
Inside China's Cyber Espionage Business
Sasha Ingber: Welcome to SpyCast, the official podcast of the International Spy Museum. I'm your host, Sasha Ingber, and each week, I take you into the shadows of espionage, intelligence, and covert operations across the globe.
Ahana Datta Fasel became the British government's first ethical hacker in 2014, testing vulnerabilities in computer systems and networks which hackers could potentially exploit. She was only 23, but that gave her an early look at state-sponsored cyber intrusions, which of course have grown more serious and sophisticated. Today, her book, Full Stack Spies: Cyber Espionage in the Age of US-China Competition, explores China's business of spying online. She joins me from London to talk about the competition, vanities, and betrayals between hackers, tech companies, and the government through some of Beijing's most destructive military and civilian cyber operations.
Hey, Ahana. How are you?
Ahana Datta Fasel: Yes, very well, thank you. How are you, Sasha?
Sasha Ingber: I'm good. Starting off the day here in DC. I know you're in London. Thank you for joining me.
Ahana Datta Fasel: It's a pleasure to be here. Thank you for having me.
Sasha Ingber: So in our very first conversation, you described yourself as an inveterate scroller, which was a term I found very amusing.
And, and you told me that you went down this rabbit hole. There was this Chinese cyber security services company called i-Soon that saw its data leak back in 2024, and this is a company that conducted cyber espionage with the People's Liberation Army, with the Ministry of State Security. So first off, why did this data leak?
Ahana Datta Fasel: It was a sort of painting of continuous dissatisfaction internally, um, that seems to have resulted in this kind of leak. We have their group chats, their sort of company WeChat, for a period of almost five years. And then in February 2024, when, um, this group chat was leaked, uh, suddenly it had the attention of China watchers, uh, and cybersecurity professionals all around the world, uh, trying to figure out what this tells us about the Chinese ecosystem.
And what I did instead was to look over the entire, uh, f- sort of years and years worth of, uh, conversations and try and figure out why... W- what changed in the company? What, what sort of organizational behaviors changed here that led to this leak? And so what it feels like is that over the course of five years, there was quite a lot of internal unhappiness and disgruntlement with not being paid properly, um, or being asked to a bit too much, or being stretched beyond their regular hours.
Although, I, I don't think we'll ever know for certain, uh, but it was, uh, um, it was, it was quite interesting in the way that, um, the leak encompassed all their marketing materials, but none of their actual cyber weaponry. So none of the capabilities that held, uh, intrinsic financial value, but certainly enough, uh, of their marketing and their, uh, group chats to be able to bring the company itself down.
Sasha Ingber: So maybe this was a disgruntled worker who had limitations in what they chose to leak, and this was actually discovered by a Taiwanese security firm. Can you tell me about who i-Soon was targeting before we move into what the actual leak had in it?
Ahana Datta Fasel: Yeah, I mean, i-Soon, uh, was spread over, uh, three locations in mainland China.
So they had a Beijing bureau, they had a bureau in Chengdu, and really that's kind of the two main bureau where the CEO and the CEO are based. They had this sort of floating third bureau, uh, in Shanghai. They were targeting essentially anything and everything they could get their hands on. And it is, I suppose, a, a slightly damning view of Western security researchers that we saw i-Soon's activities under the guise of, uh, a wider hacker ring, uh, and followed their activities over the course of over 12 years, um, but not really pinning it down to them being i-Soon, but part of a wider collective based out of Chengdu.
So over the course of 15-odd years, they compromised hundreds of organizations all over the world, whether that was in healthcare companies in the US, whether that was towards, uh, the South China Sea provinces and territories. So they had quite a wide, uh, and scattered remit, and the reason for that is that the relationships that they built within organizations like the Ministry of, uh, State Security were quite decentralized.
Ahana Datta Fasel: So they were essentially hedging for contracts wherever they could get them, and their operations ran the gamut of whatever those interests might have been.
Sasha Ingber: So let's go into this leak now. What were you looking for as you're scrolling through what ends up being about five years of conversation on WeChat?
Ahana Datta Fasel: Well, I was looking for, uh, what kind of patterns might come out of these chats, the pattern of life, to try and sort of see the commonalities in behavior to, to understand what makes these people tick, but also how, uh, the company culture might have changed over the course of five years. I was looking for their reactions to sort of big events like having their sort of comrade hacker groups being indicted and what they thought of that.
