Israeli cyber firm investigates $235k ransom for Chinese government data - analysis

The Israeli cybersecurity firm Cybersixgill has found evidence that could link the leak of Chinese government data to a similar event last year.

Anonymous hacker with hood and mask sitting next to computer (Illustrative). (photo credit: INGIMAGE)

Underground cybercrime forums, where digital miscreants congregate to do their dark and digital deeds, have recently played host to several accounts advertising data allegedly pilfered from within the Chinese government.

A particularly audacious advert showcased confidential information supposedly harvested from China’s secretive Ministry of State Security (MSS); the individual behind the sale of this information has affixed a hefty price tag of hundreds of thousands of dollars to their ill-gotten governmental gains.

In August 2023, Israeli cybersecurity firm Cybersixgill discovered that underground forums had suddenly become the stage for a new act: multiple cybercriminals presenting data they claimed to have purloined from Chinese government sources, including one post that advertised the sale of several terabytes of data which purportedly contained classified material sourced from China’s Ministry of State Security, an entity shrouded in secrecy that amalgamates the roles of intelligence agencies akin to the American FBI and CIA.

Within this forum post, the seller boldly demanded a staggering sum of $235,000 for access to the supposedly classified information. This revelation emerged in the wake of two high-profile data leak events in 2022: one which unveiled the persecution of China’s Uyghur ethnic minority, and another which laid bare data from compromised networks affiliated with the Shanghai National Police (SHGA).

The latter incident featured a colossal leak of 23 terabytes of data encompassing a staggering one billion Chinese citizens. This mammoth breach, perhaps one of China’s most expansive, was peddled across several underground platforms at an asking price of 10 bitcoins, then equating to around $200,000. The leak made waves at the time, as such incidents often remain shrouded within China due to the government’s practice of censoring such news, in a bid to present a robust cybersecurity stance.

An illustrative image depicting a cyberattack. (credit: INGIMAGE)

A deeper dive

Using its Investigative Portal, Cybersixgill delved deep into the heart of the matter. After locating the post offering the MSS data on a prominent cybercrime forum, the firm went further, tracing additional posts peddling similarly stolen Chinese data. One of these posts, authored by a newly registered forum member, showcased the MSS data, proclaiming it contained records of nearly 500 million Chinese citizens, including individuals’ names, dates of birth, phone numbers, email addresses, and mailing addresses.

The post’s author cryptically alluded to “classified documents,” hinting at intelligence value for foreign entities. This tone resonated throughout the post, crafting an image of the data as a product of hacking into the inner sanctum of China’s secret police. Yet, despite the presence of personal information found within a data sample taken by Cybersixgill, nothing unequivocally verified its classified nature.

Although definitive evidence remained elusive, the possibility emerged that the previous account activity from July 2022 and the current episode might be intertwined. This hinted at the potential presence of a singular threat actor or the recycling of past content. However, this did not entirely dismiss the possibility that the August 2023 MSS data leak might indeed stem from a recent breach.

Another piece of the puzzle

The illicitly obtained SHGA data purportedly contained an array of comprehensive details – names, addresses, birthplaces, national IDs, phone numbers, and even criminal records of Chinese citizens. To establish the credibility of their haul, the attacker offered a sample containing 750,000 entries, including delivery information, ID records, and even police call logs. With such a treasure trove in hand, threat actors could orchestrate phishing campaigns, wrest control of accounts, perpetrate identity fraud, and execute financial scams.

Following the SHGA breach, the perpetrator made an audacious claim – the data had been siphoned from a localized private cloud hosted by Aliyun, an arm of Alibaba Cloud. This cloud infrastructure, it should be noted, is leveraged by the Chinese police’s public security network; if the SHGA breach was indeed sourced from that access route, or a variant of it, the same method might have been exploited in the MSS hack.

The road ahead

Amid the intrigue surrounding the MSS data, Cybersixgill’s investigation bore fruit in the discovery of another post on a separate cybercrime forum. This post advertised data linked to hundreds of millions of Chinese citizens and bore the signature of the same threat actor tied to the SHGA breach. Notably, the terms of this offering mirrored those of the MSS data sale.

Beyond the breach itself lies a tapestry of implications. The breach involving China’s Ministry of State Security brings forth the potential exposure of data pertaining to approximately 500 million Chinese citizens which, in the wrong hands, could fuel cyberattacks, inspire social engineering exploits, and drive other malicious activities. Yet, the significance of this breach extends beyond its immediate impact, casting a critical light on the preparedness – or lack thereof – of a vital Chinese intelligence agency. As reflected by the substantial asking price and the parallel incident, it becomes evident that cybercriminals have identified Chinese government data as an extraordinarily valuable commodity.

In light of these revelations, a key question emerges – how can organizations prevent such breaches in the future? According to Cybersixgill, the answer lies in robust security measures, including the implementation of Multi-Factor Authentication (MFA) to fortify login procedures.

Regular security assessments, undertaken by dedicated security teams, ensure compliance with stringent security prerequisites. Further, the vigilance and proactive stance enabled by the cybersecurity firm’s Investigative Portal could play a pivotal role in the early detection of intrusion attempts, data leaks, and asset sales within the hidden enclaves of the digital underworld.