NSA cybersecurity chief: Revelations from Chinese hacking leak are ‘eye-opening’

A vendor sits near a board depicting surveillance cameras during Security China 2023 in Beijing, on June 9, 2023. After years of breakneck growth, China's security and surveillance industry is now focused on shoring up its vulnerabilities to the United States and other outside actors, worried about risks posed by hackers, advances in artificial intelligence and pressure from rival governments. The renewed emphasis on self-reliance, combating fraud and hardening systems against hacking was on display at the recent Security China exhibition in Beijing. (AP Photo/Ng Han Guan)
A vendor sits near a board … more >
By Ryan Lovelace
The Washington Times
Wednesday, February 28, 2024
The revelations of a Chinese contractor’s hacking tools have astonished the world’s top cybersecurity experts, including the U.S. government’s most senior analysts at the National Security Agency.

A trove of documents, images and messages from the Chinese government-affiliated security contractor I-Soon suddenly appeared on the GitHub software development platform this month, offering what experts say is an unprecedented peek into the world of China’s hackers for hire.

NSA Cybersecurity Director Rob Joyce said the I-Soon disclosures have provided a new window into how China hacks. Security professionals continue combing the unprecedented leak of tools by the contractor linked to China’s security services.

You Might Also Like
Intellectual Property Law Firms Offer Expert Guidance
Intellectual Property Law Firms Offer Expert Guidance
Don’t let others infringe on your intellectual property rights. Trust knowledgeable attorneys to safeguard your creations. Schedule a consultation.
Paid | Intellectual Property Law
“It showed you the scope and scale of China’s infrastructure that is enabled by their industry, not only providing infrastructure but actually running operations and stealing data,” Mr. Joyce told the Trellix Cybersecurity Summit on Tuesday. “That’s something we’ve known about, we’ve seen, but I think that large quantity of information out and available for deep analysis was eye-opening to some in the public sector.”

Cybersecurity professionals are poring over the disclosures to understand how China’s cyberespionage industry functions and how to thwart it.

Security company SentinelOne said the I-Soon data dumped on GitHub is the most concrete evidence threat researchers have of the extent and advanced nature of China’s digital espionage efforts. The disclosures show exactly how the communist government’s targets for surveillance and infiltration are driving a market of hackers-for-hire contractors, said SentinelOne’s Dakota Cary and Aleksandar Milenkoski.

“I-Soon — whose employees complain about low pay and gamble over mahjong in the office — appears to be responsible for the compromise of at least 14 governments, pro-democracy organizations in Hong Kong, universities and NATO,” Mr. Cary and Mr. Milenkoski wrote on SentinelOne’s website.

The leaked data includes employees’ internal chats, business pitches and documentation of the company’s tools, products and processes, said cybersecurity researcher Marco Ramilli.

Mr. Ramilli said on his website that I-Soon looks to be connected to the cyberattacker group APT41, which the FBI has identified as Chinese hackers who also use the name Barium. The company is a security contractor for the Chinese Ministry of Public Security, the country’s leading intelligence force, and is registered in Chengdu, the capital city of the Chinese province of Sichuan.

The company is known as Anxun in China. Company officials have not confirmed that the leak of its data was genuine, but numerous Western experts say they appear to be real.

The trove of documents, emails and corporate literature, dozens of marketing documents, business documents and thousands of messages with clients of I-Soon conducted on the WeChat messaging site. Primary areas of interest for the company appeared to be a mix of domestic surveillance targets and regional governments such as Vietnam, Thailand, South Korea and India.

In 2022, the cybersecurity firm Mandiant said its investigation into APT41 found the hackers compromised at least six U.S. state government networks from May 2021 through February 2022.

Cybersecurity professionals are looking to better understand exactly what operations I-Soon conducted. A team at Trellix, a California-based cybersecurity firm, is among those scrutinizing every detail of the newly disclosed data.

Trellix threat intelligence head John Fokker, formerly a cybercrime investigator for the Dutch government, told The Washington Times that early indications underscore the reality that customers need to be especially vigilant working with contractors and understand their relationships with foreign governments.

“For me, it’s not really a surprise, but it’s more of a confirmation that we see that this is happening,” Mr. Fokker said. “It’s an interesting avenue. We have the same suspicions when we look at the Russian government.”

• This article is based in part on wire service reports.

• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.

Copyright © 2024 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.

TOP OF THE TIMES
Follow Us
SEE MORE VIDEOS

FRONT PAGE PODCAST

SPONSORED CONTENT
QUESTION OF THE DAY
Do you approve of the job Mike Johnson is doing as Speaker of the House?
Question of the Day
YES
NO

View results
NEWSLETTERS
Breaking News
Daily
Jennifer Harper
Weekly
Bill Gertz
Today’s Opinion
Front Page Podcast
Charles Hurt
Cheryl Chumley
Higher Ground
On Background
Threat Status

Email Address

Terms of Use / Privacy Policy / Manage Newsletters

FIND US ON FACEBOOK
The Washington Times
Opinion
Local
Sports
FIND US ON X
The Washington Times
Opinion
Local
Sports
All site contents © Copyright 2024 The Washington Times, LLC3600 New York Avenue NE | Washington, DC 20002 | 202-636-3000