And I was looking for, um, who they name-check, uh, who they brag about, uh, what sort of worries they might have, um, the sort of state of their financial health, um, and where their pressure points were.
Sasha Ingber: Who was in this chat, and what were the dynamics like?
Ahana Datta Fasel: It was quite a small group. They, they have a CEO, and, you know, all their Christian names are provided, uh, by the D- DOJ's indictment notice.
So what I'll do is use their hacker names, which is kind of, you know, for, for us hackers, it's kind of like our artist names. You know, that's how we would rather refer to each other. So the CEO is called Shutdown, and Shutdown is this bombastic creature. He's full of energy and full of opportunism. Uh, and over the course of five years, whenever he's sort of in the chat, whenever he's on the scene, he's talking about, "Oh, I had dinner with this lieutenant general, and I had a meeting with this sort of regional middle management, uh, official, and we're gonna take on a couple of, uh, junior officers from the army and try and train them."
So this really larger-than-life character, and in great contrast is his operations manager, or the COO, uh, who's called Leng Mo, uh, real name Chen Cheng, and he presents as this constant worrywart. He is this perpetually anxious, sort of looking at the books not quite adding up, sort of worrying about, uh, about everything from the kind of quality of wine at office parties to how do they get their next contract.
So you really have these two very different characters. And then in the middle, uh, you have this rotating cast of people who come and go, uh, whether that's freelancers, whether that's, uh, a group that has been indicted by, uh, the DOJ who's now essentially homeless and jobless, who they've brought into their company, uh, whether that's, uh, um, interns who they've got on just because these interns are well-connected with regional, uh, uh, government officials.
The most notable thing I found as, you know, as, as a, a person of, uh, uh, a technical background was that they don't really talk about the hacking very much at all Uh, their primary worry is, um, well, are in this order, drinking, girls, and how they're going to afford the infrastructure for all their ambitions.
Sasha Ingber: Order of importance.
Ahana Datta Fasel: Yeah. And the day that, um, one of the most notorious front companies in Chengdu called the Chengdu 404 Network Technology company, and this is, you know, another sort of Ministry of State- State Security-fronted offensive cyber companies. The day they're indicted by the DOJ, sometime in 2020, our Warrior COO, Leng Mo, comes onto the chat.
He was like, "Oh, my goodness, they've been indicted. Their mugshots are all over the internet. This is, this is outrageous." And the CEO, this bombastic shutdown persona, uh, starts laughing and says, "Well, great. The next time we'll invite them to drink 41 glasses of wine 'cause they've been caught out." And the reason he says 41 is because the US intelligence community identified, uh, the group in Chengdu as the Advanced Persistent Threat group number 41.
So they were mocking, uh- ... both the US and their comrades who had been caught out. Um, but they knew that they'd get-- uh, that they won't be unemployed for too long. Um, um, and so, so they subsume them, uh, and then they fall out with them.
Sasha Ingber: What happened?
Ahana Datta Fasel: Well, what we think happened, at least going by the chats, was that they brought in, uh, uh, these, uh, former Chengdu 404, uh, uh, people who brought with them cyber capabilities, um, that, and this sounds really prosaic, uh, that I soon thought they did- they didn't have a non-compete over, and the Chengdu 404 guys thought that they did.
And so there's this internal dispute about using software, which is actually offensive cyber, uh, uh, capability, uh, about who gets to use what. Um, and so if you look at the chats and if you look at, uh, uh, say, uh, forensic reports on this, uh, on the sort of wider ring that researchers at, for example, Google have published, in 2022, there's this period of complete silence, and that's because they're trying to wade through this dispute.
And it may very well have had an impact on who eventually leaked the group chat. It's a messy relationship that is full of egos and full of conflict of interest, uh, and opposing perspectives
Sasha Ingber: You had also traced some of the cultural aspects at play in this dynamic, and there was a concept called guanxi.
Can you tell us about that and how it also played out in the chatroom?
Ahana Datta Fasel: Yeah. I mean, because hackers are hackers, they sort of, they're mainly motivated by breaking down any sort of sense of hierarchy um, and guanxi is kind of the opposite of that. It's, it's this, it's this kind of an informal relationship in Chinese culture that, uh, works on the principle of hierarchy.
