22 February 2024

Chinese hack-for-hire firm claims to have hacked multiple govts across the world


Chinese authorities are investigating a major leak of documents from I-Soon, a private security contractor associated with the country's top policing agency and other governmental entities. The cache of documents, which surfaced on GitHub last week, provides a rare glimpse into the firm's alleged cyber espionage activities.

The trove of documents, numbering in the hundreds, sheds light on I-Soon's purported activities, including what appears to be hacking operations targeting both Chinese nationals and foreigners. An analysis conducted by cybersecurity firm SentinelOne described I-Soon (aka Anxun) as a company vying for “low-value hacking contracts” from various government agencies.

According to SentinelOne and Malwarebytes, the leaked documents suggest that I-Soon infiltrated several government departments, including those from India, Thailand, Vietnam, South Korea, and NATO.

The company is also said to have developed sophisticated tools capable of compromising devices across multiple operating systems, including Linux, Windows, macOS, iOS, and Android. Notably, the Android exploits purportedly allow for the extraction and transmission of users' messaging histories from Chinese chat applications (QQ, WeChat, and MoMo), as well as Telegram.

I-Soon purportedly sought contracts in Xinjiang, a region where the Chinese government has faced international scrutiny for its treatment of the Muslim Uyghur population. The documents suggest that I-Soon attempted to secure work in Xinjiang by highlighting its experience in anti-terrorism operations in Pakistan and Afghanistan.

Moreover, the leaked materials detail the hardware hacking devices allegedly employed by I-Soon, including a device described as a “poisoned power bank” capable of uploading data into victims' machines.

As of now, the source of the leak remains unidentified. Researchers theorize that the data could have been leaked by a disgruntled employee.
