soon, which works with Chinese government clients, were posted to the developers’ community owned by Microsoft Corp. this week. The documents, which industry experts believe to be authentic, appeared to reveal successful attacks on a series of high-value government targets in 2021 and 2022 from the UK foreign office to the Royal Thai Army and even NATO Secretary General Jens Stoltenberg, according to a review by Bloomberg News. Offices for the alleged targets didn’t immediately respond to requests for comment.
Washington and Beijing have accused each other for years of cyber-espionage, including the use of state-sponsored actors to infiltrate sensitive databases. If genuine, the documents underscore the incredible diversity of targets as well as the commercial transactions that help fuel such cyber-activity behind the scenes.
“We have every reason to believe this is the authentic data of a contractor supporting global and domestic cyber-espionage operations out of China,” said John Hultquist, chief analyst at Mandiant Intelligence, a unit of Google Cloud. “We rarely get such unfettered access to the inner workings of any intelligence operation.”
The origins of the files are unclear, and Bloomberg News couldn’t independently verify their authenticity. Experts who have studied the documents highlight communications from the vendor — officially known as Shanghai Anxun Information Technology Co. — about selling stolen data to clients including the Ministry of Public Security and the Chinese military. This included data apparently obtained from Western governments such as the UK and Australia, as well as China-friendly countries like Pakistan.
Also notable were documents claiming the company could breach accounts and devices from US tech companies from Microsoft Corp. to Apple Inc. and Alphabet Inc.’s Google. I-Soon, Apple and Microsoft representatives didn’t respond to requests for comment. The Ministry of Public Security didn’t respond to a faxed request for comment.
Google said that the documents did not mention specific vulnerabilities in its software and instead described malware techniques that are familiar to its security teams.
China Foreign Ministry spokeswoman Mao Ning said she wasn’t familiar with the matter when asked about it Thursday at a regular press briefing in Beijing. “In principle, China firmly opposes and cracks down on all forms of cyberattacks in accordance with law,” she added.
Security researchers say the documents offer a rare glimpse into the ecosystem of contractors that perform cyberattacks for the Chinese government. I-Soon, founded in 2010, has touted its contributions to national cybersecurity defenses, including posting an appreciation letter from the Communist Party’s branch in Chengdu, Sichuan, on social media.
“It is a very curated leak, which looks like a reprisal type job from someone out to get the victim in trouble with authorities around the world,” said David Robinson, co-founder of the Australian cybersecurity company Internet 2.0. “It makes a difficult situation for China’s central government on what to do about it.”
To be sure, there was little hyper-sensitive or potentially dangerous information contained in the documents, experts said. But it seemed to be the first major one from this type of Chinese cyber vendor, which in itself is significant and potentially embarrassing for Beijing, said Dakota Cary, a China-focused consultant at the US cybersecurity company SentinelOne.
“The Chinese government is quite concerned about global public opinion regarding attacking and they very clearly have a media strategy to promote narratives that China is the victim of Western hacking,” he said. “It’s not a Snowden moment, but it’s really going to be an issue internally — there is now leaked public data that other countries, including the US, can reference.” – Bloomberg