China’s Ministry of State Security, its premier spy agency, occasionally makes a splash in the news with bungled spy operations and triumphant hacking operations, especially here in America. Less well known are mishaps abroad by Beijing’s premier law enforcement agency, the Ministry of Public Security, or MPS. Last year, however, saw the exposure of “overseas police stations” run by the MPS in 14 countries, including the U.S., supposedly to help Chinese citizens abroad renew driver’s licenses and the like, but in reality focused on suppressing the activities of Chinese dissidents abroad.
Now comes a bombshell leak revealing why and how China’s national police have been enrolled in state espionage and sabotage operations on the world stage—through hacking.
On February 16 an anonymous party dumped an enormous cache of hacking-related data and internal messages onto GitHub, the web-based platform for software engineers. The data originated with iS00N, also known as the Shanghai Anxun Information Company [上海安洵信息公司]. The dump, cataloged here in Chinese, reveals the worldwide targeting of entities on behalf of various local MPS outposts—as well as iS00N’s role in training police across China to hack into foreign databases.
“This MPS data-breaches mirrored the magnitude of the NTC Vulkan leak, indicating the severity and potential consequences of the incident,” the Firewall Daily reported.
The leak was discovered by a Taiwanese threat intel technical analyst who wasn’t sure of the source, said Adam Kozy, a former FBI cyber expert and Crowdstrike analyst who consults on China threat intelligence and is writing a book on the subject entitled Geeks, Spies, and Criminals: How Chinese Intelligence is Hacking its Way to Hegemony.
“It could be a disgruntled employee of iS00N, or even one of the characters mentioned in the chats…but the things they’re saying align with other investigations on (Chinese) contractors like APT41,” Kozy told SpyTalk. Also known as Double Dragon, the MSS-linked APT41 has gained notoriety for carrying out espionage-related and financial attacks on commercial targets worldwide.
Kozy added that iS00N’s activities are reminiscent of those previously linked to entities that Western cyber experts have given the code names Red Scylla, Poison Carp, and Evileye.
Target Lists
SpyTalk reviewed a portion of this massive assortment of data, now doubtless being mined by numerous intelligence and law enforcement agencies. It revealed a wide range of targets across the globe.
They included Bruneian, Turkish and Thai diplomatic traffic—possibly indicating successful Chinese decryption of their coded messages. Other organizations in the sights of iS00N, according to chats dated 2021 and 2022, included Royal Brunei Airlines, the Indonesian Ministry of Commerce, Thai Airways, Malaysian Air, the Secretariat for European Affairs in North Macedonia, and chats in the message network used by Vietnamese television stations.
Malaysia was revealed to be a major target in the leaked data. A table showed a breakdown of domain users in specific entities in that Southeast Asian nation, including the Ministry of Foreign Affairs, the Ministry of Home Affairs, the national police, Parliament, Malaysia Airlines, and curiously, the Air India office in Kuala Lumpur.
Another table showed target names and related data by country including Pakistan, Malaysia, Kazakhstan, Kyrgyzstan, Mongolia, Nepal, Thailand, Turkey, India, Nigeria, Rwanda, Cambodia, France, Indonesia, Vietnam, Hong Kong, and Taiwan. Tibet was similarly named in another table.
Apparently, Chinese security contractors need not worry if they slip up by calling Hong Kong, Tibet and Taiwan “countries.”
U.K., Indian Contracts
An April-May 2022 discussion about a bid invitation from a client in Chongqing to probe targets in the United Kingdom noted at least one “zero day” exploit (a vulnerability not known to the target that allows for a clandestine intrusion) and asked for results in two weeks. The targets included Chatham House, the Center for Foreign Policy Studies, the Center for Defense and International Security Studies, IISS, the UK Home Office, Justice Ministry, Treasury, the Education Ministry, the Brexit Department, the Department of Health and Social Care, and the National Crime Agency.
One chat, on June 8, 2022, revealed an unspecified client seeking information about the Indian Army’s 14th and 17th Corps, which are based, respectively, in Kargil and along the border with Tibet, where Indian and Chinese forces clashed twice that year with fatal results. The same chat discussed an unspecified client requesting searches and a “small sample” of chat traffic from Vietnam Television using the key words “intelligence, peace, China, and USA [情报、安宁、中国、美国].
