New Information Reveals Business Side of China’s APT Threat – Krebs on Security

A massive data leak from i-SOON, a top private cybersecurity company in China, has provided unprecedented insight into the commercial side of China’s state-sponsored hacking. The leaked cache, more than 500 documents published to GitHub last week, documents extensive cyber espionage campaigns commissioned by various Chinese government agencies and carried out by i-SOON employees.

The leaked documents indicate that i-SOON, headquartered in Shanghai and best known for providing cybersecurity training courses in China, has been responsible for infiltrating government systems in the United Kingdom and various Asian countries. While the cache does not contain raw data stolen from cyber espionage targets, it does include detailed records listing the level of access gained and the types of data exposed in each intrusion. Security experts who reviewed the leaked data believe that i-SOON closely collaborates with China’s Ministry of State Security and the military.

According to Dakota Cary, a China-focused consultant at the security firm SentinelOne, the leaked information provides concrete detail on the sophistication of China’s cyber espionage activities and on the competitive market of independent contractor hackers-for-hire. Mei Danowski, a former intelligence analyst and China expert, pointed out that i-SOON has earned the highest secrecy classification that a non-state-owned company can receive, qualifying it to conduct classified research and development related to state security.

Danowski also noted that the leaked documents suggest i-SOON proactively developed new Advanced Persistent Threat (APT) network penetration methods. One of the documents is a sales pitch slide showcasing the hacking prowess of the company’s “APT research team.” The cache also includes lengthy chat conversations between i-SOON’s founders about the need for more employees and more government contracts, alongside references to flagging sales.

Interestingly, Danowski detailed how i-SOON was embroiled in a software development contract dispute when it was sued by another Chinese cybersecurity company, Chengdu 404. In addition, she suggested a potential business relationship between the two companies, with one possibly serving as a subcontractor to the other on specific cyber espionage campaigns.

The leaked conversations reveal a competitive industry in which companies routinely poach each other’s employees and tools. They also show how i-SOON continuously sought new talent through hacking competitions and team-building events. At the same time, the conversations point to low employee morale: multiple discussions mention long hours, low pay, and employees gambling during work hours.

According to Danowski, the leak was likely orchestrated by a disgruntled employee, as the information was strategically released on the first working day following the Chinese New Year. SentinelOne’s Cary shared a similar conclusion, pointing out that the Protonmail account linked to the GitHub profile was registered a month before the leak.

The leak is especially significant given China’s stringent control over online access, which allows authorities to block data on Chinese citizens and companies from leaving the country. This information asymmetry gives China an advantage in cyber operations and underscores the rarity of such a substantial data leak from China’s cybersecurity industry.

The leaked information adds to the growing concern about China’s cyberwarfare goals, with the U.S. government singling out China as the single biggest cyber threat to its interests. While certain aspects of U.S. cyber operations are contracted to private companies, the U.S. does not condone the wholesale theft of state and corporate secrets for the benefit of private industries, as observed in China.

Overall, the leaked data from i-SOON provides a rare and invaluable glimpse into the inner workings of China’s state-sponsored hacking ecosystem, shedding light on the competitive marketplace of independent contractor hackers-for-hire and the increasingly prominent role of China’s private cybersecurity companies in foreign espionage campaigns.