A version of this story appeared in the daily Threat Status newsletter from The Washington Times. Click here to receive Threat Status delivered directly to your inbox each weekday.
The revelations of a Chinese contractor’s hacking tools have astonished the world’s top cybersecurity experts, including the U.S. government’s most senior analysts at the National Security Agency.
A trove of documents, images and messages from the Chinese government-affiliated security contractor I-Soon suddenly appeared on the GitHub software development platform this month, offering what experts say is an unprecedented peek into the world of China’s hackers for hire.
NSA Cybersecurity Director Rob Joyce said the I-Soon disclosures have provided a new window into how China hacks. Security professionals continue combing the unprecedented leak of tools by the contractor linked to China’s security services.
“It showed you the scope and scale of China’s infrastructure that is enabled by their industry, not only providing infrastructure but actually running operations and stealing data,” Mr. Joyce told the Trellix Cybersecurity Summit on Tuesday. “That’s something we’ve known about, we’ve seen, but I think that large quantity of information out and available for deep analysis was eye-opening to some in the public sector.”
Cybersecurity professionals are poring over the disclosures to understand how China’s cyberespionage industry functions and how to thwart it.
SEE ALSO: U.S. launches investigation into Chinese-made ‘smart cars’ for national security threats
Security company SentinelOne said the I-Soon data dumped on GitHub is the most concrete evidence threat researchers have of the extent and advanced nature of China’s digital espionage efforts. The disclosures show exactly how the communist government’s targets for surveillance and infiltration are driving a market of hackers-for-hire contractors, said SentinelOne’s Dakota Cary and Aleksandar Milenkoski.
“I-Soon — whose employees complain about low pay and gamble over mahjong in the office — appears to be responsible for the compromise of at least 14 governments, pro-democracy organizations in Hong Kong, universities and NATO,” Mr. Cary and Mr. Milenkoski wrote on SentinelOne’s website.
The leaked data includes employees’ internal chats, business pitches and documentation of the company’s tools, products and processes, said cybersecurity researcher Marco Ramilli.
Mr. Ramilli said on his website that I-Soon looks to be connected to the cyberattacker group APT41, which the FBI has identified as Chinese hackers who also use the name Barium. The company is a security contractor for the Chinese Ministry of Public Security, the country’s leading intelligence force, and is registered in Chengdu, the capital city of the Chinese province of Sichuan.
The company is known as Anxun in China. Company officials have not confirmed that the leak of its data was genuine, but numerous Western experts say they appear to be real.
The trove of documents, emails and corporate literature, dozens of marketing documents, business documents and thousands of messages with clients of I-Soon conducted on the WeChat messaging site. Primary areas of interest for the company appeared to be a mix of domestic surveillance targets and regional governments such as Vietnam, Thailand, South Korea and India.
In 2022, the cybersecurity firm Mandiant said its investigation into APT41 found the hackers compromised at least six U.S. state government networks from May 2021 through February 2022.
Cybersecurity professionals are looking to better understand exactly what operations I-Soon conducted. A team at Trellix, a California-based cybersecurity firm, is among those scrutinizing every detail of the newly disclosed data.
Trellix threat intelligence head John Fokker, formerly a cybercrime investigator for the Dutch government, told The Washington Times that early indications underscore the reality that customers need to be especially vigilant working with contractors and understand their relationships with foreign governments.
“For me, it’s not really a surprise, but it’s more of a confirmation that we see that this is happening,” Mr. Fokker said. “It’s an interesting avenue. We have the same suspicions when we look at the Russian government.”
• This article is based in part on wire service reports.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.
Please read our comment policy before commenting.