GitHub leak exposes Chinese offensive cyber operations – researchers - The leaked documents supposedly discuss spyware developed by I-Soon, a Chinese infosec company, that’s targeting social media platforms, telecommunications companies, and other organizations worldwide

Unknown individuals allegedly leaked a trove of Chinese government documents on GitHub. The documents reveal how China conducts offensive cyber operations with spyware developed by I-Soon, Taiwanese threat intelligence researcher Azaka Sekai claims.

While several researchers have analyzed the supposedly leaked documents, no official confirmation of their veracity exists as of the writing of this article.

We have reached out to I-Soon but did not receive a reply before publishing.

According to Azaka Sekai, the documents provide an intimate insight into the inner workings of China’s state-sponsored cyber activities. For example, some offensive software has specific features that supposedly allow “obtaining the user’s Twitter email and phone number, real-time monitoring, publishing tweets on their behalf, reading DMs.”
Attackers can supposedly target Android and iOS devices, obtaining a multitude of sensitive information, such as hardware information, GPS data, contacts, media files, and real-time audio recordings.

The alleged documentation reveals several gadgets that attackers can use to spy on victims, including WiFi-capable devices with the capability to inject targeted Android phones via a WiFi signal. From the outside, the device supposedly looks like a portable battery from a well-known Chinese manufacturer.

Azaka Sekai's analysis of the documents, which are written in Mandarin, details several different types of gadgets allegedly used by attackers, as well as products for spying on individuals using Chinese social media platforms such as Weibo, Baidu, and WeChat.

The information also revealed sensitive details from multiple telecommunications providers, for example the Beeline and Tele2 providers operating in Kazakhstan.
Interestingly, researchers uncovered a victim list that included the Paris Institute of Political Studies, also known as Sciences Po, a large private hospital network in India, Apollo Hospitals, and multiple government entities from China’s neighboring countries.

The documents even reveal how much employees who make the spyware earn. “Excluding the C-level execs, the average salary is 7,600 RMB after tax. That’s like 1,000 USD. That is absolutely abysmal for what they’re allegedly doing,” a researcher said on Mastodon.
 
More of these leaks are:
A Twitter Monitoring system (The system is designed to monitor a user's top 5 posts, IP address hotspots (more on that later), latest posts and is also used to remote control accounts to make posts, retweet, comment, etc.)
It is specifically designed for "Public opinion guidance and control." It can generate shortlinks that basically act as a middleman between the target URL and the user. It can either be a regular link or something that requires OAuth (presumably used to obtain user information).
...but if you look at the original thread (archive), you will also notice there's more to this, which includes: Custom RATs built for Windows x64/x86 with features such as process/service/registry management, remote shell, keylogging, file access logging, obtaining system info, disconnect, uninstallation, spyware, and a bunch of exfiltrated data.
 
More of these leaks are:
A Twitter Monitoring system (The system is designed to monitor a user's top 5 posts, IP address hotspots (more on that later), latest posts and is also used to remote control accounts to make posts, retweet, comment, etc.)
It is specifically designed for "Public opinion guidance and control." It can generate shortlinks that basically act as a middleman between the target URL and the user. It can either be a regular link or something that requires OAuth (presumably used to obtain user information).
...but if you look at the original thread (archive), you will also notice there's more to this, which includes: Custom RATs built for Windows x64/x86 with features such as process/service/registry management, remote shell, keylogging, file access logging, obtaining system info, disconnect, uninstallation, spyware, and a bunch of exfiltrated data.
I like to build offensive security stuff as a hobby and honestly when I started, everything was made to target Windows. At that point (and even now) most of the stuff I see is geared towards Windows. I honestly don't use Windows and that's one of the reasons.
 
OAuth (presumably used to obtain user information)
It’s dirtier than that. OAuth is a good thing when used correctly but a very, VERY bad thing when used incorrectly. It’s used to give consent to act as you. And all it takes is you (or someone on your behalf that has admin rights - like, say, TikTok) granting consent on your behalf.

Look up the recent Microsoft breach for an example of OAuth abuse.
 
@AltisticRight is there anything of interest that you can translate?

It's worth noting that those documents do look like typical manuals from the state, with the kind of text, the font and the format. If this is fake, they did a banger job at mimicking the looks. It looks very similar to a document I've seen pertaining to VPN users, typically for accessing sites such as GitHub.

The GUI I've seen would list the users' top activities and accounts they're connected to.

That OAuth stuff is nasty. When I was trying to get a VPN to work by renting a server to route traffic during my work in China, I was told explicitly by the provider that everything is logged and any of my activities will be seen by the state. If they receive requests to share my information, they will comply. Whether I should worry or not depends on what I'm doing and really, their mood. I mainly needed a few sites and YouTube, and couldn't trust those garbage services.

This is also why it would be impossible for us to find a host in mainland China. All the reputable hosts nowadays require the full database to be sent to Chinese security officials for a check. I'm not sure how the process works but some of the stuff I've posted would raise red flags, and I'm not even that rabidly anti-CPC, I've said good things about them too.

It's also worth noting that since Xi took office, the CPC's Xitter activity increased by over 1000%; it's very shameful and pathetic. Government officials shouldn't be feuding with goons on Xitter where all their activities are fully transparent. That's also the downside of single party states, they get paranoid easily. Shit is efficient in China but everyone with a VPN looks like a foreign spy. I know someone who got a visit for using Telegram for furry shit. I wasn't amused and said he deserved it (I hate furries), but it's still pretty scary if you think about it. They'll also send out text messages asking users to stop using VPNs during "sensitive times", such as the 4th of June and government forum meetings.
 
I like to build offensive security stuff as a hobby and honestly when I started, everything was made to target Windows. At that point (and even now) most of the stuff I see is geared towards Windows. I honestly don't use Windows and that's one of the reasons.
I find all of this fascinating and I want to learn more about this. On the topic of the thread, this is definitely tied into Chinese and North Korean state hackers.
 
China has been angling to become the most dominant superpower for a long time now hence why they've been doing this type of shit. They figured any advantage is a good advantage. Hence why they've done all types of backroom deals as well as cloak and dagger type shit.

Such as the Fent flooding California, the Chink plants in various governments and organizations (California and Canada comes to mind), and of course, the unrelenting Psyops that is both Discord and TikTok. The latter two being something they're in direct control of.

McArthur was right. China should have been glassed.
 
I like to build offensive security stuff as a hobby and honestly when I started, everything was made to target Windows. At that point (and even now) most of the stuff I see is geared towards Windows. I honestly don't use Windows and that's one of the reasons.
Linux-based Desktops are in a unique spot in that since they’re only 5% of the Desktop OS market, they see the least malware activity. GNU/Linux servers however account for around 65% of infrastructure and are naturally much larger targets. So you’re not completely safe, especially against GNU/Linux server-based attacks that can spread to your Desktop (so always isolate your network), and if the world pivots in a smarter direction by dropping Windows then that would put us even more at risk, but as it stands? Yeah, we’re decently safe (for now).
 
Stepping out of shitposting for a minute: blaming China for OAuth abuse is a mistake IMO. Blaming OAuth for OAuth abuse is also a mistake IMO. This is the fault of lazy and/or incompetent staff.

What this is is what you see on your phone - you let Waze see your location? That’s OAuth consent for Waze to act as you when you’re logged in and get your location. If Apple decided Waze could see every iPhone user’s location, that’s admin consent.

Now apply that to corporate instances of major collaboration suites with ignorant, lazy or incompetent staff. Oops, we just gave some dumbass calendar scheduling app the ability to read and send email as anyone in the company.
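As an added illustration of the user-versus-admin consent point above (not code from the thread or from any product), here is a small audit over a constructed list of consent grants: it flags mail-capable scopes and scopes a given kind of app has no business holding, and ranks tenant-wide admin grants highest. Scope names follow Microsoft Graph conventions as an assumption; swap in your own suite's names.

```python
from dataclasses import dataclass

# Permissions that let an app read or send mail, or rewrite the directory, on
# behalf of whoever consented. Names follow Microsoft Graph conventions (an
# assumption for this example; substitute your suite's own scope names).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Directory.ReadWrite.All"}
# Scopes any app is assumed to need just to sign a user in.
BASELINE_SCOPES = {"User.Read", "offline_access"}
# What an app of a given category plausibly needs beyond the baseline.
EXPECTED_SCOPES = {"calendar": {"Calendars.ReadWrite"}, "files": {"Files.Read"}}

@dataclass(frozen=True)
class Grant:
    app: str
    category: str
    consent_type: str      # "user": one person consented; "admin": tenant-wide
    scopes: frozenset

def classify(grant):
    """Return (severity, reasons) for one consent grant."""
    expected = BASELINE_SCOPES | EXPECTED_SCOPES.get(grant.category, set())
    risky = grant.scopes & HIGH_RISK_SCOPES
    excess = grant.scopes - expected - risky
    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if excess:
        reasons.append(f"unexpected for a {grant.category} app: " + ", ".join(sorted(excess)))
    if not reasons:
        return "ok", reasons
    # Admin consent applies to every user, so the same scopes are far more severe.
    if risky:
        severity = "critical" if grant.consent_type == "admin" else "high"
    else:
        severity = "medium"
    return severity, reasons

def audit(grants):
    """Map app name -> (severity, reasons) for a list of grants."""
    return {g.app: classify(g) for g in grants}

# Constructed sample export for the example; not real tenant data.
SAMPLE_GRANTS = [
    Grant("QuickSchedule", "calendar", "admin",
          frozenset({"User.Read", "Calendars.ReadWrite", "Mail.ReadWrite", "Mail.Send"})),
    Grant("TeamCalendarSync", "calendar", "user",
          frozenset({"User.Read", "offline_access", "Calendars.ReadWrite"})),
    Grant("DocViewer", "files", "user",
          frozenset({"User.Read", "Files.Read", "Calendars.Read"})),
]
```

Running `audit(SAMPLE_GRANTS)` ranks the admin-consented scheduling app with mail read/send rights as critical, the user-consented calendar app as fine, and the file viewer holding a calendar scope as medium.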
 
So you’re not completely safe, especially against GNU/Linux server-based attacks that can spread to your Desktop (so always isolate your network)
This is a good daily reminder to practice network segmentation, implement log management and retention, deploy a good EDR solution and take heed of its warnings and for the love of everything that is good and holy, are you ready for it, implement. patch. management.

Windows is a hot dumpster fire of issues and it makes sense, the NT kernel has been patched and had things bolted on over the years, some things get forgotten, stuff gets missed in QA (lol as if Microsoft even practices QA anymore). Linux is better in some respects, but damn if it doesn't take a couple of open CVEs where you least expect it to completely fuck yourself over. As much as it sucks, the way Linux handles updates is better. Instead of a rolling monthly patch with out of band fixes for hot button items, you just kinda get updates as they come out.

It's not going to stop a well-funded APT, but let's be honest, we're not important enough to be targeted by an APT.

(I say all of this and I'm still using Windows on my dev box because I do a lot of .NET development because I'm a massive faggot, but the second I can get away with it, I'm going back to Debian. Stable. Boring. Debian. Whatever Windows shit I'll need to do can be done in a virtual lab in Azure or in my homelab).

That OAuth stuff is nasty. When I was trying to get a VPN to work by renting a server to route traffic during my work in China, I was told explicitly by the provider that everything is logged and any of my activities will be seen by the state. If they receive requests to share my information, they will comply. Whether I should worry or not depends on what I'm doing and really, their mood. I mainly needed a few sites and YouTube, and couldn't trust those garbage services.
The China-style Great Firewall terrifies me more than anything, even more than their offensive security guys and how badly they can fuck up shit if Sino-American relations get any worse. We've seen it here, once the fundamental infrastructure underpinning the internet starts to turn against you, when the companies that handle layer 3 infrastructure down to layer 1 (the physical cables strung across the sea floor) infrastructure, how do you even counter that? Moreover, I don't want to see governments all over the world look at something like the Great Firewall and think it's a fucking swell idea and try to replicate it. I don't even like that western companies are complicit in helping to build it, but are they going to turn down money? Fuck no!

Stepping out of shitposting for a minute: blaming China for OAuth abuse is a mistake IMO. Blaming OAuth for OAuth abuse is also a mistake IMO. This is the fault of lazy and/or incompetent staff.
Fucking right! At some point, if you're in charge of deciding what services your users are allowed to delegate their credentials to and in what manner and you haven't done your due diligence, it's kind of on you. There should be some governance structure in place to decide what external parties get access to what data, for what specific purpose, under what conditions, for how long. Nobody in IT likes doing paperwork, but it provides a check against somebody going and giving access to somebody or some organization that they shouldn't or exceeding the scope of authorized access.
 
Moreover, I don't want to see governments all over the world look at something like the Great Firewall and think it's a fucking swell idea and try to replicate it. I don't even like that western companies are complicit in helping to build it, but are they going to turn down money? Fuck no!
You don't want to but our governments disagree. We are seeing increasingly CPC styled internet censorship here, with the previous talks trying to label VPNs as tools for hackers to "access illegal stuff" and all the hate speech laws. There's UK pigs with badges kicking down doors over trannies being upset on social media, something China even wouldn't do. Many politicians are trying to claim that the internet is not a haven outside of the law, which sounds exactly the same as the CPC's mantra stating the internet isn't lawless.

This fact alone makes me want China to conquer Taiwan.
Don't worry, we'll invade Taiwan next week, Falungong outlets said so.
 
We are seeing increasingly CPC styled internet censorship here, with the previous talks trying to label VPNs as tools for hackers to "access illegal stuff" and all the hate speech laws.
The problem with that argument is that it labels VPN technologies as inherently evil, when they only serve a benign purpose of tunneling back into a network over a secure channel. Passing sensitive authentication traffic over the wire without wrapping it in a tunnel is about the dumbest thing you can do, which is why domain controller traffic that leaves your network absolutely must be tunneled out. That's just one example and there are many others.

Their argument is equivalent to stating that because handguns are used in criminal activity, handguns must be labeled as bad and banned (well fuck it's the UK, bad example). Cars? Sure, some people use cars to commit crimes, but labeling cars as tools for criminals completely undermines their lawful use. They just don't like that they can't have a skeleton key that magically decrypts all of the traffic for aggressive IRL jannying of wrongthink. Besides, what harm did salty memes about men dressing like women ever do to hurt anyone?

They can ask for a skeleton key, but to create such a key would fundamentally break the fundamental trust that makes up the internet, because you can't simultaneously guarantee secure communications while having a wiretap to decrypt whatever you want. China, yeah, they have that, because they own the backbone or otherwise control it, the internet sucks there. Companies don't trust it, people don't trust it, nobody worth their salt would trust it.

I see the buzzword 'Zero Trust' thrown around a lot these days. An apt quip would be that it's the perfect zero trust architecture, nobody fucking trusts China. Who in their right mind would want that for the rest of the world besides old fuckers in power that don't understand what they're asking for, or are malicious and don't care?

It's a scary time, but I'm hopeful. If enough people tell them "don't do that, it's a horrible idea", they'll finally get the message. I just have to hold out for logic and reason to win out in the end.
 