Explained: The massive data leak from a Chinese cybersecurity agency, whose targets include India

Large amounts of data from a Chinese cybersecurity company have been leaked online, showing its contracts and communications with the Chinese government for collecting important digital information at home and abroad — including in countries such as India, Nigeria, Indonesia and the United Kingdom.

I-Soon, a Shanghai-based company (also transliterated from the Mandarin as Auxun), is believed to be one of the many private contractors that help the Chinese state conduct its intelligence-gathering, hacking and other surveillance activities.

Last week, 190 megabytes of information were posted on the software and code-sharing platform GitHub. What do we know about the leak so far, and how does it fit into China’s larger surveillance activities? We explain.

First, what’s in the leaked data and whom does it target?

The data trove shared on GitHub contains emails, images, conversations and a trove of documents. According to a report in The Washington Post, they “detail contracts to extract foreign data over eight years and describe targets within at least 20 foreign governments and territories, including India, Hong Kong, Thailand, South Korea, the United Kingdom, Taiwan and Malaysia”.

These documents do not contain the actual information that was secured. But they have details about the targets of the surveillance, and the contracts that were awarded to I-Soon.

“One spreadsheet listed 80 overseas targets that iSoon hackers appeared to have successfully breached,” the report said. This included “95.2 gigabytes of immigration data from India and a 3 terabyte collection of call logs from South Korea’s LG U Plus telecom provider”.

Also, “459GB of road-mapping data from Taiwan, the island of 23 million that China claims as its territory,” was listed, according to The Post report.

Within China, the targets seemed to include “ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China’s far west”, the Associated Press reported.

Where did the leaked data come from?

John Hultquist, the Chief Threat Analyst of Google’s Mandiant cybersecurity division, told the AP that the source of the leak could be “a rival intelligence service, a dissatisfied insider, or even a rival contractor.”

He added that the company I-Soon’s sponsors are likely to be China’s Ministry of State Security, which is the state intelligence and security agency, and the Chinese military, called the People’s Liberation Army (PLA).

What does the leak tell us about China’s cyberintelligence-gathering techniques?

The information reveals the hacking tools used to find identities on social media platforms such as X (formerly Twitter), and to access emails and hide the online activity of overseas agents, the AP reported. Platforms such as Facebook and X are blocked in China.

While users in China have accounts on China-based social media apps, accessing foreign social media websites helps monitor and target foreign citizens and Chinese nationals abroad, and spread pro-China information to global audiences through user posts.

A French cybersecurity researcher told the AP that it seemed I-Soon had the capabilities to hack X accounts, even if they had two-factor authentication (such as a password in addition to OTP verification). Devices resembling batteries were used to attack Wi-Fi networks. The AP report added that I-Soon and Chinese police were looking for the reason behind the leak.

What is I-Soon, and what does it typically do?

On an archived webpage of its website, the company describes itself as being “deeply involved in the field of cyberspace security” and as “a public network security and digital intelligence solution service provider”.

Founded in 2010, it is headquartered in Shanghai and has branches and offices in Beijing, along with the provinces of Sichuan, Jiangsu and Zhejiang. “Its business scope covers 32 provinces, municipalities and autonomous regions,” it says.

In recent days, I-Soon’s website was seemingly offline, but it previously included names of its clients — the Chinese Ministry of Public Security, 11 provincial-level security bureaus and some 40 municipal public security departments.

The AP cited a leaked draft contract as saying that the company sought to offer “anti-terror” technical support to Xinjiang police for tracking the Uyghur Muslim population. This ethnic minority group has faced several restrictions on mobility, has been a target of state surveillance and has been subjected to human rights violations.

The company also claimed to have hacked airline, cellular and government data from countries such as Mongolia, Malaysia, Afghanistan and Thailand. A few of these countries have housed some Uyghur refugees in the past.

So, what’s the larger context here?

The leaks are not the first confirmation of the Chinese state’s significant cyberintelligence and cybersecurity apparatus. In 2020, an investigation by The Indian Express found that a company based in the city of Shenzhen, with links to the Chinese government, was monitoring over 10,000 Indian individuals and organisations that were part of a global database of “foreign targets”.

The list of targets ranged from then President Ram Nath Kovind and Prime Minister Narendra Modi to Congress leader Sonia Gandhi and their families; then Chief Ministers Ashok Gehlot, Amarinder Singh, and Uddhav Thackeray; Cabinet Ministers Rajnath Singh, Nirmala Sitharaman, Smriti Irani, and Piyush Goyal; the late Chief of Defence Staff Bipin Rawat and at least 15 former Chiefs of the Army, Navy, and Air Force; then Chief Justice of India Sharad A Bobde; and top industrialists Ratan Tata and Gautam Adani.

The company also reportedly collected the personal details of more than 35,000 Australians and at least 50,000 Americans.

“Every country does this in one way or the other; that’s the job of foreign intelligence. But using big data science and technology, Beijing has, clearly, taken it to the next level,” Robert Potter, a Canberra-based cyber security, tech and data expert who helped verify the electronic antecedents of the Zhenhua data set, had said at the time.

On Thursday (February 22), The Indian Express reported that a 2018 data breach that impacted the systems of the Employees’ Provident Fund Organisation (EPFO), containing the personal data of Indians, had been “repackaged” by a Chinese cyber agency, according to a preliminary investigation by the Indian Computer Emergency Response Team (CERT-In), India’s cybersecurity agency.

Besides EPFO, the compromised data contained information on BSNL users, and information that is available with companies including Air India and Reliance.
