I-S00N
Chinese intelligence in all its states
Chinese intelligence in all its states
On February 16, 2024, a significant breakthrough occurred in the public understanding of the collaboration between the Chinese government and private enterprises in the field of intelligence. A post on a specialized darknet forum exposed sensitive information belonging to Anxun, a company known for its expertise in the development of espionage tools and active involvement in intelligence operations.
The leaked data was made available through two distinct channels, accompanied by specific retrieval links for Mega and GitHub. The presence of the GitHub link notably facilitated access to this data. While the Mega link remains accessible, access via GitHub has been removed.
While the original repositories are now inaccessible, multiple copies have surfaced on various platforms, sometimes with translations and partial sorting. This proliferation underscores the extent of the leak and its impact within the cyber community. In-depth analysis of these data reveals critical information, including:
- Lists of clients revealing specific ties with the current regime
- Screenshots of conversations indicating specific requests regarding targets
- A list of entities targeted by surveillance, highlighting the means deployed to gather intelligence
- Product presentation brochures and a summary of the company’s offerings, allowing technical solutions to be matched against the capabilities of the company
- An agreement document between the Xinjiang Public Security Bureau in Bazhou and the company proving the close ties between the Chinese regime and Anxun.
The analysis conducted is divided into three parts: first, the examination of lists, surveillance logs, and screenshots reveals Anxun’s practices and targets. Next, the study of the services offered by the company assesses its technological capabilities. Finally, the examination of the agreement with the Chinese government highlights the legal and operational frameworks of their collaboration.
It is worth noting that all analyzed documents have been translated using an automatic translator and have undergone careful reconstruction. Despite the possibility of translation errors, especially in screenshots, special attention has been paid to contextualization and cross-referencing of information from multiple documents to ensure the integrity of the analysis. For a concise representation of the distribution of different document formats studied, a diagram illustrating their distribution according to their nature is presented below.
Exploration of Anxun’s Methods and Targets: Logs, Screenshots, and Tables
Analysis of Logs
While logs represent only a limited portion of the leak, they reveal details about the monitored targets. These files shed light on telephone conversations and internet data streams originating from mobile devices, thanks to identification through phone numbers and IMEI, unique identifiers for each device.
The analyzed elements also specify the involvement of various telecommunications operators, notably Beeline, a major player in Russia, and Tele2, with a significant presence in Europe.
In-depth analysis of the logs indicates a notable convergence: the majority of surveillance activities concern individuals or entities located in Kazakhstan. This geographical focus is not incidental and suggests a targeted surveillance strategy for this region. This observation relates to security concerns and intrusions within telecom networks, a topic that will be further explored through the study of screenshots and other leaked documents.
Examination of Screenshots
Screenshots constitute a substantial part of the leaked content. The majority of these images pertain to message exchanges between different pseudonyms. Below is a graph illustrating the interactions among these various pseudonyms, based on data retrieved from this GitHub:
In the analysis of captured exchanges, discussions primarily revolve around requests for information gathering on various targets, including operations related to NATO. It should be noted that not all extracted conversations directly relate to the intelligence activities of the company. Some of them cover everyday topics and appear to reflect ordinary interactions between colleagues.
To establish a connection with the following sections of this article and enhance the analysis of screenshots, it is essential to highlight images specifically related to interception activities and the theft of data targeting different organizations, as evidenced by the following screenshot:
Additional details about these operations will be provided, supported by other elements, including, among others, tables listing the targeted entities.
Decryption of Disclosed Tables
The Excel tables disclosed in the form of screenshots reveal several lists that provide interesting insights into Anxun’s operations and business practices.
These documents highlight various aspects, including:
- Quotations for Anxun’s Products: They reveal the cost of different products offered by the company.
- Employee Performance and Confidential Information: Detailed tables outline employee results and contain sensitive data for some of them.
- Summaries of Stolen Data: These documents provide information on data extracted from various telecom operators and airlines, notably from Vietnam and Myanmar.
- Extract from a CRM: Tracking of clients and orders placed. Some names mentioned in these documents can be interpreted as referring to military units or law enforcement, illustrating the governmental scope of Anxun’s operations. For example, Unit 59 and the Public Security Bureau of Haikou in Yunnan Province are specifically mentioned. Similarly, Unit 938 in Hubei Province and other institutions in various Chinese provinces are mentioned. These references confirm that Anxun’s clients are largely from the public sector.
