Chinese hackers ‘have drawn up plans to target UK government data’

By Elliefrost @adikt_blog

A state-linked Chinese hacking group has created a hit list of almost 20 British targets, including the Foreign Office and the Department for Exiting the European Union, a data breach has revealed.

The British government departments, think tanks and rights organizations all appeared to have been singled out for possible cyber intrusions in a vast trove of documents leaked from I-Soon, a Shanghai-based private security contractor with ties to China's ministry of public security.

Whether any of the British institutions were hacked has not been confirmed, but the documents claim the company was successful in many other cases, including retrieving a large database of the road network of Taiwan, which China is threatening to invade.

The full list of UK ministries named by the hackers included the Foreign Office, Home Office, Treasury, Department for Exiting the European Union, National Crime Agency and the departments for business, education, environment, transport and healthcare.

Human rights groups were targeted

Think tanks and human rights groups such as Chatham House, the International Institute for Strategic Studies (IISS), Center for Foreign Policy Studies, RAND Europe, Amnesty International and Human Rights Watch were also mentioned.

A screenshot of a conversation between 'Boss Lu', an apparent fixer for a client in Chongqing, and an I-Soon employee revealed that Foreign Affairs was a 'priority' for an unnamed party.

The pair discuss how an I-Soon team discovered a "zero day" vulnerability in the State Department's system, hinting at an undiscovered flaw that could enable clandestine intrusion.

"The team said they have found a zero-day that they can guarantee they will get [info]. The result can be known in two weeks," says the employee, asking whether the customer can pay in advance.

Boss Lu says an advance will be difficult, but they can discuss a future budget.

Unprecedented insight into state-sponsored hacking

The Foreign Ministry declined to comment on the case.

The highly unusual leak of I-Soon files last weekend provides unprecedented insight into the secretive world of Chinese state-backed hackers hired to exploit software vulnerabilities that expose sensitive information.

Analysts say the anonymous leak, which includes hundreds of pages of contracts, marketing presentations, product manuals and private online conversations, provides valuable insight into the country's growing cyberespionage industry.

Most of the contracts shown in the documents are linked to China's Ministry of Public Security, and some are signed by the spy agency of China's Ministry of State Security.

Chinese police were investigating the breach and, according to the i newspaper, British intelligence services were urgently verifying and analyzing the documents to check their authenticity and patch up any weaknesses in the British infrastructure.

American infrastructure

US officials, who have repeatedly warned of cyber attacks, would also search the files. In January, FBI Director Christopher Wray warned that Chinese hackers were "positioning themselves on U.S. infrastructure to wreak havoc" if or when China decides to strike.

I-Soon, known as Anxun in Mandarin, has not commented publicly, but two anonymous employees confirmed the data dump and subsequent investigation to the Associated Press. The company's website was taken down on Tuesday.

The Telegraph has reached out to the company's CEO, who is reportedly a member of China's first hacktivist group, for comment.

An analysis of more than 570 files by The Washington Post found no data derived from Chinese hacking operations, but did find lists, targets and summaries of the amounts of sample data extracted, along with details on whether the hackers gained full or partial control of foreign systems.

One spreadsheet lists more than 80 foreign targets that hackers claim to have penetrated, including immigration data from India and a collection of call logs from South Korean telecom provider LG Uplus. The documents also show that I-Soon hacked networks in Central and Southeast Asia.

Foreign governments

At least 20 foreign governments, such as Taiwan, Malaysia, Thailand, Mongolia and Afghanistan, are listed as targets and some data reveals surveillance methods used against dissidents from Hong Kong, Xinjiang and Tibet, including those exiled abroad.

In one chat, two employees discuss hacking NATO targets before deciding it's too difficult.

The source of the leak is unknown, but the data is considered credible by cyber experts. It was first posted on GitHub and spotted and shared by a Taiwanese security researcher known as Azaka.

"The leak shows insight into what these people generally focus on and are interested in," Azaka said.

The leaked data also confirmed how the Chinese groups operate, what tools they have at their disposal and what malware they used, Azaka added.

Cyber attackers 'linked to Chinese state'

"The leak also gives us insight into how the threat groups operate - in that the employees actually work at a company that is then contracted by the MPS [Ministry of Public Security] to do the dirty work, instead of these attackers being hired directly by the government."

China's Foreign Ministry spokesperson said Thursday that she was not aware of the leak, but "China firmly opposes and combats all forms of cyber attacks in principle in accordance with the law."

A spokesperson for the Chinese embassy in London said: "China is a major victim of cyber attacks," adding that it used "legal methods" to tackle all forms of cyber intrusions.

"China does not encourage, support or condone hacker attacks. We oppose any baseless slander and accusation against China," he said.

"Keeping cyberspace safe is a global challenge. We hope that relevant parties will take a constructive and responsible attitude and work with China to protect cybersecurity."

A spokesperson for Chatham House said the organization was "naturally concerned" but had safeguards in place, such as technology-based security measures, and that it "took data and information security extremely seriously".

"In the current climate, we, along with many other organizations, are the target of regular attack attempts from both state and non-state actors," the spokesperson added.

