The man had immigrated to the U.S. after being born in China’s western region of Xinjiang, where the ethnic minority Uyghurs and other groups have faced mass detentions and other rights abuses. After arriving in the U.S., he began speaking out about the plight faced by Uyghurs.
He didn’t know at the time he got the call that he had been targeted for a hack. A trove of documents that were purportedly leaked from a cybersecurity firm in China this month includes a chat log dated March 2020—weeks before he got the call—in which a representative of the company discusses digging up information on a number of people behind social-media accounts.
The man, who asked not to be identified, said his account was among those identified in the chat log. “I have reasons to believe that I was targeted in a campaign to collect information about Uyghurs,” he said.
The documents, which appeared to come from a Chinese cybersecurity firm called I-Soon, have opened a new window into how China’s government uses surveillance to impose political controls inside and outside of its borders. A Wall Street Journal analysis of the documents indicates a strong focus on people from the country’s periphery, including ethnic minority groups that Beijing sees as a potential source of political instability.
The documents, which were originally uploaded to GitHub, an online platform for developers, before being removed, suggest I-Soon was part of a group of private firms that supplement China’s spying. The Journal couldn’t independently verify the authenticity of the files—including hundreds of pages of chat logs, client lists and product manuals—but cybersecurity experts say the documents appear to be legitimate because they align with activities previously associated with Chinese state-sponsored hacking groups.
The trove of documents suggest I-Soon had a range of targets, but a number of examples point to a focus on ethnic minorities. The files show I-Soon was pitching its hacking capabilities to local security officials in Xinjiang. Chat logs also indicate the firm was offering to monitor Tibetan exiles in India.
I-Soon didn’t respond to a request for comment. China’s Ministry of Public Security didn’t respond to a request for comment.
“The hackers were focused on domestic threats that migrated abroad,” said Drew Thompson, a senior research fellow at the Lee Kuan Yew School of Public Policy in Singapore. “Their clients were keen on data from government bureaus, telecommunication providers, airlines, so they could monitor and access individual emails, phones and keep track of dissidents abroad,” added Thompson, a former senior official at the U.S. Defense Department who was stationed in Beijing.
Under Chinese leader Xi Jinping, national security has become a larger focus, with the Communist Party going to great lengths to crush efforts at political organizing outside of its control. China has been particularly focused on the threat posed by regions on the country’s margins such as Xinjiang, Tibet and Hong Kong, where large numbers of people see themselves as something other than Chinese.
For years, China’s government sent Turkic minorities to indoctrination camps in Xinjiang as part of a campaign of forced assimilation that some rights groups and Western governments described as a “crime against humanity.” The Chinese government describes its policies in Xinjiang as job training designed to curb terrorism and religious extremism.
Beijing has expanded its campaign to target Uyghurs and other minority groups outside China, telling people to spy on their communities abroad or risk retaliation against their family members in Xinjiang, overseas activists say.
“China wants to intimidate Uyghurs by showing their hands can even reach American soil,” said Ilshat Kokbore, a Uyghur activist in the U.S.
In the leaked files, I-Soon claimed to have hacked into dozens of government targets, including ministries in Malaysia, Thailand and Mongolia. The company claimed to have penetrated universities in Hong Kong, Taiwan and France.
The documents show some of its biggest customers include local and provincial-level bureaus of China’s Ministry of State Security, Ministry of Public Security and People’s Liberation Army.
The data trove contains an unsigned copy of a feasibility cooperation contract with a local government in Xinjiang’s southeastern Bayingolin region, home to more than half a million Uyghur Muslims and other minorities. In the contract, I-Soon dangled access to what it termed “antiterrorist” data it had purportedly stolen from governments in Pakistan, Afghanistan, Malaysia, Thailand and Mongolia.
Another of the targets listed was the Hong Kong Confederation of Trade Unions, a pro-democracy labor organization that came under intense government scrutiny during the 2019 protest movement. It was eventually forced to disband in 2021, and some of its leaders are now in jail facing national-security charges.
The organization did experience cyberattacks during and after the 2019 protests, said Mung Siu-tat, its former chief executive who now lives in the U.K. “Our websites were shut down or could not function properly,” he said. “Sometimes we received warnings from Google that our emails were under the threat of state-level attacks.”
I-Soon was founded in Shanghai in 2010 by Wu Haibo, its chairman and general manager. One Chinese media report described Wu as a patriotic hacker who goes by the moniker “shutdown.” Chinese cybersecurity giant Qi An Xin Technology is among the biggest shareholders in the firm.
I-Soon had also been vetted and shortlisted as one of three vendors selected to build a safety defense system for the public security bureau in Xinjiang’s Akusu region, according to an official Xinjiang procurement notice posted in July 2021.
Cybersecurity experts say China’s vast army of state-sponsored hackers is growing more ambitious and sophisticated, pointing to recent breaches of email accounts belonging to the U.S. commerce secretary and other senior officials. Christopher Wray, the director of the Federal Bureau of Investigation, told the Journal earlier this month that Beijing’s efforts to place malware in critical U.S. infrastructure was at “a scale greater than we’d seen before.”
I-Soon appears to represent just one aspect of China’s hacking capabilities. In the past, Chinese hacking operations have broadly focused mostly on military and industrial espionage.
The recent leak “shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire,” SentinelLabs, a cybersecurity firm, said in a report.
I-Soon offered clients a range of tools that it said could infiltrate Microsoft, Apple and Google’s operating systems, by tricking a target into clicking on a phishing link or downloading malware. Using the strategy, the company said it could access the inbox of an Outlook email account, acquiring GPS location data of an iPhone and activating the microphone on an Android device.
Another tool, with an advertised price tag of $55,600 a year, is designed for “public opinion guidance and control” on X. The company claimed to be able to take over accounts without requiring passwords—again by using phishing—as well as process no less than 100 million pieces of raw data daily to allow for “prompt detection” of “negative” and “illegal” public opinion.
Clarence Leong contributed to this article.
Write to Liza Lin at liza.lin@wsj.com and Austin Ramzy at austin.ramzy@wsj.com