Chinese police are currently investigating a massive data breach that originated from a private security contractor with alleged ties to Chinese state security. The data, taken from the contractor I-Soon and uploaded to the GitHub.com code repository, offers an unprecedented glimpse into the workings of an international cybersecurity operation.
This is not the first time that GitHub has been a source of cybercriminal activity. In January of this year, it was revealed that several bad actors were deploying malicious payloads within legitimate GitHub traffic, exploiting its file and code sharing capabilities. Cybercriminals were also able to redirect this traffic to phishing sites.
In addition to describing the hacking activity and some of the tools used by the company, the leaked documents also offered an insider's view of the targets. These include at least fourteen international government agencies, universities and, perhaps unsurprisingly, Hong Kong agencies. It should be noted that the authenticity of the documents is not yet confirmed, although much of the information matches known threat vectors that originated in the PRC in the past.
I-Soon, also known as Shanghai Anxun Information Company, was started in Shanghai in 2010 and has several offices in China. The company website, which is currently offline, showed off a number of cybersecurity services, many of which were described in the 190-megabyte leak. The client page listed several Chinese regional security bureaus and public security departments, as well as the country's Ministry of Public Security.
The leaked data consists of a variety of documents, screenshots and private chat conversations. The list also includes a selection of everyday information, such as complaints about low wages at the company and employees' gaming habits. One of the interesting parts of the leak is the fact that AI translation has opened up the data to many more analysts than was previously possible. The barrier to access is now much lower, and people other than specialized sinologists can evaluate the information more quickly and easily. For example, we were able to use ChatGPT Vision to OCR-decode and translate some of the document images in seconds, something that would have taken much longer in the past.
Uploads began in mid-February, with thousands of WeChat messages and marketing documents arriving on GitHub's servers. Among the stack are a large number of sales presentation documents boasting about the company's hacking capabilities and its past exploits. The data reportedly lists explicit terrorism-related targets that the company has previously hacked, including some in Pakistan and Afghanistan. The illicit documents also allegedly include fees earned from some of these hacking projects. For example, one report says the company earned $55,000 for collecting data from the Ministry of Economy of a foreign country.
There are still few to no clues as to the culprits behind the leak (or even their motives), but it appears that a Taiwanese analyst discovered the leaked stash on GitHub and immediately shared it on his social media. An anonymous I-Soon employee told the Associated Press that an investigation is currently underway within the company and that employees were told they should "continue working as normal" while it was underway.
While perhaps not earth-shattering in terms of naked content, this breach gives the world a rare and intimate glimpse into reality on the front lines of the murky business of global espionage. It turns out that a lot of this is probably not so much James Bond, but more office parties and petty disputes between employees.