Cyber Incident Victim: People's Republic of China
Date: Aug 2023
Location: China
Summary
A threat actor advertised the sale of terabytes of classified data allegedly stolen from China's Ministry of State Security for $235,000. The data purportedly contained personal information on nearly 500 million citizens, potentially enabling extensive cyberattacks and fraud. This incident highlights the targeting of Chinese government entities and the high value of their data on underground cybercrime forums.
Description
In August 2023, the Israeli cybersecurity firm Cybersixgill discovered advertisements on underground cybercrime forums in which multiple cybercriminals were offering data they claimed to have stolen from Chinese government sources. One particularly significant post advertised the sale of several terabytes of data purportedly containing classified material from China's Ministry of State Security (MSS), an entity that combines the roles of intelligence agencies comparable to the American FBI and CIA. The seller behind this post demanded $235,000 for access to the supposedly confidential information. This incident followed two high-profile data leak events in 2022: one that exposed the persecution of China's Uyghur ethnic minority, and another that laid bare data from compromised networks affiliated with the Shanghai National Police (SHGA). The SHGA incident was itself a massive breach involving 23 terabytes of data on roughly one billion Chinese citizens, which was offered across several underground platforms for 10 bitcoins, equivalent to approximately $200,000 at the time.

The post advertising the MSS data, authored by a newly registered forum member, claimed the dataset contained records on nearly 500 million Chinese citizens. These records allegedly included individuals' names, dates of birth, phone numbers, email addresses, and mailing addresses. The author of the post cryptically alluded to "classified documents," hinting at the data's potential intelligence value to foreign entities. The overall tone of the advertisement presented the data as the product of a successful hack into the inner sanctum of China's secret police. Although the data sample analyzed by Cybersixgill did contain personal information, nothing in that sample unequivocally verified the data's classified nature. The new post might also be linked to account activity observed in July 2022, suggesting either a single threat actor or the recycling of past content, though this did not rule out the possibility that the August 2023 MSS data leak stemmed from a recent and genuine breach.
The investigation by Cybersixgill also uncovered another post on a separate cybercrime forum advertising data linked to hundreds of millions of Chinese citizens. This post bore the signature of the same threat actor previously tied to the 2022 SHGA breach. Notably, the terms of this offering mirrored those of the MSS data sale, suggesting a potential connection between the two incidents or a consistent modus operandi. The SHGA data from the prior year was purported to contain an extensive array of comprehensive details on Chinese citizens, including names, addresses, birthplaces, national IDs, phone numbers, and even criminal records. To establish credibility for that haul, the attacker had offered a sample containing 750,000 entries, which included delivery information, ID records, and police call logs. Such a vast repository of personal information represents a significant threat, as threat actors in possession of it could orchestrate sophisticated phishing campaigns, wrest control of online accounts, perpetrate identity fraud, and execute financial scams on a massive scale.
Following the 2022 SHGA breach, the perpetrator had made an audacious claim that the data had been siphoned from a localized private cloud hosted by Aliyun, an arm of Alibaba Cloud. This specific cloud infrastructure is leveraged by the Chinese police’s public security network. If the claim regarding the SHGA breach's origin was accurate, and the data was indeed exfiltrated from that access route or a variant of it, then the same method might have been exploited in the purported August 2023 MSS hack. This potential connection points to a systemic vulnerability within the cloud infrastructure used by Chinese government entities. The recurrence of such high-profile breaches indicates that cybercriminals have identified Chinese government data as an extraordinarily valuable commodity, warranting substantial ransom demands and attracting significant attention within the digital underworld.
The implications of a breach involving China's Ministry of State Security are profound. The potential exposure of data on approximately 500 million citizens could, in the wrong hands, fuel a wide array of malicious activity beyond simple identity theft. The data could enable highly targeted social engineering, support advanced cyberattacks against both individuals and critical infrastructure, and, should it contain genuinely classified material, be leveraged for espionage by foreign state actors. The significance of such an event extends beyond its immediate impact on citizens' privacy and security; it casts a critical light on the cybersecurity preparedness of a vital Chinese intelligence agency itself. That such a secretive and powerful entity could be compromised, as the threat actor claimed, challenges the perception of its operational security and resilience against modern cyber threats.
The substantial asking price attached to the MSS data, set at $235,000, and the parallels drawn to the earlier SHGA breach, for which the asking price was around $200,000, underscore the high market value that cybercriminals place on large datasets exfiltrated from Chinese government bodies. These incidents reveal a thriving underground economy where stolen data from state organs is treated as a high-value commodity to be auctioned to the highest bidder. The censorship of such news within China, a practice aimed at presenting a robust cybersecurity stance, contrasts sharply with the reality depicted by these repeated and large-scale breaches appearing on international cybercrime forums. This contrast suggests that the public narrative surrounding cybersecurity within the country may not fully align with the events occurring in the digital shadows, where threat actors operate with relative impunity.
The investigation into these forum posts required deep analysis of the digital underworld, a space where cybercriminals congregate to conduct their illicit transactions. Cybersixgill’s Investigative Portal played a pivotal role in uncovering these advertisements and analyzing the available data samples. The firm's vigilance in monitoring these hidden enclaves is crucial for the early detection of such intrusion attempts, data leaks, and the subsequent sale of stolen assets. The discovery of multiple posts from different actors all claiming to possess Chinese government data indicates that this is not an isolated phenomenon but rather a persistent threat landscape targeting specific entities within the Chinese governmental structure. The recycling of old data or the reemergence of past threat actors further complicates the attribution and verification process, making it challenging to ascertain the true scope and recency of any claimed breach.
