As further evidence of government surveillance insiders moonlighting in the data broker market, the SpyCloud researchers point to a leak earlier this year of communications and documents from I-Soon, a cyberespionage contractor to the Ministry of Public Security and the Ministry of State Security. In one leaked chat conversation, one employee of the company suggests to another that “I am just hear here to sell qb,” and “sell some qb yourself.” The SpyCloud researchers interpret “qb” to mean “qíngbào,” or “intelligence.”
Given that the average annual salary in China, even at a state-owned IT company, is only around $30,000, the promise—however credible or dubious—of making nearly a third of that daily in exchange for selling access to surveillance data represents a strong temptation, the SpyCloud researchers argue. “These are not necessarily masterminds,” says Johnson. “They’re people with opportunity and motive to make a little money on the side.”
That some government insiders are in fact cashing in on their access to surveillance data is to be expected amid China’s perpetual struggle against corruption, says Dakota Cary, a China-focused policy and cybersecurity researcher at cybersecurity firm SentinelOne, who reviewed SpyCloud’s findings. Transparency International, for instance, ranks China 76th in the world out of 180 countries in its Corruption Index, well below every EU country other than Hungary—with which it tied—including Bulgaria and Romania. Corruption is “prevalent in the security services, in the military, in all parts of the government,” says Cary. “It’s a top-down cultural attitude in the current political climate. It’s not at all surprising that individuals with this kind of data are effectively renting out the access they have as part of their job.”
In their research, SpyCloud’s analysts went so far as to attempt to use the Telegram-based data brokers to search for personal information on certain high-ranking officials of the Chinese Communist Party and the People’s Liberation Army, individual Chinese state-sponsored hackers who have been identified in US indictments, and the CEO of cybersecurity company I-Soon, Wu Haibo. The results of those queries included a grab bag of phone numbers, email addresses, bank card numbers, car registration records, and “hashed” passwords—passwords likely obtained through a data breach that are protected with a form of encryption but sometimes vulnerable to cracking—for those government officials and contractors.
In some cases, the data brokers do at least claim to restrict searches to exclude celebrities or government officials. But the researchers say they were usually able to find a workaround. “You can always find another service that’s willing to do the search and get some documents on them,” says SpyCloud researcher Kyla Cardona.
The result, as Cardona describes it, is an even more unexpected consequence of a system that collects such vast and centralized data on every citizen in the country: Not only does that surveillance data leak into private hands, it also leaks into the hands of those who are watching the watchers.
“It’s a double-edged sword,” says Cardona. “This data is collected for them and by them. But it can also be used against them.”
