A reported trove of leaked Chinese hacking documents may have given the world a glimpse of how widespread and effective China’s hacking operations could be.
More than 570 files and documents were posted to the developer platform GitHub last week, The Washington Post reported. They appear to document hacking activity across multiple countries and come from iSoon, which the Post identified as a private security contractor with ties to China’s Ministry of Public Security.
{snip}
On Wednesday, the Associated Press reported that China’s police were investigating the leak, citing two unnamed iSoon employees it spoke with. The employees told the AP that the documents belonged to the group.
The files mentioned targets ranging from government agencies to businesses such as telecommunications firms in at least 20 foreign countries and territories including the UK, India, South Korea, Thailand, and Malaysia, the Post reported.
The hackers had claimed to be able to exploit vulnerabilities in software made by companies including Microsoft and Google, per the Post. (The Post said that Microsoft didn’t respond to a request for comment and that Google said the documents didn’t mention specific vulnerabilities in its software.)
While the Post’s report didn’t mention any US targets, the files align with repeated warnings from security officials and experts on China’s hacking operations.
The FBI chief, Christopher Wray, told “60 Minutes” in October that China was running “the biggest hacking program in the world.”
Wray said China had “stolen more of our personal and corporate data than every nation, big or small, combined.”
And when it comes to tackling the threat posed by Chinese hackers, Wray said the FBI was finding itself outnumbered.
{snip}
Representatives for China’s foreign ministry didn’t immediately respond to a request for comment from Business Insider.
Correction: February 22, 2024 — This story was updated to clarify that The Washington Post had characterized a hacking group’s ability to exploit vulnerabilities in companies’ software as claims, not as fact, and to note the Post’s efforts to contact Microsoft and Google about the claims. An earlier version of this story also misspelled the surname of a cybersecurity expert interviewed by the Post. It’s John Hultquist, not John Hultquitist.