SPYWARE-AS-A-SERVICE: What the i-Soon files reveal about China’s targeting of the Tibetan diaspora

18 April 2024 / Turquoise Roof

Executive Summary

The pervasive spread of digital surveillance technologies and their deployment against vulnerable communities has garnered high-level attention from prominent Western governments, including those of the United States, the United Kingdom, France, and Canada. Incidents involving targeted surveillance executed by entities like Israel’s NSO Group through Pegasus malware have ignited widespread concern. These cases have spotlighted the potential of such technologies to undermine human rights and to erode the democratic fabric of societies.

Governments are increasingly incorporating cyber operations into the arsenal of statecraft. This sophisticated integration combines open-source intelligence, geospatial intelligence, human intelligence, and cyber espionage with artificial intelligence, allowing for the gathering and analysis of ever-expanding data sets. Increasingly, such operations are being outsourced. This report scrutinises one instance of outsourced cyber intelligence capabilities, brought to light by the leak of internal documents from a Chinese cybersecurity firm.

In February 2024 a leak of documents from i-Soon, a Chinese cybersecurity firm tied to the nation’s security apparatus, gave new evidence of the People’s Republic of China’s (China or PRC) large-scale and shadowy cyber espionage activities. The data dump provides valuable insight into the priorities of the Party state in hiring hackers to target peripheral communities, including the Tibetan exile administration in Dharamsala, Uyghurs in the diaspora and pro-democracy advocates in Hong Kong, as well as official entities in neighbouring countries such as the Mongolian police and India’s customs agency.

The leak demonstrates both operational continuity and a steady evolution in China’s strategic deployment of targeted surveillance technology. For long-time observers, the leak provides significant evidence confirming that China’s targeting of vulnerable individuals and groups through commercial Chinese cybersecurity companies extends well beyond PRC borders, infiltrating hundreds of official and individual systems.

Examination of the i-Soon files reveals that the Tibetan administration in exile and the Dalai Lama’s Private Office in India were among the targets of sophisticated cyber espionage. i-Soon, whose biggest clients included the Chinese police, the People’s Liberation Army, the Ministry of State Security and the Tibetan regional authorities based in Lhasa, harnessed advanced technological capabilities for data mining and communication pattern analysis.

Data from the i-Soon leak has been linked to previous Advanced Persistent Threats (APT) campaigns targeting the Central Tibetan Administration (CTA), the Private Office of the Dalai Lama, and Tibetan and Uyghur civil society networks. Palo Alto’s Unit 42 were the first to report, with a high degree of confidence, that i-Soon is connected to an APT group known as Poison Carp. This attribution is based on forensic evidence surfaced in the i-Soon dump linking the company to targeting infrastructure attributed by Citizen Lab to Poison Carp, a Chinese threat group hitherto principally known for targeting the mobile phones of Tibetan and Uyghur social movement networks.

The targeting of the mobile phones of CTA officials from 2018 onwards represents a significant shift in the tactics used by threat actors, signalling an adaptation to modern communication methods and an understanding of the increasing reliance on mobile devices for both personal and professional activities. i-Soon’s compromise of mobile devices would facilitate the collection of large amounts of highly sensitive information about civil servants, which would put them, and those in their social network, at significant risk.

A key white paper found in the i-Soon data delineating its product’s capabilities utilises the compromised email inboxes of exiled Tibetan individuals as a case study, demonstrating the product’s ability to manage and analyse “massive” data collections on a “terabyte-scale.” This capability is tailored to satisfy the extensive demand of China’s domestic- and foreign-facing intelligence agencies (i-Soon’s clients) to mine through substantial volumes of intercepted email data and to intricately map the social networks of targeted individuals.

The use of novel intelligence tactics against diaspora populations before global deployment also suggests an approach to cyber operations in which vulnerable populations serve almost as laboratories for China to refine its espionage capabilities. When applied to operations directed at Dharamsala, such testing could not only yield intelligence about Tibetan exiles, but also enhance the sophistication of China’s cyber arsenal, reducing the risk of detection and attribution in global operations against better resourced defences.

The analysis of the interpersonal relationships of target networks of Tibetans in exile deployed by i-Soon mirrors the oppressive securitisation methods used in Tibet. As i-Soon’s customers include the Public Security Bureau of the Tibet Autonomous Region, it is feasible that the web of personal and professional connections surfaced from compromised inboxes of senior Tibetan civil servants in India could have been later ingested into a known big data policing platform. This platform is instrumental in a campaign that criminalises even moderate cultural, religious expressions, language rights advocacy, and crucially, surfaces links to exile Tibetan networks.

The Central Tibetan Administration and the Dalai Lama’s personal office have been under digital threat for twenty-five years, with the GhostNet operation that infected computers in the Dalai Lama’s office making global headlines in 2009. The first public recognition of these security challenges in the early 2000s predated warnings from Western intelligence services about such intrusions. Today’s threats, however, are defined by their complexity and stealth, exploiting both known and unknown vulnerabilities in networked systems.

i-Soon data files offer a glimpse, perhaps for the first time in the public domain, of the upstream APT analytics capabilities of the Party state, offering a new understanding of the processing and utilisation of data exfiltrated by APT groups for i-Soon’s Chinese intelligence and military customers. This also highlights the involvement of commercial enterprises in cyber espionage activities, including significant insight into Beijing’s use of complex AI-driven surveillance systems to enforce political controls over PRC ethnic minority populations, not just within its own borders, but also internationally, in the diaspora(s). Demonstrating sophisticated technologies on vulnerable peripheral communities like Tibetans and Uyghurs appears to be a strategic move for companies like i-Soon to advance their commercial interests.

The i-Soon leak highlights the cybersecurity threats faced by the Tibetan administration in exile, underlining both the imperative for cybersecurity and the profound consequences of cyber espionage for vulnerable populations. These threats accentuate the need for heightened vigilance and international cooperation to fortify the digital defences of those at risk.

Digital transnational repression targeting the Tibetan and Uyghur diaspora serves as a “canary in the digital coalmine” for democracies. Early warning capacity built into these digital diasporas could have surfaced these threats and led to a coordinated response in the West much sooner. Reports by Tibetan and Uyghur sources detailing digital threats from Beijing predated by several years Western intelligence’s public warnings of China’s cyber espionage targeting the corporate sector.