Recently, a major data leak was discovered on GitHub, possibly exposing documents tied to the cyber spying activities of the Chinese company i-SOON. Although it is unclear whether the data dump was the work of an insider, a disgruntled employee, a competitor, or even a nation state, the material seems to confirm that Beijing contracts work out to “hacker-for-hire” companies to support some of its cyber collection efforts. The discovery has ignited interest from China watchers and appears to further solidify arguments that China is a pervasive cyber threat actor intent on conducting its activities via a variety of spying means. It also comes at a time when U.S. intelligence and security officials have testified about the cyber threat posed by China, and when the United States has disrupted Chinese cyber operations that tried to implant malware that could have been used to disrupt civilian critical infrastructure. The timing is fortuitous, or at least raises eyebrows, to say the least.
Nonetheless, the treasure trove of information has exposed how a “private” company such as i-SOON operates, and what types of activities and services it provides for those willing to employ it. Indeed, according to one site reporting on the find, the material in the leak includes files of “internal chats, business pitches, documentation describing the company’s products,” and even data stolen from targeted victims. Even call detail records from compromised telecommunications companies were part of the leak. Moreover, the documents showed the services and capabilities of the company, including the types of tools it employed, the development of malware for multiple operating systems, social media monitoring, and platforms to collect email data, among others. Notably, there was even information on the company’s clients, many of which appear to be Chinese government agencies.
This is not a complete surprise, as previous reporting in late 2023 pointed out that i-SOON was a contractor for the Chinese government, ostensibly doing the very types of espionage and monitoring work detailed in the recent leak. If anything, the leak has confirmed the fact that i-SOON is not alone in this endeavor and must compete for government work against other Chinese companies looking for a piece of the larger Chinese cyber espionage pie. Competing for government contracts in this way seems as common in China as it does in the United States. What is not clear is how these companies are vetted, if at all, and what qualifies them to bid for such contracts in the first place. Reporting has suggested that Chengdu, the area where many tech companies are based, has become a recruitment hotspot for Chinese entities looking to hire out jobs cheaply. There is validity in that supposition given the amount of exposure Chengdu has received as a prominent IT hub, especially for agencies like the Ministry of State Security. This has undoubtedly helped foster a competitive market for such services.
One thing is abundantly clear: the targets and services attributed to i-SOON in the leaks show a diversity of services and targets consistent with the pervasive cyber activities attributed to Beijing. Indeed, according to one cybersecurity company reviewing the documents, i-SOON appears to have been involved in cyber espionage operations against at least 14 foreign governments, Hong Kong pro-democracy entities, universities, and even NATO. There was even information pertaining to bidding on future work against counterterrorist targets of interest, where i-SOON showcased previous experience doing similar types of operations against organizations in Afghanistan and Pakistan. What the leak does not reveal is the extent to which Beijing relies on the activities of such companies, although one company believes it is for “low-value hacking projects,” though it does not provide further explanation of what “low value” means.
Unsurprisingly, the leak has drawn comparisons to Edward Snowden, the U.S. intelligence contractor who exposed the alleged global surveillance activities of the United States, conducted through the activities and collaboration of its agencies, other states, and technology companies. To be fair, this leak only sheds light on one aspect of the larger Chinese cyber espionage program, rather than presenting a bigger-picture view of the entire cyber spying apparatus. Use of companies like i-SOON may indicate that Beijing lacks the capabilities and global partnerships required for a more extensive and comprehensive surveillance effort akin to what the Snowden leaks purported. Even if they are going after “low value” targets, these companies would be doing the grunt work that other state assets would otherwise have had to pursue or else ignore. Beijing may use this initial effort to collect information that can be synthesized, aggregated, and then used by more advanced state actors to engage in a “next level” cyber espionage operation. Having multiple companies doing the work compels them to be efficient and impactful or else risk getting cut off from government funding. Quite a motivating factor.
At its base, the i-SOON leak tells us perhaps nothing new so much as it solidifies points that have long been suspected and acknowledged about Chinese cyber operations. Beijing tasks out orders on areas of interest to a variety of collection means, much like any other government. In this case, one company has been identified, and there are likely other companies doing similar work as well. The extent to which a company like i-SOON contracts exclusively to Chinese government agencies is not as well known. Providing similar services to other foreign governments or companies would likely put i-SOON in the category of a private sector cyber spying industrial complex, more so than solely a Chinese state asset. But more information will be needed to make that determination.
Unlike the Snowden leaks, which exposed alleged cyber activities at the highest levels, the i-SOON leak is exactly the opposite. And while the U.S. press has downplayed the former, it has elevated the latter, perhaps in an attempt to keep the pressure on China. However, the i-SOON revelations will do little to move the needle on global opinion about China with respect to cyber spying, as nothing new was uncovered. For those tracking Chinese cyber operations, another company has been identified, but that will do little to alter the way China uses companies like these. There are a lot of tech companies in China, and newer ones emerge every day. In 2022, there were approximately 35,000 “tech” companies in China, according to Statista. New startups keep emerging, especially in the tech center, a trend driven by Xi Jinping’s push to drive Chinese tech innovation and development. These “private” company resources will likely not go away, no matter how many get exposed for these activities.