- List of Targets: The last table contains a list of individuals and organizations targeted by the company. The columns in this table indicate names, types of data, and sampling dates. It is noteworthy that among this information are the names and surnames of two individuals affiliated with Sciences Po.
These Excel tables unveil the internal workings of Anxun, both in terms of business and human resources. They also underscore the significant efforts deployed to infiltrate various organizations with the aim of collecting large quantities of data. The substantial presence of government entities among its clients confirms Anxun’s integration into the Chinese intelligence ecosystem, highlighting its role in widespread surveillance and information collection.
Introduction to Anxun’s Products and Services
Discovery of Capabilities
The documents obtained in this leak provide an insight into the capabilities and services offered by Anxun. Primarily sourced from white papers and presentations, this information illustrates the diversity and sophistication of the tools developed by the company for surveillance, communication interception, and offensive operations.
The ability to implement such extensive surveillance fundamentally relies on the development of advanced and effective technical solutions, an aspect we will explore in more detail here.
Among the reconstructed documents are several PDF files revealing various aspects of Anxun’s activities:
- A document, which we will examine in more detail later, appears to illustrate a formal collaboration between Anxun and a local government authority in China
- A PowerPoint presentation consisting of around ten slides, serving as a summary of the company’s capabilities and business offerings. It will not be examined in detail here as it seems to recapitulate elements already discussed.
- A tender and an instruction manual for the Hector software.
- White papers providing detailed technical analyses of certain products offered by Anxun.
- A comprehensive presentation of the services offered by Anxun.
The different white papers provide an overview of the capabilities offered by Anxun and the products implemented to gather intelligence across various platforms. These papers include a collection of requirements, technical architecture, and demonstration screenshots for the following products:
- An email analysis platform & Outlook information extraction platform: Platforms for analyzing emails and extracting information based on keywords and other parameters relevant to the interception target.
- Remote connection platform to a secure private network.
- Training platforms: These are oriented towards practical training, with one focusing on conducting blue team/red team exercises and another on training in intrusion tests through various scenarios.
- A platform dedicated to combating online gambling.
- An automated intrusion testing platform and a suite of tools that can be used in offensive operations.
- A “remote control of Windows systems” platform, essentially a RAT. In addition to this platform, we find the user manual for Hector, a tool for remote access via a webshell.
- A platform for controlling people’s opinions on Twitter and social platforms such as forums.
- An analysis platform for algorithm-assisted intelligence operations.
Below is an excerpt from the content of the white paper dedicated to Twitter:
The examination of the services offered by Anxun reveals a wide range of technical capabilities and value propositions. However, it is important to emphasize that the presence of these services in the documents does not automatically confirm their availability or effective implementation. Some of the presented solutions may still be in the conceptual stage of research and development, intended for future commercialization. This nuance is crucial to assess the actual scope of Anxun’s activities and their potential impact in the fields of cybersecurity and intelligence.
Diving into the Array of Products
To provide a more detailed illustration of this section regarding the white papers, several elements that have particularly caught our attention are presented below.
One of the documents highlights a remote control tool, commonly referred to by the acronym RAT, designed for Windows systems. This document not only details the functioning of this tool but also explains how it has been adapted for other operating systems such as MacOS and Linux.
It has been observed from the document that this RAT has also been modified to operate on mobile platforms such as Android and iOS, thereby expanding its scope of use and surveillance.
To further our illustration, the document regarding the presentation of Anxun’s commercial services, enriched with detailed visuals of various tools, provides an in-depth overview of the architecture implemented for email interception.
To continue, the product range exclusively showcased in Anxun’s services presentation highlights various specialized hardware tools. Among them, there are tools designed to attack Wi-Fi networks with the goal of retrieving passwords and conducting reconnaissance phases before intrusion. Two versions of these tools are offered:
In the same vein, to enable the localisation of mobile devices via the Wi-Fi system, specific equipment has been designed. This device compels surrounding devices to connect to its access point, thereby allowing the tracking of all users in a given area. Here is an image of the product:
It is also observed that Anxun has developed a system similar to the one used by TOR to anonymize connections. As mentioned in the service description, this is used to anonymize operations on foreign networks. The similarity to the system used by TOR is evident from the technical description of the product’s operation, as illustrated below:
The ‘Anti-Tracking Wall’ is provided in the form of the following hardware:
In the continuation of the presentation of commercial services, among other things, there is a detailed description of tools for controlling public opinion, an automated intrusion testing platform, as well as the Falcon platform. It is also noted the presence of a real-time intelligence analysis platform based on a cloud architecture named SkyWalker:
In addition to that, there is the analysis platform for algorithm-assisted intelligence operations, mentioned earlier.
