BEIJING (news agencies) — The hotel was spacious. It was upscale. It had a karaoke bar. The perfect venue, the CEO of the Chinese hacking company thought, to hold a Lunar New Year banquet currying favor with government officials. There was just one drawback, his top deputy said.
“Who goes there?” the deputy wrote. “The girls are so ugly.”
So goes the sordid wheeling and dealing that takes place behind the scenes in China’s hacking industry, as revealed in a highly unusual leak last month of internal documents from a private contractor linked to China’s government and police. China’s hacking industry, the documents reveal, suffers from shady business practices, disgruntlement over pay and work quality, and poor security protocols.
Private hacking contractors are companies that steal data from other countries to sell to the Chinese authorities. Over the past two decades, Chinese state security’s demand for overseas intelligence has soared, giving rise to a vast network of these private hackers-for-hire companies that have infiltrated hundreds of systems outside China.
Though the existence of these hacking contractors is an open secret in China, little was known about how they operate. But the leaked documents from a firm called I-Soon have pulled back the curtain, revealing a seedy, sprawling industry where corners are cut and rules are murky and poorly enforced in the quest to make money.
Leaked chat records show I-Soon executives wooing officials over lavish dinners and late-night binge drinking. They collude with competitors to rig bidding for government contracts. They pay thousands of dollars in “introduction fees” to contacts who bring them lucrative projects. I-Soon has not commented on the documents.
Mei Danowski, a cybersecurity analyst who wrote about I-Soon on her blog, Natto Thoughts, said the documents show that China’s hackers for hire work much like any other industry in China.
“It is profit-driven,” Danowski said. “It is subject to China’s business culture — who you know, who you dine and wine with, and who you are friends with.”
China’s hacking industry rose from the country’s early hacker culture, first appearing in the 1990s as citizens bought computers and went online.
I-Soon’s founder and CEO, Wu Haibo, was among them. Wu was a member of China’s first hacktivist group, Green Army — a group known informally as the “Whampoa Academy” after a famed Chinese military school.
Wu and some other hackers distinguished themselves by declaring themselves “red hackers” — patriots who offered their services to the Chinese Communist Party, in contrast to the freewheeling, anarchist and anti-establishment ethos popular among many coders.
In 2010, Wu founded I-Soon in Shanghai. Interviews he gave to Chinese media depict a man determined to bolster his country’s hacking capacity to catch up with rivals. In one 2011 interview, Wu lamented that China still lagged far behind the United States: “There are many technology enthusiasts in China, but there are very few enlightened people.”
With the spread of the internet, China’s hacking-for-hire industry boomed, emphasizing espionage and intellectual property theft.
High-profile hacks by Chinese state agents, including one at the U.S. Office of Personnel Management where personal data on 22 million existing or prospective federal employees was stolen, got so serious that then-President Barack Obama personally complained to Chinese leader Xi Jinping. They agreed in 2015 to cut back on espionage.
For a couple of years, the intrusions subsided. But I-Soon and other private hacking outfits soon grew more active than ever, providing Chinese state security forces cover and deniability. I-Soon is “part of an ecosystem of contractors that has links to the Chinese patriotic hacking scene,” said John Hultquist, chief analyst of Google’s Mandiant cybersecurity unit.
These days, Chinese hackers are a formidable force.
In May 2023, Microsoft disclosed that a Chinese state-sponsored hacking group affiliated with China’s People’s Liberation Army called “Volt Typhoon” was targeting critical infrastructure such as telecommunications and ports in Guam, Hawaii, and elsewhere and could be laying the groundwork for disruption in the event of conflict.
Today, hackers such as those at I-Soon outnumber FBI cybersecurity staff by “at least 50 to one,” FBI director Christopher Wray said in January at a conference in Munich.
Though I-Soon boasted about its hacking prowess in slick marketing PowerPoint presentations, the real business took place at hotpot parties, late-night drinking sessions and poaching wars with competitors, leaked records show. A picture emerges of a company enmeshed in a seedy, sprawling industry that relies heavily on connections to get things done.
I-Soon leadership discussed buying gifts and which officials liked red wine. They swapped tips on who was a lightweight, and who could handle their liquor.