This Week in Asia

China's i-Soon data leak exposes risks of outsourcing state spy operations to hackers for hire

A massive data leak that hit a Chinese cybersecurity firm earlier this month, exposing alleged hacking and intelligence operations, has showcased how even China's spy agencies rely on private contractors to do their bidding.

On February 16, a total of 571 files allegedly containing hacking exploits and internal conversations from Shanghai Anxun Information Company (i-Soon) appeared on open-source repository GitHub, revealing what The New York Times called "a rare look inside the secretive world of China's state-backed hackers for hire".

Like past incidents involving compromising data leaks, this data set took on a life of its own. Despite swift action by GitHub to block access to the leaked data over policy violations, the repercussions will echo across intelligence agencies, media circles, academia and security pundits for the foreseeable future.


According to specialists that have analysed the data dump, it exposes global operations to target entities on behalf of various Ministry of Public Security outposts - as well as Shanghai Anxun's role in training police across China to hack into foreign databases, in a case reminiscent of Edward Snowden's revelations.

Blurring the line between security and military functions is a perilous boundary easily breached by private security firms in cyberspace. Unconcerned with being labelled as private military entities or worse, cyber mercenaries, they operate with impunity.

Unlike their counterparts with boots on the ground, who face swift repercussions for enhancing the foreign military capabilities of sanctioned governments or non-state actors, those in the cyber realm operate in a murky landscape devoid of enforceable international regulations.

An example is the ongoing debate surrounding Israeli company NSO Group's spyware, Pegasus, which has been found to be misused by criminal syndicates and authoritarian regimes to stifle dissent and suppress human-rights activism.

Western nations, champions of private-sector supremacy in efficiency and economy, faced a stark awakening when the private military and security sector diverged from state agendas or clashed with individuals' ethical boundaries. In this respect, the rise of cyber mercenaries further complicates matters, as they capitalise on the expanding market for spyware and cyber warfare. Moreover, distinguishing between legitimate cybersecurity firms and cyber mercenaries is an increasingly daunting task in the lawless frontier of the cyber realm.

Cyber mercenaries, however, are prowling the grey zone between corporate cybersecurity and offensive cyber operations. Despite their growing power, they operate largely under the radar, unlike their counterparts in traditional warfare who struggle to conceal themselves within the grey-area definitions of private military and security firms.

Yet, China now grapples with the repercussions of entrusting its cybersecurity to external entities, echoing past incidents like the Edward Snowden leaks in the United States or Russia's reliance on cyber mercenaries entrenched in the criminal underworld to execute clandestine operations on the dark web.

In 2013, Snowden's explosive disclosures of the National Security Agency's (NSA) telephone metadata collection programme ignited a global outcry, leading to the pivotal moment in 2015 when the USA Freedom Act was enacted. Advocates hailed this legislation as a decisive step to halt the mass-surveillance practices Snowden had brought to light, in what is now referred to as "the Snowden Effect".

Ironically, before Snowden leaked highly classified intelligence documents during his tenure as a contractor with the NSA, his initial role was to uncover and prevent Chinese hacking attempts on US government operations.

In China, the notion of privatising the state monopoly on cybersecurity might have found some resonance with Western favouritism towards the private sector before this massive data leak. However, the Russian model would be even harder for Beijing to accept, due to its strong emphasis on control. According to Federico Varese, an Oxford University expert on Russian organised crime, Moscow's cyber capabilities thrive through a symbiotic relationship with highly proficient cyber criminal organisations, relying on two principles: firstly, the state shields criminal hackers who refrain from targeting national interests; and secondly, the hackers need to conduct operations on behalf of the Kremlin when required.

On the global stage, while mercenaries on the ground sow disorder, their cyber counterparts capitalise on the demand for easily deployable offensive cyber capabilities. These professionals, attracted by the allure of lucrative opportunities in the private sector, often prioritise financial gain over national allegiance, while in China, monetary gain and nationalistic pride go hand in hand.

As China increasingly favours the use of private security firms with boots on the ground to protect its Belt and Road Initiative projects overseas against criminal and terrorist threats, it appears to also be employing the same strategy in cyberspace. In this respect, Beijing is discovering the hard way, as the West has, the perils and advantages of outsourcing security to private companies to maintain plausible deniability.

Additionally, in light of ongoing discussions in the Chinese government surrounding the expansion of roles for private security firms safeguarding Chinese interests abroad and in the digital realm, the fallout from this massive data breach will undoubtedly centre on how much "the party will control the cyber gun", adapting a long-standing Maoist dictum.

Yet it remains too early to assess the case of the Shanghai-based cybersecurity company, with various possibilities for the source of the leak: a Snowden-like figure with "Chinese characteristics", a foreign state's operations, an internal manoeuvre by a rival firm, or simply the actions of a disgruntled employee.

Indeed, amid the Ministry of State Security's heightened crusade against foreign cyber espionage - fuelled further by last July's anti-spy law revision - the leak will undoubtedly spark a relentless hunt for the perpetrator. This pursuit may very well epitomise the old Chinese idiom, "kill the chicken to scare the monkey", with an unlikely possibility of a Snowden effect in China.

Alessandro Arduino is the author of Money for Mayhem: Mercenaries, Private Military Companies, Drones, and the Future of War

This article originally appeared on the South China Morning Post (SCMP).

Copyright (c) 2024. South China Morning Post Publishers Ltd. All rights reserved.
