Update

That big data leak of 571 files from the hacker firm iS00N had researchers and journalists salivating for five days - but on the sixth day, GitHub, the platform where it was posted, invoked its terms of service to remove it.

The biggest leak of data ever from any Chinese hacking organization was replaced overnight on 21-22 February with this notice:

This repository has been disabled.

Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service. If you are the owner of the repository, you may reach out to GitHub Support for more information.

We asked GitHub's media affairs folks for an interview (just a short drive for me to their San Francisco headquarters) but they preferred to go with this statement:

“We removed the content as it was found to be in violation of GitHub's Acceptable Use Policies on doxxing and invasion of privacy.”

Understandable.

But there is another consideration.

GitHub was acquired by Microsoft in 2018 for $7.5 billion, and Microsoft has operated in China since 1992 when they opened their Beijing office (I was there, representing the US as a Commercial Officer at our embassy).

Nowadays the software giant has about 9,000 employees in the People's Republic.

It is not hard to imagine the conversation that might have occurred between Microsoft's reps in Beijing and the host government (and this may become a game of whack-a-mole for all concerned). We can leave that there.

I asked Drew Thompson, a Visiting Senior Research Fellow at the National University of Singapore, for a comment. He is a keen observer of US-China relations and the tech scene and had this to say:

• The selection of many of the target countries, Thailand, Malaysia, Turkey, Pakistan, Afghanistan, and Central Asian states are all either transit points or destinations for Uighurs fleeing China.
• It is difficult to know from the available data how much the hackers at Anxun (iS00N) were able to exfiltrate, or if they were successful at infiltrating their targets, but it is clear that they have a fraught relationship with their government clients, their financial rewards seem rather low, and the business model was tenuous during the COVID years when the company was losing money and could not pay bonuses to their workers.

So the reach of these efforts is far and wide, but its organization is strained. That may continue, or the CCP, which is good at organizing things, may succeed in improving these collection efforts.

Let's hope for more Snowdens in China. What's good for the goose is good for the gander (insider leaks, that is).

For new subscribers, the original post follows.

Regards,

Matt

​

Background: the original post of 21 February:

Several stories came out this week about a massive data dump from China, including in the New York Times and throughout the cybersecurity press, the overseas anti-communist Chinese press, and the cyber press in Chinese. Not much from the mainland's CCP-approved press, of course.

Posted on GitHub by an unknown party, the data was from iS00N, a contractor for China's Ministry of Public Security. iS00N is also known as the Shanghai Anxun Information Company (上海安洵信息公司). It is headquartered in Shanghai and has offices elsewhere in the People's Republic.

I'm happy to say that we at SpyTalk kept up with the power curve on this one. Our story is no longer behind a paywall as of 12:00 Noon Eastern on 22 February. Please take a look at SpyTalk and consider taking out a free or paid subscription. Your support is how we keep this effort going.

Back to the story: our account of iS00N's operations - hacking into databases and against individuals around the globe - was informed by combing through dozens of chats and documents in Chinese. The material we consulted showed that iS00N works primarily for Public Security Bureaus around China, but other sources believe that they also count the Ministry of State Security in their client base. Links to some of these stories are below.

A salacious bit right up front. Not all of iS00N's workers are happy in their work. One chat exchange in the leaked material went like this:

I’m really drunk…Public Security clients are such stupid c***s,” [公安的客户太傻逼], said one.” I’d like to get the f*** out of the Public Security business this year. Too much heartache. Still no f***ing money.

It was a sharp contrast with the good living that a working-level cybersecurity engineer can make in the U.S. and allied nations.

Other stories on the iS00N leak:

​https://www.malwarebytes.com/blog/news/2024/02/a-first-analysis-of-the-i-soon-data-leak​

A really good one with photos I wish I'd had for the SpyTalk story: https://substack.com/home/post/p-138316145?r=1j0&utm_campaign=post&utm_medium=web. It included this one:

The eight-character slogan behind the desk reads "Professional and in the lead; prestigious and distinguished."

Next month, I will publish a deeper dive into iS00N and its fellow PRC hack jocks firms and how they work with China's security apparatus in the Jamestown China Brief. The goal: to explain as much as possible in readable English (if you've ever tried to understand cyber security articles, you know what I mean). More on that in the next newsletter.

Lessons from this unprecedented look at a hacking contractor in the service of PRC security agencies:

• The baseline of surveillance of society by businesses and governments is so high that a lot of people are concerned to the point of being psychologically disturbed, especially in the US Congress. But it's a fact we must all live with. Yes, corporations plague us all with targeted adverts, but the reach against us all by intelligence agencies is limited by their attention span and mission priorities. More about that in the upcoming book.
• It's time to raise the public's literacy about China and the Chinese language. It's no longer an option to dismiss these as too hard or too exotic to care about because China is too important for such outdated thinking.

​

Best regards, Matt

​​
Matt Brazil, Senior Fellow, The Jamestown Foundation. Contributing Writer, SpyTalk​
San Jose, California, US

Mobile (Signal enabled): +1-408-891-5187 Email: matthew.brazil@gmail.com Encrypted: matt.brazil@hushmail.com​

​https://www.mattbrazil.net/​
​https://www.usni.org/press/books/chinese-communist-espionage​

​

​