
Chinese hacking scheme focused on harassing dissidents, leaked documents show


Cybersecurity researchers have had some sleepless nights over the last several days.


They're digging into a major leak of documents from a Chinese technology company that appears to be conducting global hacking operations for the Chinese government.

MARTÍNEZ: For more, we've got NPR cybersecurity correspondent Jenna McLaughlin here to help us sort all of this out. Jenna, so what exactly is in the leak, and does it seem legit?

JENNA MCLAUGHLIN, BYLINE: Yeah, so there are about 500 documents and they're all in Mandarin. There's a lot of nerdy technical details in there. It got leaked to GitHub, which is a coding platform that's popular with programmers. But so far, cybersecurity experts I've spoken to say it does look legitimate. Based on their analysis, it looks like this is a collection of documents stolen from one specific Chinese technology company called I-Soon. So they're a contractor for Chinese agencies like the Ministry of State Security and the People's Liberation Army. There's some public information on the company, but this gives us a really rare look into more of their sensitive business. The documents include marketing materials, details about hacking technology and some of their hacking operations, as well as some other targets. And this is all work for the Chinese government.

MARTÍNEZ: So I got to say, Jenna, I'm not too bowled over or shocked that a Chinese company would be hacking for the Chinese government. So what about this makes it interesting and juicy?

MCLAUGHLIN: Yeah, the revelations aren't exactly shocking, but it does give us this rare peek behind the curtain. I spoke to John Hultquist. He leads intelligence analysis for Google's Mandiant. Here was his answer.

JOHN HULTQUIST: I think the most interesting part of this is we're getting kind of a really deep look at the Chinese cyberespionage contractor ecosystem. We are all the way into the organization. We're looking at their documentation, their chats. And you're getting a real unfettered access to an intelligence operation you just don't see very often.

MCLAUGHLIN: Plus, he said that in cases where researchers have already analyzed a certain breach in the past, made some educated guesses about who was behind it, these documents can help them kind of fact-check their work. Hultquist also said that learning about the prices of these operations is really interesting. He said apparently this company was selling hacked documents from NATO for only 10,000 USD, which is pretty cheap.

MARTÍNEZ: Yeah. So who are the targets here?

MCLAUGHLIN: It's not exactly a surprising list again, but it is pretty long. It includes about 14 different government agencies from Western competitors, like Australia and the U.K., to countries that have a closer relationship with China, like Pakistan. It also includes pro-democracy organizations in places like Hong Kong, you know, academic institutions. And there's some details about them bidding for a project to surveil the Uyghur people in Xinjiang. Human rights groups have strongly condemned Chinese government repression of this Muslim population. In fact, a lot of this tech company's work appears to be focused on surveilling and harassing dissidents around the world. That includes monitoring and hacking social media platforms like X, or what we used to call Twitter.

MARTÍNEZ: Yeah. The leak, Jenna, the leak. Who is behind the leak?

MCLAUGHLIN: That's the big question. We don't know yet, but there are a few clues here. So the leak itself includes employee chats about low pay, other kinds of complaints. So there's this possibility that it could be a disgruntled employee, but it could be a really clever intelligence operation or even a competitor within China.

MARTÍNEZ: All right, NPR cybersecurity correspondent Jenna McLaughlin. Jenna, thanks.

MCLAUGHLIN: Thank you.


NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

A Martínez is one of the hosts of Morning Edition and Up First. He came to NPR in 2021 and is based out of NPR West.
Jenna McLaughlin is NPR's cybersecurity correspondent, focusing on the intersection of national security and technology.