Chinese company hacked UK government, NATO, GitHub leak claims

Leaked data claiming to be from Shanghai's I-Soon reveals huge appetite among Chinese government, law enforcement.
By Gigi Lee for RFA Cantonese
2024.02.22
Chinese company hacked UK government, NATO, GitHub leak claims The main entrance door to the I-Soon office is seen after office hours in Chengdu in southwestern China's Sichuan Province on Feb. 20, 2024.
(Dake Kang/AP)

Chinese hackers have been targeting government departments, academic institutions and human rights groups in the United Kingdom and across Asia, gaining covert access to sensitive information on behalf of the country's law enforcement and spy agencies, according to a recent data dump on developer platform GitHub.

Files posted to the site claiming to be leaked from the privately owned Shanghai-based commercial surveillance company I-Soon reveal, if verified, a massive appetite among police and state security agencies for confidential data, which they buy from specialized companies, keeping themselves at one remove from their sophisticated hacker operations.

A screenshot of a list of U.K. targets that forms part of a file of leaked internal messages lists the Foreign, Commonwealth & Development Office, Home Office and His Majesty's Revenue and Customs, alongside other major government departments as targets for data acquisition.

The Chatham House think tank, Human Rights Watch and Amnesty International are also listed as targets, but I-Soon's clients appeared most interested in British "diplomatic" data, according to a leaked exchange of messages.

"Director Lu," asks the head of a newly formed team. "What was needed from the U.K. – is diplomatic [data] the top priority?"

"Yes," comes the reply. "It's the most important one to secure – definitely needed."

"The team has just told me there's a way to secure it," the employee says in messages dated May 6, 2022. "[They say] there's a zero-day [exploit] that will ensure we can get it, with results in two weeks. Can we apply for an up-front payment from the client?"

Zero-day exploits refer to security vulnerabilities that the target either doesn't know about or hasn't gotten around to patching yet.

They can include security vulnerabilities in web browsers, malicious email attachments, particularly those using common file types, that then infect a system with malware that steals confidential data.

Targeting government agencies

In another message, the team leader wants to know if Lu's client has any interest in NATO data. One rejects the offer, saying they've seen it before, while another requests a bigger sample.

While a page listing I-Soo's "partners" had been deleted from the company's website on Thursday, an archived copy of the site named the Ministry of Public Security, and dozens of provincial and municipal police departments, government agencies and major state-owned companies like PetroChina, China Mobile, China Unicom and Peking University as its "partners."

ENG_CHN_ShanghaiHackers_02222024.2.JPG
Pedestrians walk past His Majesty's Revenue and Customs – one of the hackers’ targets – in London, Dec. 14, 2012. (Suzanne Plunkett/Reuters)

The company offers "a full range of network products and services to the government" and other key industries, as well as "all-round support for law enforcement agencies," according to a snapshot of its website from May 2023 available on the Internet Archive. 

Other messages reveal that the company has targeted government departments, universities and telecommunications providers across Hong Kong, Taiwan, Malaysia, Thailand and Vietnam, as well as major regional gambling websites.

According to the data leak, I-Soon develops and purchases spyware and tools from a number of Chinese technology companies that also target Gmail, X, Microsoft Exchange, IOS, Android and Windows, as well as domestic social media platforms like Weibo, Baidu and WeChat.

The company specializes in "public opinion control," or online influence operations, penetration and remote monitoring, as well as "Advanced Persistent Threat" attacks on specific targets, with some software inserted into target systems through portable wifi devices that look like battery power banks.

Sensitive information

It can acquire sensitive information including GPS locations, contacts, media files, email, phone numbers, and even real-time monitoring or recording of private messages, as well as impersonating someone's social media posts.

The majority of its listed clients are linked either to the Ministry of State Security, the Ministry of Public Security, the People's Liberation Army or other Chinese Communist Party and government agencies across China.

One spreadsheet lists hundreds of government departments, military intelligence agencies, universities, political groups, airlines, and telecommunications providers in mainland China, Hong Kong, Taiwan, NATO, Thailand, Vietnam, India, Myanmar, South Korea, Kazakhstan, Afghanistan, and the United Kingdom, reporting successful infiltration of India's Ministry of Defence, NATO, and the British National Crime Agency, as well as human rights organizations.

Hong Kong targets include Hutchison, CSL and PCCW, the Examinations Authority, the Food and Environmental Hygiene Department, population and immigration data, the Chinese University of Hong Kong and the University of Science and Technology, as well as civil and political organizations such as Association for Democracy and People’s Livelihood and the defunct pro-democracy Confederation of Trade Unions.

I-Soon's clients appear to be deeply interested in Hong Kong. One of the employee conversation records shows that Heyuan Domestic Security “is only interested in Hong Kong."

RFA Cantonese contacted I-Soon for comment on this report, but had received no reply at the time of publication.

Green Corps hacker group

Network engineer and blogger Zuola said I-Soon's founder Wu Haibo was once a member of the Green Corps hacker group, also known by the nickname Whampoa Military Academy, and uses the online handle "shutdown."

"He has this reputation, then he starts this business, and 14 years of development later, their main job is to work for the government," he said. "Many of the government-sponsored attacks on overseas institutions or human rights workers over the past few years have come from companies like this."

"These hacker organizations actually aren't part of the military ... but are private companies, because they're more efficient and flexible," he said, adding that they often act opportunistically, then try to sell data after they have downloaded it.

An analysis of the messages relating to overseas operations by ChatGPT found that they are focused in particular on targets for data acquisition, "potentially for surveillance or data analysis purposes."

There are references to data concerning specific regions, including Xinjiang, suggesting a focus on acquiring data from or about this region, as well as an interest in data from academic settings, the telecommunications industry, defense and security, the output said, after being asked to “summarize while highlighting data acquisition targets.”

In July 2022, an anonymous hacker claimed to have the personal data of 1 billion Chinese nationals leaked from a Shanghai police database available for sale, according to a post by user "ChinaDan" on the hacker forum Breach Forums that was widely shared on Telegram. 

Translated with additional reporting by Luisetta Mudie. Edited by Malcolm Foster.

POST A COMMENT

Add your comment by filling out the form below in plain text. Comments are approved by a moderator and can be edited in accordance with RFAs Terms of Use. Comments will not appear in real time. RFA is not responsible for the content of the postings. Please, be respectful of others' point of view and stick to the facts.