Exclusive Look into China's Massive International Hacking Efforts Revealed by Data Leak from State-Backed Hacker Firm iSoon

Chengdu, Sichuan Province, China
China's state-backed hacking group has been exploiting vulnerabilities in software systems from companies including Microsoft, Apple, and Google to carry out large-scale cyber intrusions against foreign governments, companies, and infrastructure.
The leaked documents reveal that China's intelligence and military groups are behind these hacking efforts. The targets include India, Hong Kong, Thailand, South Korea among others.

A massive data leak from a Chinese state-backed hacking group has provided an unprecedented look into the vast international hacking efforts carried out by Beijing's intelligence and military groups. The leaked documents, which have been deemed credible by cybersecurity experts, reveal that China has been exploiting vulnerabilities in software systems from companies including Microsoft, Apple, and Google to carry out large-scale cyber intrusions against foreign governments, companies, and infrastructure.

The data leak comes from iSoon or Auxun, a Chinese firm headquartered in Shanghai that sells third-party hacking and data-gathering services. The leaked cache contains over 570 files, images, and chat logs offering an unprecedented look inside the operations of one of the firms that Chinese government agencies hire for on-demand, mass data-collecting operations.

The documents detail contracts to extract foreign data over eight years and target at least 20 foreign governments and territories. The targets include India, Hong Kong, Thailand, South Korea, the United Kingdom, Taiwan, and Malaysia, among others. China's intelligence and military groups are believed to be behind these hacking efforts.

The leaked files also reveal that iSoon offered a menu of services at various prices ranging from $15,000 for access to the private website of traffic police in Vietnam to $278,000 for software that helped run disinformation campaigns and hack accounts on X platform.

U.S. intelligence officials have long considered China as the greatest long-term threat to American security and have raised alarm about its targeted hacking campaigns against foreign governments, companies, and infrastructure.



Confidence

80%

Doubts
  • It is not clear if the leaked documents are authentic or have been tampered with.

Sources

69%

  • Unique Points
    • The I-Soon office building in Chengdu, China, on Tuesday. Credit: Dake Kang/Associated Press. Feb. 22, 2024, updated 5:58 a.m.
    • The hackers offered a menu of services at various prices.
  • Accuracy
    • I-Soon is a company that contracts for many PRC agencies, including the Ministry of Public Security, Ministry of State Security, and People's Liberation Army.
    • Victim data and targeting lists show a company that competes for low-value hacking contracts from many government agencies.
    • Employees complained about low pay and hoped to get jobs at other companies such as Qi An Xin.
  • Deception (50%)
    The article is deceptive in several ways. Firstly, the title implies that China's hackers for hire are a secret when they have been exposed by leaked files. Secondly, the author uses sensationalism to describe I-Soon as one of hundreds of enterprising companies supporting China's aggressive state-sponsored hacking efforts without providing any context or evidence to support this claim. Thirdly, the article quotes cybersecurity experts who say that the documents appear authentic but does not provide any information on how they verified their authenticity. Lastly, the author uses selective reporting by mentioning only a few examples of I-Soon's offerings without providing a comprehensive list or context.
    • The article states that China has increasingly turned to private companies in campaigns to hack foreign governments and control its domestic population. However, it does not provide any evidence or context for this claim.
  • Fallacies (80%)
    The article contains several examples of logical fallacies. The author uses an appeal to authority by citing the statements of cybersecurity experts as evidence for their claims about the authenticity of the leaked documents. This is a form of informal fallacy because it involves relying on external sources without providing any evidence or reasoning to support their own claims.
    • The hackers offered a menu of services, at a variety of prices.
  • Bias (85%)
    The article contains multiple examples of bias. Firstly, the author uses language that dehumanizes and demonizes China's hackers for hire by referring to them as a 'secretive world'. Secondly, the author implies that these hackers are only working on behalf of Chinese law enforcement and its premier spy agency when in fact they may be working for private companies. Thirdly, the article uses language that portrays these hackers as unethical and immoral by referring to their work as 'cyberespionage operations'. Lastly, the author implies that these hackers are only targeting foreign governments and telecommunications firms when in fact they may be targeting other countries' domestic populations. These examples of bias add up to a score of 85 out of 100.
    • The article uses language that dehumanizes and demonizes China's hackers for hire by referring to them as a 'secretive world'.
    • The article uses language that portrays these hackers as unethical and immoral by referring to their work as 'cyberespionage operations'.
    • The author implies that these hackers are only targeting foreign governments and telecommunications firms when in fact they may be targeting other countries' domestic populations.
    • The author implies that these hackers are only working on behalf of Chinese law enforcement and its premier spy agency when in fact they may be working for private companies.
  • Site Conflicts Of Interest (50%)
    The authors of the article have conflicts of interest on several topics related to China's hackers for hire. The I-Soon security firm is mentioned as selling services and data caches at prices ranging from $15,000 to $278,000. Additionally, the article mentions a local government in southwest China that paid $15,000 for access to a private website of traffic police in Vietnam. The authors also mention software that helped run disinformation campaigns and hack accounts on the X platform, which was sold for $100,
    • The authors mention software that helped run disinformation campaigns and hack accounts on the X platform, which was sold for $100,
    • The I-Soon security firm is mentioned as selling services and data caches at prices ranging from $15,000 to $278,000. The article also mentions a local government in southwest China that paid $15,000 for access to a private website of traffic police in Vietnam.
  • Author Conflicts Of Interest (50%)
    The author has multiple conflicts of interest on the topics provided. The article discusses private companies and state-sponsored hacking efforts, which could be seen as a potential financial or professional conflict for authors who work at a news organization that may have its own interests in these areas.
    • The article mentions the I-Soon security firm, which sells services and data caches to private companies. The prices mentioned range from $15,000 to $278,000. This could be seen as a potential financial conflict for authors who work at a news organization that may have its own interests in these areas.
    • The article mentions state-sponsored hacking efforts and foreign governments, which could be seen as a potential professional or ideological conflict for the authors.