Uh, and it is not always reciprocal, and it's almost a system of informal patronage in which the sort of junior member of this relationship will always be deferential to the senior person. And that is how sort of historically, uh, government officials and military personnel have been promoted. But that is also how these hacker teams or these front companies have continued to receive their state sponsorship or their patronage from within the government, so that so long as they're currying enough favor with government officials, they will somewhat be taken care of because their government work isn't exactly high-paying.
Ahana Datta Fasel: So this isn't exactly well-remunerated work, but they do it so that they have that umbrella of protection over them.
Sasha Ingber: At the same time, though, they also were deceiving the Chinese government to some extent, is my understanding.
Ahana Datta Fasel: Yeah, I mean, they were deceiving them in the sense that this offensive cyber economy, the reality of that is that they have to be able to make a living.
And often, because government work isn't well paid, they have to make that living through various other revenue streams. They have to be able to repurpose some of the technology they use for espionage into those criminal campaigns to steal data, to be able to launch ransomware attacks, to be able to hold these sort of extortion-based methods as a revenue stream.
Sasha Ingber: We're dissecting the conversations between some of the people who are working for i-Soon as a way to understand some of the dynamics of the hacking groups that the Chinese Communist Party goes to, uh, for its espionage and for campaigns that harm the United States. So as we keep thinking about this, when you tell me that their number one priority is girls and drinking and then getting government contracts, are they actually serious about what they're doing, or what's behind that?
Ahana Datta Fasel: These are quite fundamental human impulses that, uh, are common to hackers everywhere. You know, these are young men who are, um, in their first or second jobs, sort of straight out of university. It is almost entirely young men. Towards the end of the chat in the i-Soon case, you see the presence of one young woman who is kind of flirting with the operations manager, but you don't really see the impact, uh, that she has on the business from the chats. So it is almost exclusively young men who are in this slightly one-upmanship, um, state of mind where, yes, of course, their ability technically and their r- and the respect of their peers is highly prized, but even more than that is are they cool? Are they seen as cool by their, uh, hacker comrades? Are they seen as successful?
Sasha Ingber: The human interactions here are pretty fascinating. I mean, I'm just imagining you sitting there, being a inveterate scroller and getting into these weird interactions.
Ahana Datta Fasel: Yeah, I mean, it, it was, it was hugely fun because I think one of the things that we, we miss, um, when we read, uh, a cyber-adjacent story is that these are human stories.
Um, and these are human stories because they are underpinned by the fallibilities within human nature. If a, a hacker group is guided by vanity and being seen as successful and aren't prizing so much, uh, the sophistication in their tradecraft, um, then that is a vulnerability that, for example, counterintelligence, uh, uh, analysts in the US can f- can find useful.
Um, because these, these hackers will not necessarily spend loads of time inventing, uh, you know, the best offensive cyber capability. What they'll do is rely, uh, on tools that are already out there, uh, throw them at US assets, and see what works. And if that's successful and curries them, uh, favor with the state, um, that's, that's in their eyes a victory, not so much as being seen as the most technically proficient.
Sasha Ingber: And beyond the human interactions that you were tracking inside i-Soon, what were some of your biggest takeaways about the interactions with the people who would be giving them those contracts, whether it be the People's Liberation Army or the Ministry of State Security, both supporting China's Communist Party?
Ahana Datta Fasel: The one thing that stuck out was that this was not a proactive relationship from on part of the government. It was very much competing groups, front companies, going over to government officials, military officials, to essentially flog their data to them and see whether or not this, they bite and whether or not they're willing to pay for it.
So what emerges is this picture of how hands-off the technical details of these offensive cyber operations, of these espionage campaigns government officials really are, that they sort of leverage their relationships with these hacker groups to just sort of l- let them do their own thing while they turn the other way
Sasha Ingber: Uh, 2024 isn't just when this leak happens. There was a major restructuring of the People's Liberation Army that same year, in part because of major corruption inside the PLA. Part of the restructuring here, which analysts have said reflects a shift toward domain specialization, more highly focused intelligence-enabled combat support, tighter political control, part of this also involved creating a new strategic arm called the Information Support Force.
