Multiple accounts on underground forums recently advertised data allegedly harvested from Chinese government sources, including a recent advertisement for confidential data stolen from China’s Ministry of State Security. The threat actor offering that data requested hundreds of thousands of dollars and Cybersixgill detected another recent advertisement demanding $80,000 for similar data.
In August 2023, Cybersixgill observed members of popular cybercrime forums advertising data allegedly stolen from Chinese government sources. Most recently, Cybersixgill detected an advertisement for multiple terabytes of Chinese data on a major cybercrime forum, including classified information that allegedly belongs to China’s Ministry of State Security (MSS), a secretive law enforcement agency that combines the functions of intelligence services like the FBI and CIA in the U.S.
In the post advertising the MSS data, the seller demanded a price of $235,000. The leak’s purported contents and source, in addition to similar recent incidents, are discussed at greater length in the section that follows. The alleged MSS leak follows several high-profile incidents in 2022, including (1) a May 2022 leak exposing the persecution of the Uyghur ethnic minority in China, and (2) a July 2022 leak of data sourced from compromised networks of the Shanghai National Police (SHGA).
The SHGA information allegedly consisted of 23 terabytes (TB) of data belonging to one billion Chinese citizens, representing one of the largest data breaches China has ever suffered. The content was advertised on multiple underground forums for a price of 10 bitcoin ($200,000). With Chinese government censorship of media coverage, domestic Chinese breaches such as this are rarely disclosed to avoid the appearance of weak cybersecurity posture.
Following the SHGA leak, the perpetrator claimed that the data was exfiltrated from a local private cloud hosted by Aliyun (Alibaba Cloud), operated by the Chinese police’s public security network. If this was indeed the source of the SHGA breach, it is possible that the same, or a similar, initial access point was used to perpetuate the MSS hack.
The stolen SHGA data allegedly included Chinese citizens’ names, addresses, birthplaces, national IDs, phone numbers and criminal records. To prove the authenticity of the data, the attacker provided a 750,000-entry sample, including delivery info, ID information, and police call records. Threat actors could use this data to perpetrate phishing attacks, account takeovers, identity theft, and financial fraud.
While no representatives of the Chinese security community have publicly commented in English-language sources about the authenticity of the MSS data, experts deemed the SHGA leak the largest cybersecurity breach in China’s history. China remains home to one of the world’s top cybercriminal communities, which is populated by sophisticated state-sponsored actors who commit financially motivated crimes and collect valuable intelligence. Threat actors who target the Chinese government therefore risk reprisal at the hands of state actors and other sophisticated Chinese APTs.
The Cybersixgill Investigative Portal collected the post advertising the MSS data on a major cybercrime forum, in addition to other recent posts offering allegedly stolen Chinese data. In the post below (Figure 1), a recently registered forum member advertised the MSS data, claiming that the full data set covers close to half a billion Chinese citizens.
According to the poster, the stolen data include individuals’ names, dates of birth, phone numbers, email addresses, and mailing addresses, which could be used for spearphishing and identity fraud. The poster also referenced unspecified “classified document[s],” in an apparent attempt to portray the content as possessing intelligence value for foreign entities. This is consistent with the overall tone of the post, which presents the data as the product of a breach of China’s secret police.
While a data sample appears to contain Chinese citizens’ personal information, none of the content confirms that the information is “classified” in nature. To that end the only public response to the post was a demand for proof of classified documents. By August 21, 2023, news of the leak had begun to spread on platforms frequented by Chinese cybercriminals.
The post below is the member’s only activity on the forum and the contact information used by the threat actor did not correspond with the aliases of any other individuals in the vast data lake of deep, dark, and clear web sources collected by Cybersixgill. Using a fresh email address signals attention to operational security (OPSEC) to maintain anonymity and evade law enforcement. In addition, the forum member mentioned the use of an escrow and referred disparagingly to “time-wasters,” which represent further indications that this is an experienced threat actor wary of novices.
Cybersixgill also detected activity by a member of a predecessor forum who used the same moniker. In July 2022, that account advertised a five-part leak of Chinese citizens’ data, garnering over 20 positive reactions, with no negative responses.
While there is no definitive evidence linking the two accounts sharing the same username, there is a distinct possibility that this is the same threat actor. It is also possible that the July 2022 content is now being recycled. With that being said, the August 2023 MSS data could in fact be the product of a fresh breach.
Figure 1: Classified Chinese data advertised on a cybercrime forum
In addition to the recent advertisement for MSS data, Cybsersixgill also collected a post on a separate cybercrime forum advertising data related to hundreds of millions of Chinese citizens, which credited a threat actor associated with the Shanghai National Police breach referenced in the first section of this report. The original advertisement for the data in the post below (Figure 2) demanded similar terms of sale (escrow, etc.) to the conditions listed for the MSS data ($80,000 price, escrow required, etc.).
Figure 2: A Chinese data leak advertised on a cybercrime forum
The alleged recent breach of China’s Ministry of State Security potentially exposed the data of half a billion Chinese citizens, which could be used in cyber attacks, social engineering campaigns, and other malicious activities. This breach also potentially exposed the subpar security posture of one of China’s key intelligence agencies. Based on the attempt to sell the data for over $200,000, which followed a similar incident demanding a huge price, it appears that threat actors perceive Chinese government data as highly valuable.
To avoid data breaches in general, all organizations should implement security measures to reduce the surface attack area on corporate environments, including:
● Multi-Factor-Authentication (MFA) for an additional layer of security during login processes.
● Regular security assessments performed by a dedicated security team to ensure the compliance of computing elements to proper security requirements.
● Regular monitoring of critical assets and third parties using Cybersixgill’s Investigative Portal to proactively detect intrusion attempts on corporate networks, data leaks, and sales of assets on underground forums and markets.
 The Ministry of State Security is China's primary domestic and foreign intelligence agency and national security apparatus. The MSS oversees foreign espionage and domestic surveillance, among other functions.
 The SHGA breach was censored by the Twitter-like social network Weibo and Tencent’s WeChat.