China is turning to private firms for offensive cyber operations
Leaked documents reveal prices, clients, targets, and more.
Recent leaks and other revelations about Beijing’s use of hacking companies are shedding light on how privatization with Chinese characteristics is changing the government’s intelligence operations.
In February, 577 documents stolen from the Chinese hacking firm iS00N were dumped onto GitHub. The Microsoft-owned developer hub quickly removed the files, but not before analysts and media around the world were touting the “first-of-its-kind” look.
The leak was hardly the first revelation that private companies have been handling the kind of offensive cyber operations that were once the exclusive purview of government agencies. In 2015, a 400GB data dump exposed such efforts by the Italian Hacking Team. In 2021, a worldwide news consortium documented efforts by the Israeli NSO Group and others to help authoritarian regimes and private clients target tech firms and democracies around the world. And last year, the Carnegie Endowment compiled a list of 193 publicly reported instances of privatized offensive cyber-attacks executed by 40 firms, including six Chinese companies.
Nevertheless, the iSoon document dump revealed activities of unexpected scope. Working on behalf of China’s Public Security Bureaus and State Security Departments, the company has spied on targets all over Europe, Asia, and North America. The leak was “narrow, but it is deep,” said John Hultquist, the chief analyst at cyber security firm Mandiant. “We rarely get such unfettered access to the inner workings of any intelligence operation.”
Origins
China’s turn to private-sector hackers comes amid a two-decade expansion of espionage operations that target not just potential adversary governments and militaries, but foreign government officials, dissidents abroad, Hong Kong activists, China-focused journalists, and foreign businesses in critical sectors, including defense industrial bases. Particular efforts are made to learn about military and space technologies, whose secrets are increasingly held in digital form. As Peter Mattis put it in Chinese Communist Espionage, “the craft of technical operations (has) shifted from the elegance of the device and its delivery to the elegance of software,” which “marked the clear emergence of computer network exploitation as a go-to part of the Chinese intelligence toolkit.” The digital shift has enabled several astounding successes, such as harvesting information on 20 million U.S. government employees from the Office of Personnel Management from 2013 to 2015, hacking into the U.S. Commerce Secretary’s emails, and numerous other exploits.
However, China’s cyber operations have also been plagued by uneven training and occasional sloppy practices. A decade ago, the infamous PLA Unit 61398 (APT 1) did not even bother to hide their IP addresses; in 2021, a unit of Recorded Future, using “common analytical techniques,” mapped the extensive infrastructure and foreign targets of PLA Unit 69010 in Urumqi, Xinjiang. That same year, they discovered that another SSF PLA Unit, 61419, had failed to keep its purchases of foreign antivirus software from being publicly posted for all to see.
Such blunders are notable but probably were not the reason for the recent privatization trend, and they were multiplied by this year’s poor OPSEC at iS00N, along with the public drama of Chengdu 404 suing that firm. More likely, it was an increase in the scale of Beijing’s intelligence operations, leading to the transfer of what appears to be a substantial portion of work from state security agencies to contractors (the leaked documents show only a few iS00N clients were military). Some of the known companies include independent operators such as iS00N and Chengdu 404, as well as Ministry of State Security fronts such as Hunan Xiaoruizhi S&T and Hainan Xiandun Technology (the latter is still listed online).
The origins of iS00N–type companies may be traced to the “patriotic hacking” of the 1990s, which featured figures like Lin Yong and his “Honker Union” and Wu Haibo, who founded the 1990s hacking group “Green Army.” By the early 2000s, more sophisticated military entities, notably PLA Unit 61398 (APT 1), were carrying out sophisticated attacks, and it seemed that hacking had become the province of the military.
But looking back, the path to privatized operations appears to have been laid amid the downswing in U.S.-China relations that began with Obama’s 2010 “pivot” to Asia and Xi Jinping’s ascent to power in 2012. After Wu launched iS00N in 2010, other private firms began popping up, including Chengdu 404 in 2014. The trend may have been accelerated by Xi’s aggressive foreign and domestic policies, particularly in his second term in 2017-22, which generated additional intelligence requirements. Today, private intelligence companies offer the ability to hire people quickly for emerging requirements. In particular, they can hire for unclassified jobs without waiting on the kind of security clearances that the government would require of its own employees. (Almost none of iS00N’s contracts in the leaked client table are marked as classified.) This likely helps Beijing maintain a worldwide intelligence and influence offensive whose “scope and intensity…is overwhelming Western defenses,” writes Nigel Inkster, the former director of operations and intelligence at MI-6.
Revelations
The leaked iS00N documents provide a range of insights into this business of hacking for the PRC. The company’s rates for monitoring individual email addresses are listed at $125,000 per year or $300,000 for three years. A five-page table documents contracts going back to 2016 with a variety of clients, starting with the Chengdu Public Security Bureau and spreading to other PSBs across China. One contract with the Ministry of Public Security Number 3 Institute in Beijing, hired the firm to provide a “remote evidence inquiry system” for use on the China Unicom Network. Intriguingly, the table reveals iS00N’s work for technology companies across China. For example, the Shaanxi Xianxiang Network Technology Company was provided “data acquisition service” for $22,800, while the Fujian Zhongrui Electronic Technology Company received “sharp eye data analysis services.” This raises the possibility that iS00N has become the provider of spying and other software to other contractors favored by the PSBs in their localities.
Actual full-text agreements among the documents are rare, but there is an iS00N contract with the Bayingol Public Security Bureau in Xinjiang, which hired the company to hack the email accounts of Uyghur emigres and their families back home in Bayingol—and also the databases of airlines and telecom companies that emigres might use in Macau, Malaysia, Kazakhstan, and Pakistan. Other jobs had iS00N monitoring NATO and government ministries in Indonesia, Kazakhstan, Korea, Malaysia, Mongolia, Thailand, and the UK.
The dump also reveals that some of iS00N’s operators are paid very little—which may help explain the February leak. Such firms appear to allow operators to work for the party-state by day but use company equipment and software to commit lucrative fraud by night. That permissive lack of control might represent part of the thousands of cybercrime arrests inside China by the Ministry of Public Security during 2022 and 2023.
It's unknown just how many private hacking firms like iS00N and Chengdu 404 can provide software solutions to smaller ones, though the local firms listed in iS00N’s tally number over 100. At a more basic level, we remain in the dark about the steps in the PRC intelligence cycle, how tasking is allocated, and what, if any, mechanism exists to manage conflicts. It is also uncertain if the CCP leadership creates redundant tasking and rivalries on purpose, to keep the organs of state security from conspiring together against top leaders.
While the massive airing of their secrets must have been embarrassing to all involved in the PRC hacking industry, both the business and overall CCP cyber operations continue to chug along. While the leaks implicated Chengdu 404 in a bid-rigging conspiracy to cheat the Ministries of State Security and Public Security, as of this writing, the company is still open for business and even looking to hire more engineers to develop websites, big data, and web crawler technology.
Matt Brazil is a senior analyst with BluePath Labs, a Fellow at the Jamestown Foundation, and a former U.S. Army officer and diplomat. He is a co-author of Chinese Communist Espionage: An Intelligence Primer (Naval Institute Press, 2019).
P.W. Singer is a best-selling author of such books on war and technology as Wired for War, Ghost Fleet, and Burn-In; senior fellow at New America; and co-founder of Useful Fiction, a strategic narratives company.