I-Soon, a hacking-for-hire contractor affiliated with Chinese government agencies and military, suffered a major leak of its internal documents in the last few weeks, revealing hundreds of files on its operations, targeting, and capabilities, as well as internal employee chat logs. Beyond the details of the leak itself, this incident reveals several aspects of the Chinese government’s cyber operations that are noteworthy. 

1. Strategic objectives underlie China’s cyber operations. The types of contracting work that this leak revealed—monitoring dissent of Chinese domestic and diasporic populations and conducting espionage against neighboring countries—underscore how important control over the domestic (and broader) information environment is to the Chinese government. The primary goal of the Chinese Communist Party (CCP), China’s ruling entity, is to maintain its own governing power, and it leverages cyber operations as a means to ensure or bolster complementary strategic priorities, such as: 

2. The centrality of data is key to success at home and abroad. One can’t overstate the importance of data and information to the CCP. Numerous large-scale breaches—including the Office of Personnel Management hacks between 2014 and 2015, the Equifax data breach in 2017, and the Marriott data breach in 2018—have been attributed to the Chinese government and military. The data compromised in these breaches—sensitive personally identifiable information, financial data, security clearance information, and travel and lodging activity—have the potential to reveal patterns on American intelligence, security, and business dealings. The Chinese government also routinely collects data on its citizens and can use that data to refine data analysis practices or improve collections capabilities, which are useful practices for both refining national security planning and exerting greater control over its citizens.

Perhaps driven by an understanding of what its clients want, I-Soon’s own documents also convey the importance of data and how it feeds into China’s broader strategic goals. In one sales document, I-Soon noted that “[i]nformation has increasingly become the lifeblood of a country and one of the resources that countries are scrambling to seize. In information warfare, stealing enemy information and destroying enemy information systems have become the key to defeating the enemy.” In other words, both the CCP and companies like I-Soon that serve the government understand that data is seen as one of the key drivers of economic, military, and political success at home and abroad and build supporting operations to assist in its collection.

3. China is not a monolithic actor. Portrayals in the news and by politicians often make it seem like China is an impenetrable hacking machine. The Chinese government has been able to use this portrayal to its advantage, burnishing its image as a world-class hacking empire. However, leaks like this also indicate that there are holes, contradictions, and conflicts within China’s cyber operations infrastructure. Further, I-Soon employee dissatisfaction with working conditions also indicates that there are shortcomings in the work that they do, whether it be pay, infighting, or workload. It is important to remember that humans are behind the keyboards, often doing repetitive or menial work that has repercussions on morale and profitability. This underscores, in part, why the CCP prioritizes domestic information control and advancing alternative narratives: to quell potential swells of dissent. 

4. More details about China’s cyber contractor ecosystem emerged. The leak is also significant in that it revealed the ecosystem of government contractors who conduct operations on behalf of the Chinese government. The marketing and proposal materials leaked also provide insight into what contracted services and products the state seeks: surveillance and monitoring, targeted espionage, network penetration, and data collection. This may mean that the Chinese government uses contractors to focus on areas where in-house talent may be lacking, or it allows the government agencies to focus on other priorities. Leaked documents also indicate a competitive business environment, requiring companies such as I-Soon to provide premier services, deliver actionable intelligence, and/or target broad swathes of potential clients.

We still don’t know many details about the nature of the leak and its ramifications for China’s hacking operations, such as how much of I-Soon’s business was encapsulated in the leak, who conducted the leak, and how the Chinese government may respond. Despite this, a continued analysis of the leaked files may reveal more patterns and linkages in China’s cyber operations ecosystem.