credit to @voachinese
Chinese police are investigating an unauthorized and highly unusual leak of documents from a private security contractor with ties to China's top police agency and other parts of the government. The documents describe apparent hacking and surveillance of both Chinese citizens and foreigners.
Obvious targets for the company's tools include ethnic minorities and dissidents in areas that have seen severe anti-government protests, such as Hong Kong or the heavily Muslim Xinjiang region.
Two Anxun employees confirmed the leak of a trove of documents late last week and the subsequent investigation into the company's ties to China's Ministry of Public Security. Analysts considered the breach serious even though it exposed no particularly novel or effective tools: it included hundreds of pages of contracts, marketing presentations, product manuals, and customer and employee lists.
They reveal in detail the methods used by Chinese authorities to spy on dissidents abroad, hack other countries, and promote pro-Beijing rhetoric on social media.
The documents show Anxun apparently hacked networks in Central and Southeast Asia, as well as in Hong Kong and the self-ruled island of Taiwan, which Beijing claims as its territory.
Chinese state agents use these hacking tools to uncover the identities of users of social media platforms outside China, such as “X,” hack into emails, and hide the online activities of overseas agents. The documents also describe devices disguised as power strips and batteries that could be used to compromise Wi-Fi networks.
The two Anxun employees told The Associated Press that the company and Chinese police are investigating how the documents were leaked. One of the employees said that Anxun held a meeting about the leak on Wednesday (February 21) and that staff were told it would not have a big impact on the business and that they should "continue to work normally." The AP is not naming the employees out of concern about possible retaliation, although they did provide their last names, as is customary in China.
The source of the leaked documents is unclear. China's Foreign Ministry did not immediately respond to a request for comment.
A far-reaching breach
Jon Condra, an analyst at the cybersecurity firm Recorded Future, said it was one of the biggest leaks ever from a company "allegedly providing cyber espionage and targeted intrusion services to Chinese security services." He said that according to the leaked materials, Anxun's targets included foreign governments and telecommunications companies, as well as online gambling companies in China.
Before the leak, which amounted to 190 megabytes of material, Anxun's website had a page listing clients, led by the Ministry of Public Security and including 11 provincial security departments and about 40 municipal public security departments.
Another page promoted "advanced persistent threat" and "attack and defense" capabilities, using the acronym APT, a term the cybersecurity industry uses for the world's most sophisticated hacker groups. That page became inaccessible after Tuesday morning. Leaked internal documents describe an Anxun database that contained data hacked from foreign networks around the world and that was advertised and sold to Chinese police.
By late Tuesday, the company's website was completely inaccessible. A representative for Anxun declined an interview request from The Associated Press and said the company would make a formal statement at an unspecified future date.
According to Chinese company records, Anxun was established in Shanghai in 2010 and has subsidiaries in three other cities, including one in Chengdu. According to leaked internal slides, the Chengdu subsidiary is responsible for hacking and research and development.
Anxun's Chengdu subsidiary was operating as usual on Wednesday. Red Chinese New Year lanterns swayed in the wind in the alley leading to the company's five-story office building, and employees milled in and out, smoking and drinking coffee outside. A Communist Party emblem posted inside the office building reads: "Keeping Party and state secrets is the obligation of every citizen."
Anxun's tools appear to be used by Chinese police to curb dissent on overseas social media and to flood those platforms with pro-Beijing content. Authorities can directly monitor Chinese social media platforms and order them to remove anti-government posts, but they lack that ability on overseas sites like Facebook or X, to which millions of Chinese users flock to evade state surveillance and censorship.
“The Chinese government is very interested in social media surveillance and commentary,” said Mareike Ohlberg, a senior fellow in the Asia program at the German Marshall Fund, who reviewed some of the leaked documents.
Ohlberg said that controlling key posts within the country was crucial to controlling public opinion and stemming anti-government sentiment. "Chinese authorities are very interested in tracking users based in China," she said.
John Hultquist, chief threat analyst at Google's Mandiant cybersecurity arm, said the source of the leaked documents could be "a rival intelligence agency, a disgruntled insider, or even a competing contractor." Hultquist said the data showed that Anxun's sponsors also included the Ministry of State Security and the People's Liberation Army.
Many targets, many countries
A leaked draft contract shows Anxun selling "anti-terrorism" technical support to Xinjiang police to track Uyghurs from Xinjiang in Central and Southeast Asia, claiming access to hacked airline, cellphone, and government data from countries such as Mongolia, Malaysia, Afghanistan, and Thailand. It is unclear whether the contract was signed.
“We’re seeing a lot of attacks against organizations associated with ethnic minorities — Tibetans, Uyghurs — and a lot of the attacks against foreign entities can be viewed through the lens of the government’s domestic security priorities,” said Dakota Cary, a China analyst at the cybersecurity firm SentinelOne.
He said the documents appeared to be genuine because they fit the expectations of contractors carrying out hacks on behalf of China's security agencies regarding domestic political priorities.
Cary found a spreadsheet listing data repositories collected from victims that covered 14 governments, including India, Indonesia, and Nigeria. He said the documents showed that Anxun mainly supported the Ministry of Public Security.
Cary was also shocked by the attack on Taiwan's Ministry of Health in early 2021 to determine its COVID-19 case numbers, and was struck by the low cost of some hacks. He said the documents showed Anxun charged clients $55,000 to attack Vietnam's Ministry of Economic Affairs.
An initial review of the data by The Associated Press found that while some chats mentioned NATO, there was no indication that any NATO country had been successfully targeted by the hackers. That does not mean state-sponsored Chinese hackers will not try to attack the United States and its allies. If the leaker is based in China, which seems likely, "revealing information about the hacking of NATO would be very, very inflammatory," Cary said, a risk that would make Chinese authorities more determined to identify the hacker.
Mathieu Tartare, a malware researcher at the cybersecurity firm ESET, said the firm has linked Anxun to a Chinese state hacking group called Fishmonger, which it actively tracks and first reported on in January 2020 after the group broke into the University of Hong Kong during student protests. He said that since 2022 the group has targeted governments, non-governmental organizations, and think tanks in Asia, Europe, Central America, and the United States.
French cybersecurity researcher Baptiste Robert also combed through the documents and said Anxun appeared to have found a way to hack accounts on X even when those accounts had two-factor authentication, as well as a method for analyzing email inboxes. He said U.S. cyber operators and their allies were potential suspects in the Anxun leak because it was in their interest to expose Chinese state hacking.
A spokesman for U.S. Cyber Command would not comment on whether the National Security Agency or Cyber Command was involved in the breach. The press office of
In recent years, Western governments, including the United States, have taken steps to prevent China from spying on and harassing government critics abroad. Laura Harth, campaign director for Safeguard Defenders, an advocacy group that focuses on human rights in China, said such tactics instill fear of the Chinese government in Chinese and foreign citizens abroad, suppress criticism, and lead to self-censorship. "They are an imminent threat that is always present and difficult to escape," she said.
Last year, U.S. officials charged 40 Chinese police officers with harassing the families of Chinese dissidents abroad and spreading pro-Beijing content online. Harth said that the indictment describes tactics similar to those detailed in Anxun's documents. Chinese officials accuse the United States of carrying out similar activities. U.S. officials, including FBI Director Christopher Wray, recently accused Chinese state hackers of planting malware that could be used to damage civilian infrastructure.
Chinese Foreign Ministry spokesman Mao Ning said on Monday that the U.S. government has long been working to destroy China's critical infrastructure. She asked the United States to "stop using cybersecurity issues to smear other countries