Tell us more about what it does in relation to the cyber ecosystem that we've been talking about.
Ahana Datta Fasel: So the Information Support Force is an evolution, uh, of the previous structure of the People's Liberation Army. Its previous incarnation was called the Strategic Support Force. So the Information Support Force sort of came towards the end of a number of purges of sen- senior, uh, military officials to be able to centralize and make this power vertical at the level of every single theater command, at the level of PLA Air and PLA Navy, to be able to show that information operations were as important to the Chinese military as any other, uh, command.
Sasha Ingber: And what exactly is it doing?
Ahana Datta Fasel: That remains somewhat shrouded in mystery, but what commentators think is that it is the culminating department that subsumes a lot of capability, like network warfare, like information operations, like the PLA's, uh, uh, offensive capabilities that up until, uh, 2020 were sort of written off because commentators thought that the Ministry of State Security, the foreign intelligence arm, was, uh, far superior in terms of tradecraft.
Sasha Ingber: When we come back, we look at some of China's greatest vulnerabilities in the cyber ecosystem
We know today that the People's Liberation Army was behind Volt Typhoon. This was an intrusion that was first detected in 2023 by Microsoft in Guam, where the United States has naval ports and bases, but also found on the mainland here in the US in critical infrastructure, potentially to prepare for future disruption, especially in the event of conflict over Taiwan, conflict with China.
Can we take all of these pieces and talk about what it ultimately means and whether or not this actually put China ahead when we're talking about cyber warfare?
Ahana Datta Fasel: When the infiltration was discovered in this, uh, naval logistics hub in Guam, Microsoft employees started following this, uh, uh, the, uh, this, this traffic, um, being sent through by the PLA's hackers.
Um, Microsoft President Brad Smith called it a generational threat. Um, and the reason he called it that is because for the first time it seemed as though the People's Liberation Army really invested into stealth and their stealth capabilities. Um, because for gaining entry into this, uh, um, naval network, they weren't using, uh, massively sophisticated capabilities or tradecraft.
Once they got into the network, they were using ordinary tools that any kind of infrastructure manager would use just to poke around the network and see what access they could gain. I would see it as a proof of the sophistication of the People's Liberation Army's tradecraft.
Sasha Ingber: If, if the PLA was ultimately using simple tools, and here we have been discussing the practices and priorities of a company like i-Soon, what is that telling us?
Ahana Datta Fasel: Well, it's telling us that the, uh, offensive ecosystem in China, uh, whether that's military or foreign intelligence, over the past five years has decided to prioritize stealth rather than being as noisy as possible about their, uh, interventions. Up until 2015, when President Xi met President Obama, stealth wasn't a huge factor, but obviously the Chinese state realized that they had to be better at this.
Um, so when Volt Typhoon showed its ability to be able to introduce stealth into its operations, that was quite a seismic thing for the PLA. Um, and the second part that made this operation different was that in a closed-door meeting in Geneva, The Wall Street Journal reported when the US side asked the Chinese Foreign Ministry about the involvement of China, for the first time the answer wasn't a vehement no. And that is a huge departure for how China usually handles accusations like this.
Um, but to be very specific, the Chinese side responded w- something to the effect of, "It wasn't us, but if we had done it, it shouldn't be of surprise to you." And that is essentially a power play. It's a perception-shaping device. It's them saying that, "We have clearly stepped up our capabilities, and we are going to leave this in a, a place of ambiguity where now your behavior is going to be, uh, shaped by the lack of a denial."
So for the first time, military-type espionage was fulfilling, um, these different strategic goals, not just of real-time counterintelligence, but also of shaping their adversary's perception.
Sasha Ingber: So let's also then move on to the Ministry of State Security, which is, of course, foreign-focused, but spread out across China more in an FBI-like way.
And it was behind Salt Typhoon, which was a very destructive intrusion in that it entered the US telecommunication system, and there are many different ways that can present threats, including learning about communications between government officials who could now be subject to blackmail. Can you talk more about that attack in light of what you've just shared?
Ahana Datta Fasel: As far as my own analysis goes, Salt Typhoon is simply a more extreme version of what the Ministry of State Security has been doing since all the way back to the attack on the Office of Personnel Management. Um-
Sasha Ingber: And that was a 2015 attack which targeted US federal workers who had filled out security forms. So millions and millions of Americans now had been targeted back in 2015.
