Leaked documents reveal Australia targeted by Chinese hackers
A Chinese cybersecurity company with links to the Communist Party government used its guns-for-hire hacking operation to target Australia, leaked documents reveal.
The revelation regarding the company, i-Soon, came as the Albanese government joined international condemnation of another state-affiliated hacking group in China that targeted UK politicians and compromised Britain’s Electoral Commission.
The UK attacks are not a one-off, with hundreds of Chinese companies suspected of supporting the regime’s hacking exploits. I-Soon’s role came to light last month in leaked documents first published by developer platform GitHub.
They detail insights into the day-to-day operations of i-Soon. The company presents as an IT training security company, but, according to the leak, facilitates Chinese government-backed cyberattack and espionage campaigns with targets around the world. The leaked data includes internal company communications, sales material and product manuals.
According to translations of screenshots included in the leak, seen by The Australian Financial Review, Australia is mentioned twice. One screenshot shows a projects folder and, within that, a folder labelled “Australia”. But because the leak is a screenshot, the folder cannot be opened to see what details are inside.
“In the leaked documents, Australia as a country was on the targeted list, but there were no details of specific targets of Australia,” Mei Danowski, a geopolitical intelligence researcher who publishes Natto Thoughts on Substack, told the Financial Review.
“In one chat log, the conversation mentioned they got some new samples related to Australia, but the conversation didn’t say what kinds of samples they were. However, if samples were obtained, that means the targets have been compromised.”
Ms Danowski said the leaked i-Soon documents showed the company often pitched to Chinese government agencies such as the Ministry of Public Security (MPS) or State Security (MSS).
“They often had to proactively make an ‘educated’ guess as to the interests of the MPS or MSS. When they had ‘samples’ – likely compromised data or access – they would show their ‘clients’ and ask if they would like to buy. This was probably the case of Australia which exemplified in the leaked documents,” she said.
“The Australia and China relations have not been doing well in the past several years. China is definitely interested in putting themselves on the upper hand for the situation through cyber means.”
The nature of the targets and claimed victims of i-Soon since 2013 indicates the firm was heavily focused on government targets.
The material claims the firm breached agencies such as Britain’s Home Office and National Crime Agency, India’s Ministry of Foreign Affairs, Home Affairs and Defence, the Thai Prime Minister’s Office, Vietnam’s Supreme Court, South Africa Special Forces and dozens more.
Sophisticated operation
“It is unclear what Australian targets were hacked, but the evidence points to at least the intent to hack targets in Australia for their clients,” Internet 2.0 co-chief executive David Robinson said.
“The number of victims and data on file suggest a vast and sophisticated international hacking operation with strong commercial links to the Chinese government.”
Opposition home affairs spokesman James Paterson said it was common for the Chinese Communist Party to use proxies, including front groups and commercial entities, to engage in hacking for hire against targets, including of strategic value.
“This makes it no less serious, and in some ways worse. It is not the act of a responsible actor to effectively fund and subsidise criminal activities,” he said.
“It is very concerning to learn from the i-Soon leak that Advanced Persistent Threat [APT] actors backed by the Chinese government appear to have targeted Australia for the purposes of espionage.”
On Tuesday, the Albanese government said Australia’s electoral systems had not been compromised by the hackers who targeted the UK, while joining in the international condemnation.
China state-affiliated hacking group APT31 was called out as “almost certainly responsible” for targeting the emails of UK parliamentarians.
McGrathNicol partner Blare Sutton, who leads the firm’s cyber practice in Melbourne, said the i-Soon leak appeared to detail links between the group and a range of APT organisations in China.
“The difference between them is i-Soon seems to be a registered company in China that actually develops a lot of software tools,” Mr Sutton said.
He said chat logs in the leaks showed i-Soon employees messaging members of APT groups who were using its products for hacking, and there seemed to be a “strong working relationship” between i-Soon and different state-backed hacking groups.
“It looks like they’ve got information that they can provide to the different APT groups on how to set up their tools in different environments,” Mr Sutton said.
The Australian government stopped short of imposing sanctions on the Chinese figures involved in targeting the UK, sparking opposition concern it was going soft on Beijing following the stabilisation of bilateral ties.
‘Behaviour unacceptable’
“The persistent targeting of democratic institutions and processes has implications for democratic and open societies like Australia. This behaviour is unacceptable and must stop,” Foreign Minister Penny Wong and Cyber Security Minister Clare O’Neil said.
“Australia will continue to co-operate with our international partners to promote international law and the agreed framework of responsible state behaviour in cyberspace and call out states if they act contrary to these international obligations and expectations.”
When Australia imposed financial sanctions and travel bans on a Russian national as the mastermind behind the 2022 ransomware attack on health fund Medibank, the US and UK also imposed sanctions.
Mr Paterson called on the government to explain whether it would sanction APT31 front group Wuhan XRZ and two Chinese nationals accused of being involved in the attacks, Ni Gaobin and Zhao Guangzong.
“Certainly, the US and UK showed solidarity with us and augmented the power of our sanctions by adding their weight to it,” Senator Paterson said.
“As a matter of principle I think we should do the same to support our allies, and it is up to the government to explain if it thinks the bilateral relationship [with China] is more important than defending our national interests.”
Max Mason covers insolvency, courts, regulation, financial crime, cybercrime and corporate wrongdoing. A Walkley Award winner, Max's journalism has also received awards from the National Press Club of Australia, the Kennedy Awards and Citibank. Connect with Max on Twitter. Email Max at max.mason@afr.com
Andrew Tillett writes on politics, foreign affairs, defence and security from the Canberra press gallery. Connect with Andrew on Facebook and Twitter. Email Andrew at andrew.tillett@afr.