KnowBe4 Security Awareness Training Blog

Exposed: Global Espionage Unleashed by China's Police in Groundbreaking Leak

Written by Stu Sjouwerman | Feb 21, 2024 9:12:11 PM

[DEVELOPING STORY] I get my news from a very wide variety of sources. One is the venerable SpyTalk newsletter that lives on Substack. They just reported something pretty astounding. Here are the first few paragraphs, and at the end is the link to Substack with the rest.

A Chinese Snowden?

Massive leak from Shanghai hacking firm shows China’s police are spying worldwide

China’s Ministry of State Security, its premier spy agency, occasionally makes a splash in the news with bungled spy operations and triumphant hacking operations, especially here in America. Less well known are mishaps abroad by Beijing’s premier law enforcement agency, the Ministry of Public Security, or MPS. Last year, however, saw the exposure of “overseas police stations” run by the MPS in 14 countries, including the U.S., supposedly to help Chinese citizens abroad renew driver’s licenses and the like, but in reality focused on suppressing the activities of Chinese dissidents abroad.

Now comes a bombshell leak revealing why and how China’s national police have been enrolled in state espionage and sabotage operations on the world stage—through hacking.

On February 16 an anonymous party dumped an enormous cache of hacking-related data and internal messages onto GitHub, the web-based platform for software engineers. The data originated with iS00N, also known as the Shanghai Anxun Information Company [上海安洵信息公司]. The dump, cataloged here in Chinese, reveals the worldwide targeting of entities on behalf of various local MPS outposts—as well as iS00N’s role in training police across China to hack into foreign databases. 

“This MPS data breach mirrored the magnitude of the Russian company NTC Vulkan leak, indicating the severity and potential consequences of the incident,” the Firewall Daily reported.

The leak was discovered by a Taiwanese threat intel technical analyst who wasn’t sure of the source, said Adam Kozy, a former FBI cyber expert and Crowdstrike analyst who consults on China threat intelligence and is writing a book on the subject entitled Geeks, Spies, and Criminals: How Chinese Intelligence is Hacking its Way to Hegemony.

“It could be a disgruntled employee of iS00N, or even one of the characters mentioned in the chats…but the things they’re saying align with other investigations on (Chinese) contractors like APT41,” Kozy told SpyTalk. Also known as Double Dragon, the MSS-linked APT41 has gained notoriety for carrying out espionage-related and financial attacks on commercial targets worldwide. 

Kozy added that iS00N’s activities are reminiscent of those previously linked to entities that Western cyber experts have given the code names Red Scylla, Poison Carp, and Evileye.

Target Lists

SpyTalk reviewed a portion of this massive assortment of data, now doubtless being mined by numerous intelligence and law enforcement agencies. It revealed a wide range of targets across the globe. 

More at Substack: https://open.substack.com/pub/spytalk/p/a-chinese-snowden?r=1ujsj

FEB 24-27 UPDATES:

Sentinel LABS has more interesting data

Malwarebytes published a first analysis of the data.

WIRED reported about a "hack-for-hire" leak that Exposed Chinese Hacking Secrets

Associated Press notes that the leaked documents "reveal, in detail, methods used by Chinese authorities to surveil dissidents overseas, hack other nations, and promote pro-Beijing narratives on social media."

The CyberWire has published a summary of the breach and its ramifications.

The data was deleted from GitHub, but let's just hope that nothing gets weaponized. Remember the NSA's "ETERNALBLUE"? It was leaked by the Shadow Brokers hacker group on April 14, 2017, and then used in the worldwide WannaCry ransomware attack on May 12, 2017, which targeted unpatched computers by exploiting vulnerabilities in Microsoft Windows.

The total monetary damage caused by the WannaCry ransomware attack is estimated to have reached around $4 billion globally. This figure encompasses the financial losses due to the disruption of operations, recovery costs, and other related expenses across the various sectors affected by the attack.

The Guardian - Hackers for sale: what we’ve learned from China’s enormous cyber leak