GitHub leak exposes Chinese offensive cyber operations

20.02.2024

Recently, an unidentified group purportedly leaked a collection of Chinese government documents on the GitHub platform. The disclosed documents, according to Taiwanese threat intelligence researcher Azaka Sekai, shed light on China’s offensive cyber operations, revealing the utilization of spyware developed by I-Soon.

While various analysts have scrutinized the alleged leaked documents, their authenticity remains unconfirmed as of the time of this writing.

Efforts were made to contact I-Soon for a response, but no reply was received prior to the publication of this article.

Azaka Sekai asserts that the leaked documents offer a detailed glimpse into the inner workings of China’s state-sponsored cyber activities. Notably, certain offensive software is reported to have specific functionalities enabling the acquisition of users’ Twitter email and phone numbers, real-time monitoring, tweeting on their behalf, and reading direct messages.

According to the purported documentation, attackers can target both Android and iOS devices, extracting a plethora of sensitive information, including hardware details, GPS data, contacts, media files, and live audio recordings.

The alleged documents outline various devices that attackers can employ for espionage, including WiFi-capable devices capable of infiltrating targeted Android phones via a WiFi signal. Externally, these devices purportedly resemble portable batteries from a well-known Chinese manufacturer.

Azaka Sekai’s analysis of the Mandarin-written documents delves into different types of gadgets supposedly used by attackers, along with tools designed for surveillance on individuals through Chinese social media platforms like Weibo, Baidu, and WeChat.

A purported list has also surfaced, claiming to contain the names of countries affected by the spyware. According to this list, terabytes of information have been gathered from Pakistan, Nepal, Turkey, Kazakhstan, Kyrgyzstan, Malaysia, Mongolia, India, Egypt, France, Cambodia, Rwanda, Nigeria, Hong Kong, Indonesia, Vietnam, Burma, the Philippines, and Afghanistan. The victims’ roster includes TÜBİTAK, the Scientific and Technological Research Council of Turkey.

Furthermore, the leaked documents provide insights into the earnings of employees involved in spyware development. “Excluding C-level executives, the average after-tax salary is 7,600 RMB, approximately 1,000 USD. This remuneration is considered abysmal given the nature of their alleged activities,” commented one researcher.