This detailed exploration of Anxun’s products and services demonstrates advanced technical expertise in the field of intelligence and surveillance. The tools, tailored for multiple operating systems and designed for specific operations, reflect a capacity for innovation and a commitment to extensive surveillance.
Agreement with the Public Security Bureau of Xinjiang
An agreement between the Public Security Bureau of Bazhou, located in the Bayingol Autonomous Prefecture within the Uighur Autonomous Region of Xinjiang, and the company Anxun was detailed in a document. While this document addresses conflicts between the local government and various factions considered as terrorists, our analysis will primarily focus on aspects related to Anxun’s products and intelligence activities.
The document reveals that Anxun has engaged in information gathering by infiltrating various entities, covering an extensive range of services and businesses across multiple countries, including:
- In Pakistan:
-> Data from the counterterrorism center of the Punjab region.
-> Data from government services: postal service, Punjab police service, and the Pakistani police station in Perouz.
-> Communication data from the Zong operator.
- In Afghanistan:
-> Access to the Intranet and postal service of the Afghan National Security Council.
- For the Southeast Asia Counterterrorism Center:
-> Postal service data.
- In Malaysia:
-> Political and economic data from the Ministries of Foreign Affairs and Interior.
-> Military data from the Malaysian military network.
- In Thailand:
-> Political and economic data from the Ministry of Commerce and Finance.
- Mongolia:
-> Political and economic data from the Mongolian police and foreign affairs ministries.
-> Communication data from Mongolian operators.
- For Air Astana and Air Macau:
-> Travel data.
- In Kazakhstan:
-> Communication data from Kcell and Beeline operators; some of this data is available in various leaks.
Regarding generic intelligence, the document indicates that for Afghanistan, Syria, Uzbekistan, and Iran, the company has set up specific project teams for particular targets and to prepare for potential infiltration.
In terms of technical capabilities, Anxun offers defensive and offensive cybersecurity training to the Bazhou Public Security Bureau. Although the document mentions a defensive program, the offensive part is more emphasized. For example, there are repeated mentions of network penetration tools and remote terminal control tools.
In a third part of the document, the idea of a talent training plan is discussed, resembling an apprenticeship or internship system. It emphasizes the significant relationship between schools, the public security bureau, and businesses.
In the fourth and final part, there is a section on the complete construction of a research and development laboratory focusing on cyber offensive programs, digital forensics, and population surveillance. All of this is in accordance with the overall policy of the government. Below is an excerpt related to the expansion of research and development capabilities of the Chinese government:
Several technical aspects are discussed in this part:
- Strengthening offensive capabilities in cyberspace.
- The use and improvement of network protection tools and their auditing.
- The use of reconnaissance equipment to obtain “internet-oriented” intelligence related to network access points and any other available or retrievable information.
- Development of tools dedicated to secrecy control and VIP defense.
- Utilization of commercial links for intelligence gathering.
- Development of equipment for monitoring social networks, emails, and other remote terminal control systems.
For the construction of this laboratory, the company Anxun proposes the provision of equipment and training.
In conclusion…
This data leak, occurring in mid-February 2024, marks a turning point in public awareness regarding cyber interference operations conducted by China. The disclosed documents shed light on advanced surveillance operations and cutting-edge technologies, indicating a well-established intelligence strategy that raises significant questions about information security and privacy protection on a global scale.
Despite the Chinese government’s formal denial of almost all the facts revealed by these documents, the extent and depth of connections between the entities mentioned in the data leak and the Chinese government remain concerning.
The detailed examination of these leaked documents reveals an extensive range of espionage methods, highlighting a variety of sophisticated techniques and tools for infiltration, surveillance, and the collection of critical information. These revelations demand a reconsideration of current cybersecurity strategies, urging governments, organizations, and individuals to enhance their defense measures against an ever-evolving threat.
Gatewatcher’s Purple Team will update this article with any new relevant information that emerges in the coming weeks or months.
Authors: Gatewatcher Purple Team and 0xSeeker