Feb 22, 2024
8 mins read
8 mins read

iSoon Data Leak Reveals CCP’s International Espionage Operations

iSoon Data Leak Reveals CCP’s International Espionage Operations

Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, uses a website that monitors global cyberattacks on his computer at their office in Dongguan, China's southern Guangdong province, on Aug. 4, 2020. (Nicolas Asfouri/AFP via Getty Images)

By Lisa Lin and Cindy Li

News Analysis

A trove of internal documents from the Chinese cybersecurity company iSoon was leaked, exposing close ties between company executives and the Chinese Communist Party’s (CCP) public security departments and international espionage operations.

iSoon, also known as Auxun, is a Chinese cybersecurity company that works for the Chinese Communist Party’s (CCP) Ministry of Security. Last week, the company’s internal documents, including chat logs, operational information, and presentations detailing the infiltration, Indian defense, and UK intelligence, were posted by an anonymous user on the software development platform GitHub.

The Epoch Times could not independently verify the authenticity of the documents.

Wu Haibo (also known as shutdown), the CEO of iSoon, is a first-generation Honker (a patriotic “red hacker”) and an early member of China’s first underground hacking group, the Green Army, founded in 1997. iSoon also established connections with universities in Sichuan Province through hosting hacker competitions and offering training courses at the iSoon Research Institute. While iSoon is registered in Shanghai, its headquarters are located in Sichuan.

2/3 of iSoon’s Clients From CCP’s Public Security Bureau

According to work chat logs between Mr. Wu and iSoon’s second-in-command, Chen Cheng (also known as lengmo), Wu requested on Sept. 15, 2020, that each sales project be reviewed individually to ensure the order rate, stating that projects from China’s public security bureau account for 2/3 of the company’s total sales projects.

iSoon’s website explains its involvement in various areas such as public safety, anti-fraud, blockchain forensics, enterprise security solutions, and training. In 2013, the company established the APT Network Penetration Research Department. It has partnered with all levels of public security agencies, including the Ministry of Public Security, 10 provincial-level public security bureaus, and over 40 municipal public security bureaus.

As a designated supplier for China’s Ministry of State Security, the company also holds qualifications for the CCP’s national security work. In 2019, it became one of the first certified suppliers of the Network Security Protection Bureau of the Ministry of Public Security, providing technology, tools, and equipment. In 2020, it was awarded the “Second-class Confidentiality Qualification for Weapons and Equipment Research and Production Units” by the Ministry of Industry and Information Technology.

The second-class confidentiality qualification is the highest level of confidentiality that non-state-owned enterprises can obtain, enabling iSoon to conduct confidential research and development related to national security. Following these certifications, in July 2021, iSoon was shortlisted for the network security protection project of the Aksu District Public Security Bureau in the Xinjiang region.

It’s widely reported that the CCP authorities are intensively monitoring the Xinjiang region (where Muslims are the majority), including through the installation of malicious software on residents’ phones for surveillance.

In 2021, the Sichuan provincial authorities ranked iSoon as one of the “Top 30 Excellent Information Security Enterprises” in the province.

iSoon’s website published 15 appreciation letters from partners and clients, most from provincial and municipal public security bureaus.

During a chat on Sept. 15, 2020, Mr. Wu mentioned that the Ministry of Public Security leadership told him to persevere.

“The leaders in the department told me to persevere,” he typed in Chinese. “Although we are not making money now and barely making ends meet, we have done well in niche areas. They told me to persevere.”

“The leaders said they would support us in the future.”

Attacking Southeast Asian Countries

Based on the leaked documents, iSoon boasted in presentations and other documents that they had infiltrated or attacked the Indian Ministry of Defense, NATO, and the UK’s National Crime Agency, as well as having long-term deep access to telecommunications companies, government departments, research institutions, and military systems in neighboring countries around China.

The documents also include malicious software targeting various platforms, including Microsoft Exchange and Android, X (formerly Twitter) public opinion control system, and custom hardware for network penetration.

A map of China is seen through a magnifying glass on a computer screen showing binary digits on Jan. 2, 2014. (Edgar Su/Reuters)

A map of China is seen through a magnifying glass on a computer screen showing binary digits on Jan. 2, 2014. (Edgar Su/Reuters)

On Aug. 25, 2021, Mr. Chen suggested that Mr. Wu go overseas to obtain data of interest to the communist regime. According to the chat log, Mr. Chen told Mr. Wu, “There will definitely be demands for overseas landing. Get local people to do it will do … It’s all good when you start making money.”

On Nov. 1, 2021, the two discussed specific targets for attacks: the Burma (also known as Myanmar) Military Security Bureau, the Federal United Government of Burma, and the Burma Commander-in-Chief’s Office. The intermediary for this project and the one footing the bill is the Yunnan Provincial Public Security Department. “The provincial public security is offering over 80,000 [yuan] a month for it.” Mr. Wu said, “The Public Security has verified it. It’s valuable.”

Public Security’s Overseas Intelligence Collection in East Asia

The internal chat records of iSoon’s top executives confirm that the Ministry of Public Security’s 11th Bureau, 10th Division, is responsible for intelligence in Hong Kong, Macau, Taiwan, Southeast Asia, and Northeast Asia.

The CCP’s Ministry of Public Security, 11th Bureau, also known as the Network Security Protection Bureau, is an internal institution responsible for handling illegal and criminal cases involving computers and information networks, managing the national public information network security surveillance police, commonly known as “Internet Police.”

AI (artificial intelligence) security cameras using facial recognition technology are displayed at the 14th China International Exhibition on Public Safety and Security at the China International Exhibition Center in Beijing, China, on Oct. 24, 2018. (Nicolas Asfouri/AFP via Getty Images)

AI (artificial intelligence) security cameras using facial recognition technology are displayed at the 14th China International Exhibition on Public Safety and Security at the China International Exhibition Center in Beijing, China, on Oct. 24, 2018. (Nicolas Asfouri/AFP via Getty Images)

Mr. Wu: “I don’t know if we can produce anything now. According to the new reform within the department, we are expected to have more contacts with the 10th Division in the future.”

“The 10th Division is now responsible for Hong Kong, Macau, Taiwan, and the neighboring countries in Southeast Asia and Northeast Asia.”

According to a China Digital Times report in May 2023, the CCP’s Ministry of Public Security, 11th Bureau issued a notice in March 2023, requiring various public security bureau network security defense teams to participate in the online public opinion struggle with overseas “net armies” to maintain political security online. The project organized more than 40 “network special detectives, big data system construction and data mining backbone personnel” from March 27 to April 27 in Beijing for a month-long “special investigation battle.”

The undertaking unit of this special operation is the 11th Bureau’s 24th Division, with Hu Fengming as the person in charge, and internal numbers and mobile contact information are provided. Several “public security bureau network security defense teams” are mentioned at the beginning, and the “list of participating personnel” is listed at the end, with 32 participating police officers’ real names.

China Digital Times stated that through network searches and cross-verification, it independently verified the identities of some participating police officers on the list and confirmed that 11 were Internet police officers from various places, confirming the authenticity of the documents.