
The hackers offered a range of services, at varying prices.
A local government in southwest China paid less than $15,000 for access to the private website of Vietnam’s traffic police. Software that made it possible to run disinformation campaigns and hack accounts on X cost $100,000. For $278,000, Chinese customers could get a trove of the personal information behind social media accounts on platforms like Telegram and Facebook.
The deals, detailed in leaked documents, were among the hacking tools and data caches sold by a Chinese security company called I-Soon, one of hundreds of enterprising companies supporting aggressive hacking efforts sponsored by the Chinese state. This work is part of a campaign to break into the websites of foreign governments and telecommunications companies.
The documents, which were posted on a public website last week, revealed an eight-year effort to target databases and intercept communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia. The files also showed a campaign to closely monitor the activities of China’s ethnic minorities and of online gaming companies.
The data included records of apparent correspondence between employees, target lists and material showing cyberattack tools. Three cybersecurity experts interviewed by The New York Times said the documents appeared authentic.
Taken together, the files offer a rare glimpse into the secretive world of Chinese state-backed hackers. They illustrated how Chinese law enforcement and its main spy agency, the Ministry of State Security, have reached beyond their own ranks to exploit private sector talent in a hacking campaign that U.S. officials say targeted U.S. companies and government agencies.
“We have every reason to believe that this is authentic data from a contractor supporting international and domestic cyberespionage operations from China,” said John Hultquist, chief analyst at Google’s Mandiant Intelligence.
Mr. Hultquist said the leak revealed that I-Soon worked for a number of Chinese government entities that sponsor hacking, including the Ministry of State Security, the People’s Liberation Army and China’s national police. Sometimes the company’s employees focused on foreign targets. In other cases, they helped China’s feared Ministry of Public Security monitor Chinese citizens at home and abroad.
“They are part of an ecosystem of contractors linked to the Chinese patriotic hacking scene, which developed two decades ago and has since become legitimate,” he added, referring to the emergence of nationalist hackers who have become a sort of cottage industry.
I-Soon did not respond to emailed questions about the leak.
These revelations underscore the extent to which China has ignored, or evaded, U.S. and other efforts over more than a decade to curb its vast hacking operations. They come as U.S. officials warn that the country has not only redoubled its efforts but has also moved beyond simple espionage to planting malicious code in U.S. critical infrastructure, perhaps in preparation for the day a conflict breaks out over Taiwan.
The Chinese government’s use of private contractors to hack on its behalf is modeled on the tactics of Iran and Russia, which for years have turned to nongovernmental entities to attack commercial and official targets. Although the dispersed approach to state espionage may prove more effective, it also proves harder to control. Some Chinese contractors have used malware to extort ransoms from private companies, even while working for China’s spy agency.
The shift was driven in part by a decision by China’s top leader, Xi Jinping, to elevate the role of the Ministry of State Security and engage it in more hacking activities, which had previously fallen primarily under the jurisdiction of the People’s Liberation Army. While the Ministry of State Security emphasizes absolute loyalty to Mr. Xi and the Communist Party regime, its hacking and espionage operations are often initiated and controlled by provincial-level state security bureaus.
These bureaus in turn sometimes outsource hacking operations to commercially oriented groups, a recipe for sometimes cavalier, even sloppy, espionage activities that disregard Beijing’s diplomatic priorities and can antagonize foreign governments with their tactics.
Parts of the Chinese government still engage in sophisticated hacking, for example by trying to insert code into America’s critical infrastructure. But the overall number of hacks originating from China has increased, and the targets are more varied, including information about Ebola vaccines and driverless car technology.
This has fueled a new industry of contractors like I-Soon. Although part of China’s cyberespionage world, the Shanghai-based company, which also has offices in Chengdu, embodies the amateurism exhibited by many relatively new Chinese hacking contractors. The documents showed that the company was sometimes unsure whether the services and data it sold were still available. For example, it noted internally that software intended to spread disinformation on X was “under maintenance,” despite its $100,000 price tag.
The leak also depicted the daily hustle and struggle of hacking contractors in China. Like many of its competitors, I-Soon held cybersecurity competitions to find new recruits. Instead of selling to a centralized government agency, a spreadsheet shows, I-Soon had to court Chinese police and other agencies on a city-by-city basis. This meant advertising and marketing its products. In a letter to local authorities in western China, the company boasted that it could contribute to the fight against terrorism because it had hacked into Pakistan’s counterterrorism unit.
Materials included in the leak promoting I-Soon’s hacking techniques described technologies designed to break into Outlook email accounts and to obtain information such as contact lists and location data from Apple iPhones. One document appeared to contain extensive flight records from a Vietnamese airline, including travelers’ ID numbers, occupations and destinations.
Vietnam’s Foreign Ministry did not immediately respond to an emailed request for comment.
At the same time, I-Soon said it had developed technology to meet domestic demand from Chinese police, including software that can monitor public opinion on social media in China. Another tool, designed to target accounts on X, could extract email addresses, phone numbers and other identifying information linked to user accounts and, in some cases, help hack those accounts.
In recent years, Chinese law enforcement has tracked down activists and government critics who posted to X from anonymous accounts in China and abroad. Often, it then used threats to force those X users to delete posts that the authorities deemed too critical or inappropriate.
Mao Ning, a spokesperson for China’s Foreign Ministry, said at a news conference on Thursday that she was not aware of any data leak from I-Soon. “As a matter of principle, China firmly opposes and suppresses all forms of cyberattacks in accordance with law,” Mao said.
X did not respond to a request for comment. A spokesperson said the South Korean government would not comment.
Even though the leak involved just one of many Chinese hacking contractors, experts said the enormous amount of data could help agencies and companies working to defend against Chinese attacks.
“This is the largest data breach linked to a company suspected of providing cyberespionage and targeted intrusion services to Chinese security services,” said Jonathan Condra, director of strategic and persistent threats at Recorded Future, a cybersecurity company.
Among the hacked data was a large database of the road network of Taiwan, an island democracy that China has long claimed and threatened with invasion. The 459 gigabytes of maps date from 2021 and show how companies like I-Soon collect information that can be militarily useful, experts say. The Chinese government has itself long considered Chinese driving data to be sensitive and sets strict limits on who can collect it.
“Determining road terrain is crucial for planning armor and infantry movements around the island to occupy population centers and military bases,” said cybersecurity expert Dmitri Alperovitch.
Other information included internal email services or intranet access for several Southeast Asian government ministries, including Malaysia’s foreign and defense ministries and Thailand’s national intelligence agency. Immigration data from India, which covered flight and visa details of domestic and foreign passengers, was also up for grabs, records show.
In other cases, I-Soon claimed to have access to data from private companies, including telecommunications firms in Kazakhstan, Mongolia, Myanmar, Vietnam and Hong Kong.
The revelations about the Chinese attacks are likely to confirm the fears of policymakers in Washington, where officials have repeatedly issued dire warnings about such hacks. Last weekend in Munich, Federal Bureau of Investigation Director Christopher A. Wray said hacking operations from China were now being directed against the United States on “a larger scale than we have seen before,” and listed them among the major threats to U.S. national security.
He became one of the first senior officials to speak openly about Volt Typhoon, the name given to a Chinese hacking network that placed code in critical infrastructure, causing alarm within the government. Intelligence officials believe the code was intended to send a message: At any time, China could disrupt supplies of electricity, water or communications.
Some of the code was found near U.S. military bases that rely on civilian infrastructure to continue operating — particularly bases that would be involved in any rapid response to an attack on Taiwan.
“This is the tip of the iceberg,” Mr. Wray concluded.
David E. Sanger and Chris Buckley contributed reporting.