The Hacking Factory: Inside China's I-Soon Leaks and Privatised Espionage Ecosystem

 

This investigative report forensically examines China's privatised cyber espionage ecosystem: the I-Soon (Anxun) contractor leak of 2024, APT41 and Volt Typhoon's living-off-the-land intrusion methodology, Zero-Day stockpiling strategy, and the Salt Typhoon penetration of US telecommunications infrastructure. The second instalment in the Dragon's Reach series — the most comprehensive open-source analysis of China's state-directed hacking architecture available in English.

[Illustration: a cyber mechanical dragon with green code wings and red laser eyes dominating a globe, a container port, and a microchip, representing global technology and supply chain control.]

■ Table of Contents

I. The Privatisation of State Espionage
II. The I-Soon Leaks: Anatomy of a Hacking Contractor
2.1  The February 2024 GitHub Dump
2.2  The Business Model: Hacking-as-a-Service
2.3  Target Lists and Operational Breadth
III. Technical Tactics: LotL, Zero-Days, and Infrastructure Implants
3.1  Living off the Land (LotL) Methodology
3.2  Zero-Day Stockpiling and Exploit Economics
3.3  Salt Typhoon: The Telecommunications Penetration
IV. APT Deep-Dive: Barium (APT41) and Volt Typhoon
4.1  APT41: The Dual-Mission Operator
4.2  Volt Typhoon: Pre-positioning for Conflict
4.3  Target Sector Analysis: 2024–2026 Pattern
V. China's Counter-Narrative: The PRISM Gate Inversion
5.1  The Snowden Framework as Diplomatic Weapon
5.2  China's Cyber Sovereignty Doctrine
5.3  The Analytical Asymmetry
VI. Conclusion: The Invisible War's Digital Theatre

~5,400 words  |  24 min read  |  Sources: SentinelOne • Mandiant • NSA • DOJ • CISA • GitHub (I-Soon leak)

Series: Cyber Espionage — Part II  |  ← Part I: The Invisible Architect

■ Decoding Curiosity | Investigative Report ■


⚠ Legal Disclaimer

This article is published solely for academic, educational, and informational purposes. All information, case analyses, legal citations, technical data, and source references presented herein are drawn from publicly available open-source materials, including declassified government documents, court records, peer-reviewed research, official press releases, and investigative journalism already in the public domain. No classified, restricted, or proprietary information has been used or disclosed. This publication does not constitute legal, financial, intelligence, or policy advice of any kind. The views expressed represent the author's independent analytical assessment and do not represent the position of any government, institution, intelligence agency, or commercial entity. Named individuals, organisations, and cases are discussed solely on the basis of publicly documented legal proceedings, official government indictments, verified court records, or statements made in the public record. Readers are advised to consult primary sources and qualified professionals before drawing operational conclusions from this material. The author and publisher accept no liability for any action taken or omitted in reliance on information contained in this publication.

Abstract

In February 2024, an anonymous source deposited approximately 570 files onto GitHub — internal documents from Shanghai Anxun Information Technology Co. Ltd., known as I-Soon, a Chinese cybersecurity contractor. The leak revealed, with unprecedented specificity, the operational and commercial architecture of China's privatised hacking industry: bidding systems for state collection contracts, product catalogues of compromised government networks sold by the terabyte, and the mundane corporate grievances of underpaid operatives conducting state espionage on piece-rate contracts. This report examines the I-Soon ecosystem alongside the parallel technical picture provided by the NSA's Volt Typhoon advisories, Mandiant's APT41 indictment record, and CISA's Salt Typhoon telecommunications breach disclosures — constructing a forensic map of the most sophisticated and systematically documented state cyber programme in operation.

I. The Privatisation of State Espionage

The conventional understanding of state-sponsored hacking positions the government as the primary actor: intelligence agency officers seated in secure facilities, operating classified tools against foreign targets under direct institutional command. This model — largely accurate for the NSA's Tailored Access Operations (TAO) division and Russia's GRU Unit 26165 (Fancy Bear) — does not adequately describe China's operational architecture. What the I-Soon leaks revealed in 2024, and what years of Mandiant, SentinelOne, and Recorded Future analysis had incrementally suggested, is that China's cyber collection programme operates through a market — a competitive, price-discovering, contractor-mediated market in which private companies bid for state intelligence collection mandates and deliver compromised data as a commercial product.

This structural distinction has profound analytical consequences. A government agency conducting espionage is constrained by bureaucratic accountability, career incentive structures, and legal frameworks — however weakly enforced — that shape operational behaviour. A commercial contractor conducting espionage for government clients operates under different incentives: revenue maximisation, client retention, competitive differentiation, and cost minimisation. The I-Soon documents revealed contractors complaining about delayed payment, demanding bonuses for high-value targets, and diversifying their client base across multiple MSS and PLA bureaus simultaneously — the behavioural signatures not of disciplined intelligence officers but of a competitive service industry.

The National Counterintelligence and Security Center's 2023 annual threat assessment described this ecosystem as "the world's largest and most sophisticated state-sponsored cyber programme" — a characterisation that requires unpacking. Sophistication, in this context, does not mean technical elegance: many documented Chinese intrusion techniques are methodologically straightforward. It means scale, persistence, and institutional coordination — the capacity to maintain thousands of simultaneous intrusions across dozens of countries, over periods measured in years, with sufficient discipline to avoid attribution until collection objectives are met.

"The I-Soon documents are the most significant leak of Chinese intelligence contractor material ever made public. They show not a monolithic state hacking apparatus but a cottage industry of competing firms, each hustling for MSS contracts."

— Dakota Cary, Atlantic Council Cyber Statecraft Initiative, March 2024

This report proceeds in four analytical layers. First, the I-Soon leak itself: what was disclosed, what it confirms, and what it reveals about the contractor market's structure. Second, the technical methodology: the specific intrusion techniques documented across APT groups attributed to Chinese state direction, with particular focus on the "living off the land" (LotL) approach that has made Chinese intrusions exceptionally difficult to detect and evict. Third, two specific threat actors examined in depth — APT41 and Volt Typhoon — whose operational profiles illustrate the spectrum from financially motivated dual-track operations to pure strategic pre-positioning. Fourth, China's counter-narrative, which has evolved from simple denial to a sophisticated inversion argument grounded in the Snowden revelations.

II. The I-Soon Leaks: Anatomy of a Hacking Contractor

2.1 The February 2024 GitHub Dump

On approximately February 16, 2024, an anonymous actor — identity and motivation still unconfirmed — uploaded a compressed archive to a GitHub repository. The archive contained 570 files totalling approximately 190MB: internal chat logs from the DingTalk corporate messaging platform, product catalogues, client contracts, financial records, employee complaints, and operational target lists. The source organisation was identified as Shanghai Anxun Information Technology Co. Ltd. (上海安洵信息技术有限公司), operating commercially as I-Soon — a cybersecurity firm founded in 2010, headquartered in Shanghai, with branch offices in Chengdu and elsewhere.

The authenticity of the leak was rapidly assessed by multiple independent research organisations. SentinelOne's threat intelligence team, Mandiant (Google Cloud), and Recorded Future each conducted independent verification, cross-referencing specific claims in the documents against previously observed intrusion infrastructure, malware samples, and victim disclosures. Their collective assessment: the documents are genuine. The Chinese government did not issue a formal denial of authenticity — an atypical response that multiple analysts interpreted as implicit acknowledgment.

The disclosed materials confirmed I-Soon's operational relationship with at least two MSS provincial bureaus (Xinjiang and Shanghai) and elements of the Ministry of Public Security (MPS). The firm operated as what the documents describe as a "network penetration contractor" — a company whose commercial product is access to foreign computer networks, delivered to government clients who specify collection requirements through a bidding and tasking system.

2.2 The Business Model: Hacking-as-a-Service

The I-Soon product catalogue — a document evidently prepared for prospective government clients — lists available services with pricing structures that reveal the commercial logic of the operation. Among the disclosed products:

| Product / Service            | Description                                                                                       | Disclosed Price       |
|------------------------------|---------------------------------------------------------------------------------------------------|-----------------------|
| Government Network Access    | Persistent access to foreign ministry / government agency networks, maintained and updated        | ¥500K–2M per target   |
| Bulk Data Package            | Exfiltrated email archives, credential databases, and internal documents sold by data volume      | Per TB, variable      |
| Twitter/X OSINT Platform     | Proprietary tool for tracking, deanonymising, and profiling foreign social media accounts         | ¥100K–500K            |
| Targeted Device Implant      | Custom malware deployment against specific named individuals, including iOS and Android variants  | Negotiated            |
| Telecom Traffic Interception | Access to foreign ISP or telecom carrier infrastructure for passive traffic collection            | ¥1M+ per carrier      |

Source: I-Soon GitHub leak, February 2024. Prices approximate, taken from the RMB figures disclosed in the documents. SentinelOne/Mandiant verification confirmed.

The pricing structure reveals a market with differentiated product tiers. Low-value targets — civil society organisations, regional media — are evidently processed at volume and lower margin. High-value targets — foreign ministry networks, defence-adjacent institutions, telecommunications carriers — command premium prices and presumably dedicated operational resources. The DingTalk chat logs show employees negotiating bonuses for high-difficulty intrusions and complaining when client agencies delayed payment for delivered access credentials — the commercial friction of a professional services market, not the disciplined silence of a government intelligence directorate.

2.3 Target Lists and Operational Breadth

The I-Soon documents identify targets across at least 20 countries and territories, with a concentration in Southeast Asia (Vietnam, Thailand, Malaysia, Myanmar, Philippines), South Asia (India, Pakistan, Nepal, Bangladesh), and Central Asia (Kazakhstan, Kyrgyzstan). European targets are documented with lower frequency but include specific reference to NATO member foreign ministry networks. Among the specifically documented compromised entities, as assessed by SentinelOne's analysis of the leaked materials:

Documented Target Categories (I-Soon Leak)

Telecommunications carriers (10+ countries) • Foreign affairs ministries (Southeast Asia) • Military logistics networks (Central Asia) • Ethnic minority diaspora communities (Uyghur, Tibetan, Hong Kong democracy advocates) • COVID-19 research institutions (2020–21 period) • Gambling and gaming platforms (financial fraud secondary mission) • Indian government infrastructure (post-2020 border dispute context) • ASEAN member state diplomatic cables

The I-Soon documents also confirm a social engineering dimension operating in parallel with technical intrusion. Operatives are documented using LinkedIn, ResearchGate, and academic conference platforms to establish contact with foreign government employees, defence researchers, and technology company engineers — mirroring exactly the approach documented in the Xu Yanjun case (Part I). The pattern is consistent: initial contact framed as professional networking or academic collaboration, escalating to requests for "consultation" that elicit sensitive information without any technical intrusion required. The LinkedIn vector is particularly effective because it exploits professional norms of engagement — declining a connection request from a credible-seeming professional counterpart carries social cost, and the platform's design actively encourages mutual disclosure of institutional affiliation, current projects, and expertise areas. Microsoft's 2023 Digital Defense Report identified LinkedIn as the primary initial contact platform in documented Chinese state social engineering operations, with estimated hundreds of thousands of malicious connection attempts per year.

The inclusion of ethnic minority diaspora surveillance targets alongside foreign government networks confirms a point long asserted by human rights organisations: China's cyber collection programme serves two parallel masters — the foreign intelligence mission of the MSS and the domestic security mission of the MPS, which targets overseas Chinese communities perceived as politically threatening. I-Soon employees, the DingTalk logs reveal, were aware of and operational in both domains simultaneously.

III. Technical Tactics: LotL, Zero-Days, and Infrastructure Implants

3.1 Living off the Land (LotL) Methodology

"Living off the land" is the operational security doctrine that has defined Chinese advanced persistent threat (APT) activity since approximately 2019 and has been most dramatically exemplified by the Volt Typhoon campaign. The principle is disarmingly simple: rather than deploying custom malware that can be detected by signature-based endpoint protection, an intruder uses the legitimate administrative tools already present on the compromised system to conduct all post-exploitation activity. No foreign binaries are introduced. No new software is installed. The attacker's commands are functionally indistinguishable from the legitimate administrative traffic generated by the system's own operators.

The specific tools exploited under LotL doctrine in documented Chinese intrusions include:

Windows built-in tools used in LotL intrusions:
wmic.exe       — Windows Management Instrumentation (lateral movement, remote execution)
powershell.exe — Scripting engine (credential harvesting, data staging)
certutil.exe   — Certificate utility (file download, base64 decode, proxy bypass)
netsh.exe      — Network shell (port forwarding, firewall rule modification)
ntdsutil.exe   — AD database tool (credential extraction from NTDS.DIT)
Source: NSA/CISA/FBI Joint Advisory AA23-144A, May 2023 (Volt Typhoon)

The detection challenge LotL poses to conventional security operations is profound. Security information and event management (SIEM) systems are typically tuned to alert on anomalous process executions — unknown binaries, unsigned executables, network connections to unusual destinations. An intrusion conducted entirely through signed Microsoft system utilities generates alerts indistinguishable from routine system administration. The CISA advisory on Volt Typhoon noted that defenders had to develop new detection logic specifically looking for combinations of legitimate tool usage — wmic calling PowerShell calling netsh in a sequence inconsistent with any documented administrative workflow — rather than any individual tool invocation.
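The advisory's point that detection has to key on combinations of legitimate tools rather than on any single invocation can be made concrete with a small detector. The following is an added example written for this page, not code from the advisory or from any vendor product: it reconstructs parent-child process lineages from a constructed batch of process-creation events (the shape a SIEM would normalise from Sysmon Event ID 1 or Windows Security 4688), flags the wmic → powershell → netsh sequence named above, and separately flags the certutil download and ntdsutil database-access usage modes from the tool list. The event fields, the chain table and the indicator tokens are assumptions chosen for illustration; the command lines are placeholders, not working commands.

```python
"""Added example: flagging living-off-the-land tool chains in process telemetry."""

# Constructed process-creation events (not real telemetry). Field names mirror what a
# SIEM would carry for Sysmon Event ID 1 / Windows 4688; command lines are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    # lineage A: wmic spawns powershell, which spawns netsh (the chain named in the text)
    {"pid": 200, "ppid": 100, "image": "wmic.exe",       "cmd": "wmic.exe process call create <placeholder>"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -Command <placeholder>"},
    {"pid": 400, "ppid": 300, "image": "netsh.exe",      "cmd": "netsh.exe <port-forwarding placeholder>"},
    # certutil invoked in URL-cache (download) mode
    {"pid": 500, "ppid": 100, "image": "certutil.exe",   "cmd": "certutil.exe -urlcache -f http://<placeholder>/x"},
    # benign administration: the same signed tools, but not in the flagged combination
    {"pid": 600, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe Get-Service"},
    {"pid": 700, "ppid": 600, "image": "netsh.exe",      "cmd": "netsh.exe advfirewall show allprofiles"},
    {"pid": 800, "ppid": 100, "image": "certutil.exe",   "cmd": "certutil.exe -verify cert.cer"},
]

# Ordered ancestor->descendant tool sequences that do not match a documented admin
# workflow. Only the sequence cited in the text is listed; a real deployment would
# hold more and tune them against a baseline of the organisation's own workflows.
SUSPICIOUS_CHAINS = [
    ("wmic.exe", "powershell.exe", "netsh.exe"),
]

# Single-tool indicators: a command-line token marking the non-administrative usage
# mode the tool list above describes for that binary (assumed token set).
SINGLE_TOOL_INDICATORS = {
    "certutil.exe": ("urlcache", "decode"),
    "ntdsutil.exe": ("ntds",),
}


def build_lineages(events):
    """Map each pid to its ancestor chain of image names, root first, leaf last."""
    by_pid = {e["pid"]: e for e in events}
    lineages = {}
    for e in events:
        chain, seen, pid = [], set(), e["pid"]
        while pid in by_pid and pid not in seen:   # guard against pid-reuse cycles
            seen.add(pid)
            chain.append(by_pid[pid]["image"].lower())
            pid = by_pid[pid]["ppid"]
        lineages[e["pid"]] = list(reversed(chain))
    return lineages


def is_subsequence(pattern, seq):
    """True if every element of pattern occurs in seq in the same relative order."""
    it = iter(seq)
    return all(p in it for p in pattern)


def detect(events):
    """Return (pid, reason) findings for chain matches and single-tool indicators."""
    findings = []
    lineages = build_lineages(events)
    for e in events:
        img, cmd = e["image"].lower(), e["cmd"].lower()
        # A chain only fires on the process that completes it, so the benign
        # powershell -> netsh lineage without a wmic ancestor stays silent.
        for chain in SUSPICIOUS_CHAINS:
            if img == chain[-1] and is_subsequence(chain, lineages[e["pid"]]):
                findings.append((e["pid"], "chain:" + "->".join(chain)))
        for token in SINGLE_TOOL_INDICATORS.get(img, ()):
            if token in cmd:
                findings.append((e["pid"], f"tool:{img}:{token}"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Running it reports only the netsh process at the end of the wmic-rooted lineage and the certutil download invocation; the standalone PowerShell, netsh and certutil uses pass, which is the behaviour the advisory describes: the signal is the lineage, not the binary.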

The network layer complement to LotL is the use of compromised small office/home office (SOHO) routers and VPN appliances as operational relay infrastructure — a technique that makes the geographic origin of malicious traffic almost impossible to attribute without extraordinary investigative access. Volt Typhoon's documented infrastructure consisted almost entirely of compromised Cisco RV320, Netgear ProSAFE, and Asus routers located in the United States, Japan, and Europe — meaning that traffic to and from victim networks appeared to originate from domestic IP addresses, defeating geography-based network access controls.

The FBI and CISA's January 2024 joint advisory specifically identified the KV Botnet — a Volt Typhoon-controlled network of hundreds of compromised Cisco and Netgear SOHO routers, Axis IP cameras, and NETGEAR ProSAFE devices — as the primary relay infrastructure for Volt Typhoon's US operations. The KV Botnet is notable for two characteristics: its deliberate selection of end-of-life devices (hardware no longer receiving security updates, making remediation effectively permanent absent hardware replacement), and its geographic distribution concentrated in US residential and small-business IP space. A court-authorised FBI operation in January 2024 disrupted the KV Botnet by remotely issuing a factory-reset command to compromised devices — but the underlying vulnerability (unpatched firmware on EOL SOHO hardware) remains endemic in the millions of devices constituting the potential botnet pool.

3.2 Zero-Day Stockpiling and Exploit Economics

A zero-day vulnerability is an undisclosed software flaw for which no patch exists — the digital equivalent of a master key. In the commercial exploit market (brokers such as Zerodium, Crowdfense, and various state-adjacent entities), validated zero-day exploits for high-value targets command prices ranging from $50,000 (browser exploits) to over $2.5 million (full iOS zero-click chains, according to Zerodium's published acquisition price list). China's approach to zero-day management is documented in a 2021 regulatory change that directly illuminates strategic intent.

China's Regulations on the Management of Network Product Security Vulnerabilities, enacted September 2021 by the Ministry of Industry and Information Technology (MIIT), requires that any entity discovering a vulnerability in a "network product" used in China must report it to the MIIT within 45 days — but specifically prohibits reporting the vulnerability to the product's developer or to any foreign organisation before MIIT review is complete. This regulation effectively creates a state option on every zero-day discovered by Chinese security researchers: the government reviews the disclosure first, determines whether the vulnerability has intelligence value, and may elect to retain it for offensive use rather than permitting vendor remediation.

Technical Context: SQL Injection and XSS in Government Targeting

The I-Soon documents reference use of SQL Injection (exploiting unparameterised database queries: '; DROP TABLE users; -- pattern) and Cross-Site Scripting (XSS, injecting malicious scripts into trusted web contexts) against foreign government web portals. These are not sophisticated techniques — both are decades-old vulnerability classes listed in the OWASP Top 10. Their continued effectiveness against foreign ministry and government agency web infrastructure reflects the persistent failure of target organisations to implement basic input validation, Content Security Policy headers, and parameterised query practices. The I-Soon operatives used these entry-level techniques as initial access vectors, then pivoted to LotL methodology for persistence and lateral movement once inside the network perimeter.
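As an added example, not code from the I-Soon material or any project: the unparameterised query beside its parameterised form, using Python's standard sqlite3 module and the exact injection pattern quoted above, followed by the output-encoding and Content Security Policy controls the paragraph names as the missing defences. The users table, the two probe strings and the CSP value are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample schema and data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def table_exists(conn, name="users"):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1


# The injection pattern quoted in the text above.
SQLI_INPUT = "'; DROP TABLE users; --"


def lookup_unsafe(conn, name):
    # VULNERABLE: the value is spliced into the SQL text. executescript() stands in
    # for a driver or stored-procedure layer that accepts stacked statements, which is
    # the condition under which the quoted pattern actually drops the table.
    conn.executescript(f"SELECT id FROM users WHERE name = '{name}'")


def lookup_safe(conn, name):
    # HARDENED: a bound parameter is transmitted as data and never parsed as SQL, so
    # the same input is just a literal that matches no row.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def demo_unsafe():
    conn = make_db()
    lookup_unsafe(conn, SQLI_INPUT)
    return table_exists(conn)          # False: the table is gone


def demo_safe():
    conn = make_db()
    rows = lookup_safe(conn, SQLI_INPUT)
    return table_exists(conn), rows    # (True, []): nothing matched, table intact


# XSS side: reflecting user input into HTML without encoding versus with encoding.
XSS_INPUT = "<script>alert(1)</script>"   # the classic harmless probe string


def render_unsafe(user_input):
    # VULNERABLE: attacker-controlled text becomes markup inside a trusted page.
    return f"<p>Search results for: {user_input}</p>"


def render_safe(user_input):
    # HARDENED: entity-encode so the text is displayed rather than interpreted.
    return f"<p>Search results for: {html.escape(user_input)}</p>"


# Defence in depth: a restrictive CSP (constructed example policy) that forbids inline
# script, so a reflection that slips past encoding still cannot execute.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    print("users table survives unsafe lookup:", demo_unsafe())
    print("safe lookup (table intact, rows):", demo_safe())
    print(render_unsafe(XSS_INPUT))
    print(render_safe(XSS_INPUT))
    print("%s: %s" % CSP_HEADER)
```

Parameterisation fixes the first class at the boundary where data meets the query parser; encoding fixes the second at the boundary where data meets the HTML parser; CSP is the backstop for the cases where a template author forgets the second. None of the three is novel, which is the paragraph's point.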

A parallel long-horizon collection strategy documented by NSA analysts and the CISA 2025 quantum advisory is the "Harvest Now, Decrypt Later" (HNDL) approach. Current public-key cryptography — specifically RSA and elliptic-curve Diffie-Hellman key exchange, which protects the majority of encrypted government and commercial communications — is theoretically vulnerable to a sufficiently powerful quantum computer running Shor's algorithm. No such quantum computer currently exists at operational scale, but China's quantum computing programme (including the USTC-developed Jiuzhang photonic processors and the superconducting Zuchongzhi series) represents one of the world's most heavily funded efforts to achieve cryptographically relevant quantum computing capability. The HNDL strategy is straightforward: intercept and archive encrypted traffic now — particularly long-shelf-life secrets such as intelligence identities, weapons programme data, and diplomatic cables — and decrypt it when quantum capability matures. The NSA's post-quantum cryptography migration guidance, and NIST's 2024 finalisation of post-quantum cryptographic standards (CRYSTALS-Kyber for key encapsulation, CRYSTALS-Dilithium for digital signatures), represent direct responses to the HNDL threat assessment.

3.3 Salt Typhoon: The Telecommunications Penetration

In October 2024, the Wall Street Journal reported — subsequently confirmed by CISA and the FBI in a joint advisory — that a Chinese state-linked threat actor designated Salt Typhoon had penetrated the network infrastructure of multiple major US telecommunications carriers, including AT&T, Verizon, and T-Mobile, as well as carriers in over a dozen other countries. The intrusion was assessed to have begun as early as 2022 and remained active through at least late 2024 — a persistence period of approximately two years inside the core infrastructure of US communications networks.

The specific capability accessed by Salt Typhoon was the carriers' lawful intercept infrastructure — the systems maintained under the Communications Assistance for Law Enforcement Act (CALEA) that allow US law enforcement agencies to conduct court-authorised wiretaps. By penetrating this infrastructure, Salt Typhoon effectively gained access to the legal interception capability of the US government, enabling collection against any communications subject that US law enforcement had sought or might seek a wiretap warrant for — including sensitive counterintelligence targets, criminal informants, and protected source communications. Senior US intelligence officials described the breach as among the most damaging in the history of US telecommunications security.

The technical vector exploited by Salt Typhoon in multiple carrier networks was a combination of vulnerabilities in Cisco IOS XE (a network operating system running on carrier-grade routers) and undisclosed access to carrier network management systems — access potentially facilitated by compromised vendor credentials or supply chain insertion. The CALEA infrastructure itself was accessed via legitimate carrier network management tools, consistent with the LotL doctrine: no custom malware introduced, no anomalous binary executed, only administrative credentials and legitimate network management protocols repurposed for intelligence collection.

IV. APT Deep-Dive: Barium (APT41) and Volt Typhoon

4.1 APT41: The Dual-Mission Operator

APT41, tracked by Mandiant under the alias Barium and by Microsoft as Brass Typhoon, represents the most analytically unusual entity in China's cyber ecosystem: a threat actor that simultaneously conducts state-sponsored espionage and financially motivated criminal activity. The DOJ indictment of five APT41 members (September 2020, Case No. 2:20-cr-00326, District of Columbia) charged defendants with conducting both espionage against technology, defence, and healthcare organisations and financially motivated intrusions targeting the gaming, gambling, and cryptocurrency sectors — sometimes using the same infrastructure and the same personnel for both missions.

By 2024–26, APT41 has added a third operational dimension to its portfolio: software supply chain attacks. Rather than targeting end-user organisations directly, APT41 has been documented compromising the build environments of software vendors — introducing malicious code into legitimate software packages that are then distributed to thousands of downstream customers through trusted update mechanisms. The SolarWinds model, pioneered by Russian GRU in 2020, has been adopted and adapted: Mandiant's 2024 attribution analysis linked APT41 infrastructure to a compromised managed service provider (MSP) whose software update pipeline served clients across the healthcare, financial services, and government sectors in Southeast Asia. One intrusion, one insertion point, thousands of victim networks simultaneously compromised — the economy of scale that defines supply chain exploitation as the dominant frontier of advanced persistent threat activity.

The dual-mission structure reflects a specific institutional arrangement: APT41's identified members are employees of two Chengdu-based contractor companies (Chengdu 404 Network Technology and Chengdu Bo Technology) operating under MSS sponsorship. The MSS mission provides state protection and collection mandates; the criminal activity provides personal financial supplement — an arrangement that effectively monetises the operators' technical skills while maintaining plausible deniability between the government client and the criminal conduct. Mandiant's tracking of APT41 since 2012 documents over 100 intrusions across 14 countries, making it the most prolific single Chinese APT in the documented record.

| Attribute                | APT41 (Barium)                   | Volt Typhoon                   | Salt Typhoon                 |
|--------------------------|----------------------------------|--------------------------------|------------------------------|
| Primary Mission          | Espionage + financial crime      | Strategic pre-positioning      | Intelligence collection      |
| Primary Targets          | Tech, pharma, gaming, defence    | Critical infrastructure (US)   | Telecom carriers (global)    |
| Preferred Initial Vector | Spearphishing, supply chain      | VPN/router vulnerabilities     | Cisco IOS XE, CALEA systems  |
| Custom Malware           | Yes (POISONPLUG, CROSSWALK)      | Minimal — LotL doctrine        | Minimal — LotL doctrine      |
| Avg. Dwell Time          | 180 days (Mandiant M-Trends)     | 300+ days (NSA advisory)       | ~730 days (2022–2024)        |
| Attributed Sponsor       | MSS / Chengdu 404                | PLA / MSS (disputed)           | MSS (assessed)               |

4.1.5 Storm-0558: Cloud Forgery and the Microsoft Breach

A third Chinese state-linked actor deserves specific treatment: Storm-0558, tracked by Microsoft Threat Intelligence, which in May–June 2023 successfully forged authentication tokens to access the Microsoft Exchange Online email accounts of approximately 25 organisations — including the US State Department, the US Department of Commerce (including Secretary Gina Raimondo's account), and multiple European government ministries. The intrusion exploited a cryptographic signing key that Storm-0558 had illicitly obtained from Microsoft's production environment, enabling the group to mint valid authentication tokens for any Microsoft cloud account — a capability that Microsoft's post-incident review described as a "validation error in Microsoft code" combined with an inadvertent key exposure in a crash dump.

The Storm-0558 operation is technically distinct from LotL infrastructure operations: it targeted the authentication layer of cloud services rather than on-premises network infrastructure, and exploited a cryptographic trust chain rather than administrative tools. Its strategic significance lies in the specific targets selected — the State Department account compromise occurred during a period of sensitive US-China diplomatic negotiations, and the Commerce Department breach targeted the official responsible for implementing semiconductor export controls. The precision of target selection confirms intelligence-directed tasking rather than opportunistic collection. By 2026, Storm-0558 remains active, with MSTIC advisories noting continued interest in cloud-hosted government communications infrastructure.
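The "validation error" the paragraph describes reduces, at the level of principle, to a token verifier honouring a signing key outside the scope that key was issued for. The following is an added example and a generic model only: it is not Microsoft's code and makes no claim about how its actual validation logic was written. It implements a minimal HS256 token issuer and verifier with two separately scoped key sets (labelled "consumer" and "enterprise" purely as assumed names) and shows that a verifier which resolves the token's key id only within the expected issuer's key set rejects a token signed with a key from the other set, whereas a verifier that accepts any key id it has ever seen admits it. Issuer URLs, audience, key material and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(key_id: str, key: bytes, claims: dict) -> str:
    """Issue a compact HS256 token: base64url(header).base64url(claims).base64url(mac)."""
    header = {"alg": "HS256", "kid": key_id}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


# Constructed key sets, one per issuer. A key is valid ONLY for the issuer it sits under.
KEY_SETS = {
    "https://login.example/consumer":   {"kid-consumer-1":   b"consumer-secret-constructed"},
    "https://login.example/enterprise": {"kid-enterprise-1": b"enterprise-secret-constructed"},
}


def verify(token, expected_issuer, expected_audience, key_sets,
           scope_keys_by_issuer=True, now=None):
    """Return (ok, reason). The trusted issuer is fixed by the verifier, not by the token."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "alg"
    if scope_keys_by_issuer:
        # HARDENED: only keys belonging to the issuer this service trusts are candidates.
        candidates = key_sets.get(expected_issuer, {})
    else:
        # WEAK: any known key id is accepted regardless of which issuer owns it; a key
        # from an unrelated scope can then mint tokens this service believes.
        candidates = {k: v for ks in key_sets.values() for k, v in ks.items()}
    key = candidates.get(header.get("kid"))
    if key is None:
        return False, "unknown kid for issuer"
    expected_mac = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, b64url_decode(s_b64)):
        return False, "bad signature"
    if claims.get("iss") != expected_issuer:
        return False, "issuer"
    if claims.get("aud") != expected_audience:
        return False, "audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def demo(now=1_700_000_000):
    """Exercise the verifier with a legitimate token, a cross-scope token and an expired one."""
    ent, con = "https://login.example/enterprise", "https://login.example/consumer"
    claims = {"iss": ent, "aud": "mail-api", "sub": "user@example", "exp": now + 3600}
    legit = sign_token("kid-enterprise-1", KEY_SETS[ent]["kid-enterprise-1"], claims)
    # Same claims, but signed under a key from the other key set.
    cross_scope = sign_token("kid-consumer-1", KEY_SETS[con]["kid-consumer-1"], claims)
    expired = sign_token("kid-enterprise-1", KEY_SETS[ent]["kid-enterprise-1"],
                         {**claims, "exp": now - 1})
    return {
        "legit_strict":    verify(legit, ent, "mail-api", KEY_SETS, now=now),
        "cross_strict":    verify(cross_scope, ent, "mail-api", KEY_SETS, now=now),
        "cross_lax":       verify(cross_scope, ent, "mail-api", KEY_SETS,
                                  scope_keys_by_issuer=False, now=now),
        "expired_strict":  verify(expired, ent, "mail-api", KEY_SETS, now=now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The design point is that the verifier selects the key set from its own configured issuer before it ever reads the token's `kid`, so a structurally valid signature under the wrong scope fails at key lookup rather than being trusted because the MAC happens to verify. A verifier that flattens all key sets into one lookup table passes the same token, which is the class of error the post-incident language points at.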

4.2 Volt Typhoon: Pre-positioning for Conflict

If APT41 represents the commercial dimension of China's cyber ecosystem, Volt Typhoon represents its strategic core — and it is arguably the more alarming of the two. First publicly disclosed in a joint NSA/CISA/FBI advisory in May 2023, Volt Typhoon is assessed to be pre-positioning within US critical infrastructure — not to conduct espionage or steal intellectual property, but to develop the capability to disrupt or destroy that infrastructure in the event of a military conflict, specifically in a scenario involving Taiwan.

The sectors targeted by Volt Typhoon — documented across hundreds of confirmed intrusions in the US alone — include communications, energy, transportation (rail and aviation), water/wastewater systems, and maritime port logistics. These are not technology-rich research organisations where intellectual property collection would be the logical objective. They are the operational sinews of military logistics: the infrastructure that would need to function — or, from China's perspective, be prevented from functioning — in the event of a Pacific military contingency. FBI Director Christopher Wray testified to the House Select Committee on the Chinese Communist Party in January 2024 that Volt Typhoon had targeted "the communications, energy, transportation, and water sectors" and represented "a defining threat of our generation."

"China is waiting for just the right moment to deal a devastating blow. Volt Typhoon has burrowed into our critical infrastructure and is waiting, patient and quiet, for the order to strike."

— FBI Director Christopher Wray, House Select Committee on the CCP, January 2024

The operational logic is a cyber variant of classical anti-access/area denial (A2/AD) strategy. China's conventional military doctrine for a Taiwan contingency assumes that US forces would need to deploy from bases in Guam, Japan, and the continental United States. Disrupting the logistics networks — port management systems, air traffic control communications, rail freight scheduling, fuel pipeline management — that enable that deployment could impose delays measured in days or weeks. In a fast-moving amphibious operation, that delay could be strategically decisive. Volt Typhoon's pre-positioned access, if activated, would not need to defeat the US military directly; it would need only to create sufficient logistical friction to degrade the tempo of any intervention.

4.3 Target Sector Analysis: 2024–2026 Pattern

| Sector                 | APT41 Activity | Volt Typhoon Activity | Strategic Objective                                    |
|------------------------|----------------|-----------------------|--------------------------------------------------------|
| Telecommunications     | ●●●            | ●●●                   | CALEA access, communications disruption                |
| Defence / Aerospace    | ●●●            | ●●                    | Technology theft, order-of-battle (OB) intelligence    |
| Healthcare / Pharma    | ●●●            | —                     | R&D theft (COVID-19 era: vaccines)                     |
| Energy / Power Grid    | —              | ●●●                   | Pre-positioning for disruption (A2/AD)                 |
| Transportation / Ports | —              | ●●●                   | Military logistics degradation capability              |
| Financial Services     | ●●             | —                     | Cryptocurrency theft (financial); sanctions evasion    |

●●● = High activity  ●● = Moderate  ● = Documented but limited. Source: Mandiant M-Trends 2024, NSA/CISA joint advisories 2023–2025.

V. China's Counter-Narrative: The PRISM Gate Inversion

5.1 The Snowden Framework as Diplomatic Weapon

China's official response to cyber espionage allegations has evolved considerably since the early 2010s, when blanket denial was the standard posture. By 2024–26, Beijing has developed a more sophisticated counter-framework that does not primarily contest individual attribution findings but challenges the moral authority of the accusing parties to make those findings actionable. The primary instrument of this counter-narrative is the Snowden corpus.

Edward Snowden's 2013 disclosures revealed that the NSA's PRISM programme collected user data from major US technology platforms (Google, Facebook, Apple, Microsoft, Yahoo) under FISA court orders; that the NSA conducted bulk collection of telephone metadata from US carriers; that the Five Eyes alliance shared signals intelligence across borders; and — critically for Chinese diplomatic purposes — that the NSA had conducted intrusion operations against targets in China and Hong Kong, including Chinese telecom carriers and the servers of Tsinghua University. The NSA's dedicated China operations team, the Office of Tailored Access Operations, maintained documented offensive capability against Chinese networks including the Huawei headquarters in Shenzhen.

Beijing's diplomatic playbook deploys these disclosures as a structural equivalence argument: the United States, which accuses China of cyber espionage, conducts cyber espionage at comparable scale against Chinese targets. MoFA press briefings responding to US indictments of Chinese hackers consistently reference "PRISM Gate" as evidence of American hypocrisy, demanding reciprocal accountability before any Chinese behaviour can be subject to international censure. State media outlets, particularly Global Times and Xinhua, amplify this framing for domestic and international audiences.

5.2 China's Cyber Sovereignty Doctrine

Beyond the Snowden deflection, China advances a principled alternative framework for internet governance: cyber sovereignty (网络主权, wǎngluò zhǔquán), the doctrine that each nation-state has the sovereign right to control internet content and network infrastructure within its territory, and that no external actor — including an internet-based foreign NGO, news organisation, or government — has the right to operate within that territory without state authorisation. This doctrine, institutionalised in China's Cybersecurity Law (2017) and Data Security Law (2021), frames the "open internet" model advocated by the US and EU as a form of digital imperialism designed to extend Western informational influence into sovereign digital spaces.

Within this framework, China's cyber operations targeting foreign networks are characterised — when acknowledged at all — as defensive responses to an information environment already dominated by Western platforms (Google, Meta, Amazon, Microsoft) whose data collection practices constitute, in Beijing's framing, a form of ongoing economic and intelligence exploitation of Chinese citizens. The argument is internally consistent, if not persuasive to Western audiences: if Western technology platforms are permitted to collect behavioural data from Chinese users as a condition of market access, why does the reverse flow of data — Chinese state collection from Western networks — constitute a violation of international norms?

5.3 The Analytical Asymmetry

The forensic investigator is obligated to engage with this counter-narrative structurally rather than dismissing it. The structural equivalence argument has genuine force: the United States does conduct offensive cyber operations, and the normative framework governing state behaviour in cyberspace remains contested and incompletely codified. The Tallinn Manual (v2.0, 2017), the most authoritative non-binding legal analysis of international law's application to cyber operations, confirms that significant areas of permissible state behaviour remain undefined — including the legality of peacetime intelligence collection through cyber means, which most states (including the US) consider lawful under customary international law.

However, the equivalence argument fails at two points of specificity. First, the I-Soon documents and the APT41 indictment record document the targeting of commercial intellectual property — trade secrets, pharmaceutical research data, financial records — for economic advantage. This is categorically different from the traditional foreign intelligence collection that all major states conduct and that no country formally treats as unlawful when foreign governments conduct it against them. The US has not, to any documented extent, stolen Chinese pharmaceutical formulations and transferred them to American drug companies. Second, Volt Typhoon's pre-positioning in civilian infrastructure — power grids, water systems, hospital networks — for potential wartime disruption differs from intelligence collection in kind, in degree, and in its legal character under the laws of armed conflict.

VI. Conclusion: The Invisible War's Digital Theatre

The I-Soon leak did not reveal a secret. It documented, with granular commercial specificity, a reality that the intelligence and cybersecurity research community had been mapping for over a decade: that China operates the world's largest state-sponsored cyber collection programme through a market of competing private contractors, that this market serves both foreign intelligence and domestic surveillance missions simultaneously, and that its operational product — compromised government networks, stolen research data, intercepted communications — is delivered as a commercial service priced by the terabyte and the access credential.

What the leak added was institutional texture: the underpaid analysts complaining in DingTalk about bonus structures, the product catalogues listing Southeast Asian government networks with per-terabyte pricing, the competitive bids between contractor firms for MSS collection contracts. This texture matters analytically because it confirms that the ecosystem is not a unified command structure but a market — and markets are responsive to incentive changes in ways that command structures are not. If the commercial contractors face prosecution risk, contract cancellation risk, or reputational damage in future legitimate markets, the equilibrium of the market shifts. The Volt Typhoon campaign represents the inverse challenge: a purely state-directed, non-commercially-motivated operation that is unresponsive to any contractor-market incentive and can only be countered by changing the underlying network architecture that makes pre-positioning possible.

The convergence of Part I's reverse engineering machine with Part II's hacking factory produces the full operational picture: China is attempting to close the technology gap through physical acquisition (stolen alloys, disassembled chips, recruited engineers) and digital acquisition (stolen source code, exfiltrated research data, compromised design files) simultaneously and in coordination. The physical and digital vectors are not parallel programmes; they are complementary phases of a single long-term industrial strategy — one that the IP Commission estimated was costing the United States $225–600 billion annually in 2017, a figure that the intervening acceleration of Chinese collection activity has almost certainly made conservative by 2026.

Investigator's Summary

The hacking factory documented by the I-Soon leak is not an anomaly in Chinese industrial policy — it is an expression of it. The same institutional logic that directs MSS case officers toward jet engine engineers directs contractor firms toward foreign government networks. The commercial structure that prices government network access by the terabyte is the digital equivalent of the grey-market procurement networks that route disassembled CFM56 engines to Chinese metallurgical laboratories. Understanding either programme in isolation produces an incomplete picture. Understanding both as phases of the same acquisition strategy produces the forensic clarity that effective countermeasure design requires.

Primary Sources & References

  • I-Soon (Anxun) GitHub Leak Archive, February 2024 — verified by SentinelOne, Mandiant, Recorded Future
  • SentinelOne Threat Intelligence, I-Soon Analysis: China's Hacking Contractor Market Exposed (March 2024)
  • Mandiant (Google Cloud), APT41: A Dual Espionage and Cyber Crime Operation (2019, updated 2024)
  • NSA / CISA / FBI Joint Advisory AA23-144A, People's Republic of China State-Sponsored Cyber Actor Living off the Land (May 2023)
  • CISA / FBI / NSA Joint Advisory, PRC-Linked Cyber Actors Compromise Routers and IoT Devices (December 2023)
  • U.S. Department of Justice, United States v. Zhang Haoran et al. (APT41 indictment), Case No. 2:20-cr-00326 (2020)
  • FBI Director Christopher Wray, Testimony before House Select Committee on the CCP (January 2024)
  • CISA, Salt Typhoon: People's Republic of China Targeting of Commercial Telecommunications Infrastructure (October 2024)
  • Ministry of Industry and Information Technology (China), Regulations on the Management of Network Product Security Vulnerabilities (September 2021)
  • Mandiant, M-Trends 2024: Special Report
  • Schmitt, M.N. (ed.), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge University Press (2017)
  • Zerodium, Published Vulnerability Acquisition Price List (2024 edition)

