Leaked Documents Expose China’s Hacking Capabilities, Targets

‘There is a war without gunpowder, and it is happening in cyberspace,’ an expert says.
Leaked Documents Expose China’s Hacking Capabilities, Targets
A hacker uses his computer in Dongguan, China's southern Guangdong Province, on Aug. 4, 2020. (Nicolas Asfouri/AFP via Getty Images)
Frank Fang

A massive cache of leaked documents from a Chinese hacking contractor further underscores the global cybersecurity threats posed by China’s communist regime, experts say.

The documents, which were posted on GitHub by unknown individuals on Feb. 16, include product manuals, marketing materials, employee lists, chat records, financial information, and details about foreign infiltration.
The Associated Press confirmed in a Feb. 21 report that the documents originated from China-based cybersecurity vendor I-S00n, known as Anxun in Mandarin, after speaking to two of the company’s employees.
Based on the documents, I-S00n boasts a product line that includes offensive cyber tools and spyware systems. Also included in the documents is a list of contracts that the company signed from July 2016 to June 2022, showing that most of its clients are China’s regional security bureaus. The revelation adds to what is known from the company’s website, which touts the CCP’s Ministry of Public Security as one of its partners.

“The I-S00n incident should once again remind everyone that network security is national security. There is a war without gunpowder, and it is happening in cyberspace,” tech expert Chiang Ya-chi told The Epoch Times on Feb. 21.

Ms. Chiang is the president of the Taiwan Law and Technology Association and a professor who specializes in internet technology and intellectual property law at National Taiwan Ocean University.

The leaked documents show that I-S00n is funded by the Chinese Communist Party (CCP), Ms. Chiang said, noting that Bejing uses tools developed by firms such as I-S00n to infiltrate foreign governments and entities.

A victim list is included in the leaked documents, showing that I-S00n has targeted telecommunications companies, hospitals, universities, organizations, and government entities from many countries. These nations include France, Egypt, India, Indonesia, Kazakhstan, Malaysia, Mongolia, Nepal, South Korea, Taiwan, Thailand, the Philippines, and Vietnam.
One document reveals that I-S00n charged more money for hacking into Vietnam’s Ministry of Economy than for hacking into two other Vietnamese government ministries.


Since the online dump last week, many researchers and experts have published their analysis of the documents written in simplified Chinese.
Malwarebytes, a California company that provides real-time cyber protection, published an analysis of the leaked data on Feb. 21, saying the documents “provide an inside look in the operations that go on in a leading spyware vendor and APT-for-hire.” APT refers to advanced persistent threat.

The analysis highlights some of the I-S00n products revealed by the documents, including what it calls a “Twitter stealer.”

“Features [of the Twitter stealer] include obtaining the user’s Twitter email and phone number, real-time monitoring, reading personal messages, and publishing tweets on the user’s behalf,” the analysis reads.

In one document page, I-S00n boasts that it had studied Twitter’s safety mechanism for years; thus, its product can allegedly bypass security features to target a Twitter user’s account.

The leaked documents also reveal the cost of the “Twitter stealer” product. A one-year usage of the product costs 700,000 yuan (about $97,000), and a three-year usage costs 1.5 million yuan (about $208,000).

The Malwarebytes analysis shows the following product description: “Custom Remote Access Trojans (RATs) for Windows x64/x86: Features include process/service/registry management, remote shell, keylogging, file access logging, obtaining system information, disconnecting remotely, and uninstallation.”

There are iOS and Android versions of the RATs. The iOS model claims to support all iOS device versions without jailbreaking, with features ranging from hardware information to GPS data, contacts, media files, and real-time audio records as an extension, according to the analysis.

I-S00n also has portable devices for “attacking networks from the inside,” it states.

According to the leaked documents, the portable devices come in two different sizes—a standard version that can be disguised as a cellphone battery, power strip, or power adapter and a mini version that can be disguised as a printed circuit board.

The user lookup databases, which include users’ phone numbers, names, and email addresses, can be correlated with social media accounts, according to the Malwarebytes analysis.

The CCP can potentially use the user lookup databases to track and locate dissidents in China. According to the leaked documents, databases have been built for different Chinese platforms, including Weibo, Baidu, and WeChat.


Su Tzu-yun, director at the Taiwan-based Institute for National Defense and Security Research, told The Epoch Times on Feb. 21 that the I-S00n documents are the latest evidence supporting claims by the United States and NATO that the Chinese regime is a threat to their cybersecurity.
In its strategic concept agreed upon in 2022, NATO stated that the regime’s “malicious hybrid and cyber operations and its confrontational rhetoric and disinformation target Allies and harm Alliance security.”
Earlier this month, the Cybersecurity and Infrastructure Security Agency issued a warning that the CCP is pre-positioning malware in the U.S. systems in preparation for a conflict. The warning came just days after FBI Director Christopher Wray told lawmakers that a multiagency operation had dismantled “Volt Typhoon,” a major state-sponsored hacking group based in China, which began targeting a wide range of networks across U.S. critical infrastructure in 2021.
Last year, Mr. Wray warned that Chinese hackers outnumber U.S. cyber specialists by at least 50 to one.
Some researchers have suggested that I-S00n could have ties to APT41, a Chinese state-sponsored hacking group, based on their analysis of the leaked documents.
In 2020, five Chinese nationals from APT41 were indicted on charges relating to hacking campaigns to steal trade secrets and sensitive information from more than 100 companies and entities worldwide. The five individuals are currently on the FBI’s wanted list.
Cybersecurity firm Mandiant stated in a 2022 report that APT41 had exploited vulnerabilities in the online systems of at least six U.S. state governments to gain access to those networks.
“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” California-based cybersecurity company SentinelLabs said in its analysis of I-S00n’s leaked data published on Feb. 21.

“It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”

Chung Yuan contributed to this report. 
Frank Fang is a Taiwan-based journalist. He covers U.S., China, and Taiwan news. He holds a master's degree in materials science from Tsinghua University in Taiwan.
Related Topics