                  86%

  • Unique Points
    • I-Soon is a company that contracts for many PRC agencies, including the Ministry of Public Security, Ministry of State Security, and People's Liberation Army.
    • The leak provides some of the most concrete details seen publicly to date on China's cyber espionage ecosystem.
    • Victim data and targeting lists show a company that competes for low-value hacking contracts from many government agencies.
    • Collecting data from Vietnam's Ministry of Economy paid out $55,000, while other ministries were worth less.
    • An employee hacked into a university not on the targeting list and their supervisor brushed it off as an accident.
    • Employees complained about low pay and hoped to get jobs at other companies such as Qi An Xin.
    • The selection of documents and chats leaked on GitHub seems meant to embarrass the company, but they also raise key questions for the cybersecurity community.
  • Accuracy
    • I-Soon appears to be responsible for compromising at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO.
    • Historical targeting information does not provide strong guidance on future targets.
    • Machine translation enabled the rapid consumption of leaked data by allowing analysts beyond seasoned China experts with specialized language skills and technical knowledge to scan the information.
    • Initial observations indicate that geographically specialized analysis will continue to provide distinct value, but the barrier to entry is much lower.
    • The leaked documents offer the threat intelligence community a unique opportunity to reevaluate past attribution efforts and gain a deeper understanding of the complex Chinese threat landscape.
    • Third-party contractors play a significant role in facilitating and executing many of China's offensive operations in the cyber domain.
    • Defenders and business leaders should take note that their organization's threat model likely includes underpaid technical experts making a fraction of the value they may pilfer from their organization.
    • The lesson is plain and uncomfortable; it should be a wakeup call and a call to action.
  • Deception (80%)
    The article is deceptive in several ways. Firstly, the author claims that I-Soon contracts for many PRC agencies, including the Ministry of Public Security and People's Liberation Army, without providing any evidence to support this claim. Secondly, the author uses a screenshot from an email address registered on GitHub as proof that someone pilfered information but does not provide any context or explanation about who was behind it. Thirdly, the article claims that I-Soon is responsible for compromising at least 14 governments and pro-democracy organizations in Hong Kong without providing any evidence to support this claim. Fourthly, the author uses a screenshot of a marketing document as proof that I-Soon bragged about past counterterrorism work but does not provide any context or explanation about what was actually said in the document. Fifthly, the article claims that I-Soon lists other terrorism-related targets it had hacked previously as evidence of its ability to perform these tasks without providing any evidence to support this claim.
    • The author uses a screenshot from an email address registered on GitHub as proof that someone pilfered information without providing any context or explanation about who was behind it.
    • The author uses a screenshot of a marketing document as proof that I-Soon bragged about past counterterrorism work without providing any context or explanation about what was actually said in the document.
    • The author claims that I-Soon contracts for many PRC agencies, including the Ministry of Public Security and People's Liberation Army, but provides no evidence to support this claim.
    • The article claims that I-Soon is responsible for compromising at least 14 governments and pro-democracy organizations in Hong Kong but provides no evidence to support this claim.
    • The article claims that I-Soon lists other terrorism-related targets it had hacked previously as evidence of its ability to perform these tasks but provides no evidence to support this claim.
  • Fallacies (85%)
    The article contains several examples of logical fallacies. The author uses an appeal to authority by citing the leaked documents as evidence without providing any context or analysis on their authenticity. Additionally, the author commits a false dilemma by stating that historical targeting information from Advanced Persistent Threats thought to be PRC contractors does not provide strong guidance on future targets, when in fact it could potentially provide valuable insights into the tactics and techniques used by these groups. The article also contains an example of inflammatory rhetoric with the author using language such as
  • Bias (85%)
    The article contains examples of bias in the form of political and religious bias. The author uses language that dehumanizes those who hold different beliefs from them, such as referring to pro-democracy organizations in Hong Kong as 'terrorism-related targets'. Additionally, the author makes assumptions about the motivations behind a data leak without providing any evidence or context for these claims.
    • The article uses language that dehumanizes those who hold different beliefs from the author. For example, it refers to pro-democracy organizations in Hong Kong as 'terrorism-related targets'.
    • The author makes assumptions about the motivations behind a data leak without providing any evidence or context for these claims.
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (0%)
    None Found At Time Of Publication