More specificity came with an unsigned and undated draft contract between the Sichuan office of iS00N and the Xinjiang Bayingol Public Security Bureau, located in southeast Xinjiang. According to the document, the PSB was concerned about religious extremists in Central Asia and the Middle East training terrorists originally from the PRC and dispatching them back to China.
The contract stipulated that iS00N would provide “practical network attack and defense capabilities” to the Bayingol PSB, including target acquisition and network defense training, and the fit-out of operations centers to conduct cyber operations, including: a network attack and defense training platform; a WiFi proximity attack system; an automated testing platform; remote control management systems for Android, Mac, Windows, and Linux; a “Twitter control evidence collection platform;” and a password-cracking platform.
Price War Complaints
The ranking of these targets was only fleetingly revealed, but the incentives were clear. “Military and diplomatic targets are good to sell,” one analyst remarked on July 5, 2022. In that same conversation, two iS00N contractors discussed fees for their hacking work, which they noted were falling. Prospective clients were offering 70,000 to 80,000 yuan a month ($9,700 to $11,100), a price point that the chatmates complained was too low to make a profit. Their asking price of 100,000 yuan ($13,907) was “difficult to get in recent days,” they said.
But such sums, apparently multiplied many times across China’s Public Security Bureaus over the last few years, indicate that the Ministry of Public Security in Beijing may be shelling out tens of millions of dollars each year and outsourcing important international intelligence-gathering tasks to provincial and municipal public security bureaus and departments—possibly in the same way the MSS has done with its local state security departments and bureaus. The Shanghai State Security Bureau, for example, targets the U.S. Intelligence Community, and the Jiangsu State Security Department, residing in a province with an aerospace industry, goes after foreign export-controlled high technology valued by their local interests.
In spite of the money being spent, at least some people doing the work seem less than satisfied. A rant from June, 2022 was blunt but not atypical. “I’m really drunk…Public Security clients are such stupid c***s,” [公安的客户太傻逼], said one.” I’d like to get the f**k out of the Public Security business this year. Too much heartache. Still no f**king money.” It’s a sharp contrast with the good living that a working level cybersecurity engineer can make in the U.S. and allied nations.
Hacker Socialism
A graphic showing iS00N’s development reveals that the firm started up in 2010 in Shanghai, and began operating a “security research unit,” followed by an APT Network Infiltration Research Division in 2013. In 2015 it established a wholly-owned subsidiary in Sichuan, obtaining angel-round financing in 2016 and Series A financing in September 2018. It established a Jiangsu branch in May 2020 and also has offices in Kunming, Chengdu, and Nanjing.
In October 2018, iS00N participated in the Ministry of Public Security’s “special case network work,” and in April 2019 they were selected to be part of the first batch of units embedded into the Cyber Security Bureau of MPS. Between October 2018 and 2021, the company hosted the first through fourth National Public Security System Cyber Security TZ Practical Training sessions. (TZ is short for Training Zone, meaning hands-on, practical training involving threat intelligence, incident response, and other skills needed to protect digital assets).
The leaks show how many of these groups “still rely on close personal connections, many of which date back to the early 2000s patriotic hacking scene,” said Kozy, the former FBI and Crowdstrike analyst, who is closely analyzing the leaked data. “They often met at university, online via forums or shared online technical interest groups, and bonded helping one another with technical problems or carried out early intrusion operations against foreign targets,” and even against rival domestic groups, operating “fairly loosely by comparison to Western contractors that act within legal and contractual constraints.”
“Not only MPS, but also MSS and perhaps the PLA Strategic Support Force,” Kozy added, “shell out millions of dollars to smaller contractors like iS00N…but SSF is more supervised.”
The fact that China’s national police are now gathering massive amounts of intelligence overseas—previously thought to be the turf of the MSS and the PLA Strategic Support Force—is notable. It is no surprise that the Chinese Communist Party is worried to the point of paranoia about events and opinions abroad. It has long been said that the CCP is focused less on what we call “national security” than on the party’s own security and its position in society, which it rolls together as ”state security.” The scattershot approach to gathering intelligence reflected in these leaks by a firm that seems less than accountable in its operations deserves thorough scrutiny to determine how effective Beijing’s spying really is.
SpyTalk contributing writer Matthew Brazil is co-author, with Peter Mattis, of the authoritative Chinese Communist Espionage, An Intelligence Primer.
This article first appeared on Spytalk.co.
