Chinese police are investigating a large data leak from a private security contractor with apparent ties to Chinese state security. The data, which came from the contractor I-Soon and was uploaded to the code-hosting platform GitHub, offers a rare view into the day-to-day workings of a state-linked hacking-for-hire operation with targets around the world.
This is not the first time GitHub has been used to facilitate cybercrime. In January of this year, researchers reported that many threat actors were abusing GitHub's file- and code-hosting features to stage malicious payloads on a trusted domain, so that downloads blended in with legitimate traffic and were less likely to be blocked. The same actors also used GitHub-hosted content to redirect victims to phishing sites.
In addition to documenting hacking operations and some of the tools the company used, the leaked documents give an insider's view of its targets. These include at least fourteen foreign government bodies and institutions and, unsurprisingly, Hong Kong-based organizations. It should be stressed that the authenticity of the documents has not been independently verified, although most of the material is consistent with threat activity previously attributed to actors in the PRC.
I-Soon, also known as Shanghai Anxun Information Company, was founded in Shanghai in 2010 and has multiple offices across China. The company's website, now offline, advertised a range of cybersecurity services, many of which are described in detail in the roughly 190 megabyte dump. Its client list named Chinese regional security bureaus and public security departments, as well as the Ministry of Public Security.
The leaked material consists of documents, screenshots, and private chat logs. It also contains more mundane details, such as complaints about the company's low pay and employees' gambling habits. One of the more notable aspects of this leak is that AI-assisted translation has made the data accessible to far more analysts than before. The barrier to entry is now much lower, so people other than experienced Sinologists can examine the material quickly. For example, we were able to use ChatGPT's vision capability to OCR and translate some of the document images in seconds, a task that previously would have taken considerably longer. The caveat is that machine translation of informal chat logs can lose nuance, so conclusions drawn from it should be checked against the original text where it matters.
The uploads began in mid-February, when hundreds of WeChat messages and marketing documents appeared on GitHub. Among them are numerous sales presentations showcasing the company's hacking capabilities and the vulnerabilities it claims to have exploited. According to sources, the material explicitly names terrorism-related targets the company says it has previously compromised, including targets in Pakistan and Afghanistan. The leaked documents reportedly also list the fees charged for some of these operations; according to one source, the company received $55,000 for collecting data from a foreign country's Ministry of Economy.
There are currently few clues as to the leakers' identities, or even their motives, but it appears that a Taiwanese analyst spotted the trove on GitHub and quickly publicized it on social media. An unidentified I-Soon employee told the Associated Press that an internal investigation is underway and that staff were instructed to "continue working as normal" while it proceeds.
While not groundbreaking in terms of raw technical information, this leak gives the world a rare and personal glimpse of life on the front lines of the murky global espionage industry. Much of it, it turns out, is probably less James Bond than office parties and petty employee feuds.