                        74%

  • Unique Points
    • A hacking group with ties to the Chinese state has been carrying out large-scale cyber intrusions against foreign governments, companies and infrastructure.
    • The leaked documents are from iSoon or Auxun, a Chinese firm headquartered in Shanghai that sells third-party hacking and data-gathering services.
    • U.S. intelligence officials see China as the greatest long-term threat to American security and have raised alarm about its targeted hacking campaigns.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (80%)
    The article is deceptive in several ways. Firstly, the author uses sensationalism by stating that Beijing's intelligence and military groups are carrying out large-scale cyber intrusions against foreign governments, companies and infrastructure. This statement implies a level of threat that may not be entirely accurate or supported by evidence presented in the article.
    • The article states that Beijing's intelligence and military groups are carrying out large-scale cyber intrusions against foreign governments, companies and infrastructure. However, this is an unsupported claim, as no evidence is provided to back it up.
  • Fallacies (70%)
    The article contains several fallacies. Firstly, the author uses an appeal to authority by stating that U.S. intelligence officials see China as the greatest long-term threat to American security and have raised alarm about its targeted hacking campaigns without providing any evidence or citation for this claim.
    • U.S. intelligence officials see China as the greatest long-term threat to American security and have raised alarm about its targeted hacking campaigns.
  • Bias (85%)
    The article contains multiple examples of bias. Firstly, the author uses language that dehumanizes and demonizes China by referring to its intelligence and military groups as carrying out large-scale cyber intrusions against foreign governments. Secondly, the author quotes experts who use inflammatory language such as 'unprecedented look inside', which is not an objective statement. Thirdly, the article uses a loaded phrase like 'greatest long-term threat to American security', which is subjective and biased.
    • Beijing's intelligence and military groups are carrying out large-scale, systematic cyber intrusions against foreign governments.
    • U.S. intelligence officials see China as the greatest long-term threat to American security.
    • We rarely get such unfettered access to the inner workings of any intelligence operation.
  • Site Conflicts Of Interest (50%)
    The article discusses the hacking efforts of a Chinese firm that targets foreign governments and companies. The firm is hired by intelligence and military groups to collect data on behalf of the Chinese government. The leaked files show that the firm exploited vulnerabilities in software from Microsoft, Apple, and Google and held contracts to extract data over eight years from at least 20 countries and territories.
    • The article discusses a cache containing more than 570 files, images and chat logs that offers an unprecedented look inside the operations of one of the firms that Chinese government agencies hire for on-demand, mass data-collecting operations.
    • The leaked files show contracts to extract foreign data over eight years, carried out in part by exploiting vulnerabilities in software from Microsoft, Apple and Google.
  • Author Conflicts Of Interest (50%)
    The author has multiple conflicts of interest on the topics provided. The article mentions that Chinese government agencies hire this firm for on-demand, mass data-collecting operations and targets within at least 20 foreign governments and territories, including India, Hong Kong, Thailand, South Korea, the United Kingdom, Taiwan, and Malaysia.
    • The article mentions contracts to extract foreign data over eight years.
    • The article mentions targets within at least 20 foreign governments and territories, including India, Hong Kong, Thailand, South Korea, the United Kingdom, Taiwan, and Malaysia.
    • The article mentions that the cache containing more than 570 files offers an unprecedented look inside the operations of one of the firms that Chinese government agencies hire for on-demand, mass data-collecting operations.

                                        76%

  • Unique Points
    • More than 570 documents from a Chinese state-backed hacking group were uploaded to GitHub last week.
    • Chinese police are investigating the leak, according to two unnamed iSoon employees.
    • The files said data had also been extracted from foreign telecommunications firms.
  • Accuracy
    • Microsoft and Google vulnerabilities were exploited by hackers.
    • FBI chief Christopher Wray told 60 Minutes in October that China is running the biggest hacking program in the world.
  • Deception (80%)
    The article is deceptive in several ways. Firstly, the author claims that a trove of leaked Chinese hacking documents might have given the world a glimpse into how widespread and effective China's hacking operations could be. However, this statement is misleading, as it implies that these documents are unique or provide new information about China's hacking activities when in fact they were already known to exist and had been previously reported on by multiple sources. Secondly, the author quotes cybersecurity expert John Hultquist stating that the leaked files belong to a contractor supporting global and domestic cyber espionage operations out of China. However, this statement is also misleading, as it implies that iSoon has direct ties to the Chinese government when in fact there is no concrete evidence linking it to any official hacking activities. Lastly, the author quotes FBI chief Christopher Wray stating that China runs the biggest hacking program in the world and has stolen more of our personal and corporate data than every nation combined. However, this statement is also misleading, as it implies that China's hackers are solely responsible for all cyber attacks when in fact other countries such as Russia and North Korea also engage in similar activities.
    • The article claims that a trove of leaked Chinese hacking documents might have given the world a glimpse into how widespread and effective China's hacking operations could be. However, this statement is misleading, as it implies that these documents are unique or provide new information about China's hacking activities when in fact they were already known to exist and had been previously reported on by multiple sources.
    • The article quotes FBI chief Christopher Wray stating that China runs the biggest hacking program in the world and has stolen more of our personal and corporate data than every nation combined. However, this statement is also misleading, as it implies that China's hackers are solely responsible for all cyber attacks when in fact other countries such as Russia and North Korea also engage in similar activities.
    • The author quotes cybersecurity expert John Hultquist stating that the leaked files belong to a contractor supporting global and domestic cyber espionage operations out of China. However, this statement is also misleading, as it implies that iSoon has direct ties to the Chinese government when in fact there is no concrete evidence linking it to any official hacking activities.
  • Fallacies (85%)
    The article contains several fallacies. The author uses an appeal to authority by citing the FBI chief's statement that China is the biggest hacker in the world and that Chinese hackers outnumber FBI cyber personnel. This is a form of inflammatory rhetoric, as it creates fear and urgency without providing any evidence or context for these claims.
    • FBI chief Christopher Wray told 60 Minutes in October that China, per his assessment, is running the biggest hacking program in the world.
    • China has stolen more of our personal and corporate data than every nation, big or small, combined.
  • Bias (85%)
    The author of the article is Kwan Wei Kevin Tan, and he has a history of writing articles that are biased on China's hacking operations. The title of the article immediately implies that there is something wrong with China's hacking operations, which could be seen as an attempt to create fear in readers. Additionally, the author uses language such as
    • China has stolen more of our personal and corporate data than every nation, big or small, combined.
    • If each one of the FBI's cyber agents and intelligence analysts focused exclusively on the China threat, China's hackers would still outnumber FBI cyber personnel by at least 50 to 1.
    • Over 570 files and documents were posted to the developer platform GitHub last week.
    • The leaked files mentioned at least 20 hacking targets.
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (0%)
    The author has multiple conflicts of interest on the topics provided. The article discusses hacking operations and US vulnerabilities, which are relevant to China's actions in these areas. Additionally, the article mentions GitHub as a source for information about Chinese hacking operations.
    • .com.au, .gov.uk, .in

                                                      77%

  • Unique Points
    • The documents were posted to the developer community platform owned by Microsoft Corp.
    • Hundreds of internal files attributed to I-Soon, a Shanghai-based cybersecurity vendor that works with Chinese government clients, were included in the trove.
    • Industry experts believe the documents are authentic and reveal successful attacks on high-value government targets from various countries, including the UK foreign office, the Royal Thai Army and NATO Secretary General Jens Stoltenberg.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (80%)
    The article is deceptive in several ways. Firstly, the title implies that there are leaks of information when in fact it is a report on documents posted online. Secondly, the author uses sensationalism by describing the scope of China's state-sponsored cyberattacks as 'extraordinary'. Thirdly, the author uses selective reporting to focus only on successful attacks and does not mention any unsuccessful ones or countermeasures taken by governments. Lastly, there is no disclosure of sources in the article.
    • The title implies that there are leaks of information when in fact it is a report on documents posted online.
  • Fallacies (80%)
    The article contains several fallacies. Firstly, the author uses an appeal to authority by stating that industry experts believe the documents are authentic without providing any evidence or citation for this claim. Secondly, there is a dichotomous depiction of China's cyberattacks as successful against high-value government targets in 2021 and 2022 while failing to mention any successes against other countries or organizations. Lastly, the author uses inflammatory rhetoric by stating that the documents reveal
  • Bias (85%)
    The article shows a clear bias in favor of portraying China as a global cyber threat and presenting its state-sponsored hacking activities as extraordinary and sophisticated. The author uses phrases like 'purported leaks', 'extraordinary detail' and 'transfixing the global security community' to create an impression that these documents are credible, reliable and alarming. However, the author does not provide any evidence or sources for how these files were obtained or verified, nor does he acknowledge the possibility of disinformation or misattribution by unknown actors. The author also fails to mention that China has itself been the target of cyber attacks from other countries. By focusing only on China's alleged hacking activities without considering any counter-evidence or alternative explanations, the author demonstrates a strong bias against China and its interests.
    • Offices for the alleged targets didn't immediately respond to requests for comment.
    • The documents, which industry experts believe to be authentic, appeared to reveal successful attacks on a series of high-value government targets in 2021 and 2022, from the UK foreign office to the Royal Thai Army and even NATO Secretary General Jens Stoltenberg.
  • Site Conflicts Of Interest (50%)
    The article by Sarah Zheng and Yuan Gao discusses the global reach of China-sponsored hacking. The authors have a conflict of interest on several topics related to this subject.
    • The article reports on I-Soon, a Shanghai-based cybersecurity vendor that has been linked to Chinese government hacking activities.
  • Author Conflicts Of Interest (50%)
    The author has a conflict of interest on the topic of China-sponsored hacking, as they are reporting on I-Soon, a Shanghai-based cybersecurity vendor that is linked to Chinese government hacking activities. Additionally, the article mentions Microsoft Corp., which may have financial ties with China due to its business operations in the country.
    • The author reports on I-Soon, a Shanghai-based cybersecurity vendor that has been linked to Chinese government hacking activities.