Ahana Datta Fasel: That's right. And in the run-up to the Office of Personnel Management attack, uh, China, uh, origin hackers had been probing, uh, middle managers, middle players, intermediaries, uh, like data brokers, insurance companies, uh, and probing their networks for the same kind of data until it led to the OPM breach.
Um, with Salt Typhoon, there is no open consensus on what, uh, the hackers must have compromised to gain entry into the backbone of American telco. Um, but it is simply the latest in a long trajectory of supply chain compromises, of infrastructure attacks that the Ministry of State Security has done again and again and again to ever more egregious campaigns.
Sasha Ingber: And this is suggesting the long-term thinking that we all know China has, um, that the 2015 OPM hack was really just the start of, you're saying?
Ahana Datta Fasel: Absolutely. Um, I mean, if you think about, um, Western responses to these campaigns, they have been quite chop and change. Uh, we respond to a campaign, and we respond to, uh, the actors in that campaign.
Sasha Ingber: It's very siloed, and you are connecting it here. And I, I'm wondering, you know, we've seen so many examples of China stealing our data and our technology, whether it's through hacking or through intelligence officers between the People's Liberation Army and the Ministry of State Security. How innovative are they actually?
Or is it really just that they have this long-term thinking and strategy?
Ahana Datta Fasel: I think, um, one of the things that is really crucial to this ecosystem, but especially in the foreign intelligence ecosystem, is the ability of the Chinese state to be able to amass a certain scale, and the scale is probably the single most crucial asset because that scale provides fungibility.
That scale provides the diffusion of capabilities and the ability to contract out a job to multiple different actors. So that scale is really a massive asset to the Ministry of State Security. But on the other hand, the PLA, the People's Liberation Army, is also showing, uh, its ability to prioritize, uh, uh, offensive cyber operations, uh, by investing in them, um, uh, by showing signals, uh, uh, that they look at information operations at the same level as any other kind of military offensive.
And that mentality, that change in mindset is quite big for, uh, for the Chinese.
Sasha Ingber: I- is that from working with these companies like i-Soon?
Ahana Datta Fasel: The Salt Typhoon campaign is a very interesting one because when Salt Typhoon became public... And just to remind your listeners that it is still going on right now. So when it was made public back in 2024, the American intelligence community and private sector researchers traced back Salt Typhoon to a bureau of the Ministry of State Security in Sichuan.
It's based in Chengdu. So if you just think about the different front companies that we've talked about that have had a presence in Chengdu, it wouldn't be surprising at all that Salt Typhoon is in fact not one group, but a collection of different hacker collectives, whether that's front companies or whether that's internal Ministry of State Security staff.
Um, and to be able to lump them together into this sort of actor name like Salt Typhoon is both a benefit to be able to track their activities, but also a slight disservice because we can't get far down enough into the nitty-gritties of who makes up these campaigns.
Sasha Ingber: So when we think about how back in 2025, China's state-sponsored hackers used Anthropic's AI to automate cyber attacks, according to Anthropic, where do we see this all going?
AI presents a new landscape of threat vectors, and it doesn't look pretty from where I'm sitting.
Ahana Datta Fasel: The real game changer is the time element, and that, both for defenders and offen- uh, and offensive actors, is a massive variable now that will define the future of how cyber competition plays out. Because for defenders to be able to preempt and design their infrastructure to account for these sort of AI-enabled campaigns, and for as- offensive actors to be able to maintain stealth despite the opportunities afforded by AI, these are not trivial considerations.
So the time element of not just being able to defend, not just being able to know when to attack, but also what to do in response to an attack, these are not only technical questions, these are also political questions.
Sasha Ingber: And when you talk about time, you're specifically saying from when they are able to get in, to what they're doing in there, to when they are detected, when they are-
Ahana Datta Fasel: That's right.
Sasha Ingber: So how should the West handle the threat coming out of China? Here in the United States, President Trump's cyber strategy has stated that it will deploy a, quote, "full suite of US government defensive and offensive cyber operations. We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities. We must detect, confront, and defeat cyber adversaries before they breach our networks and systems. We will erode their capacity and capabilities and use all instruments of national power to raise the costs for their aggression." Is that the approach that you would recommend?
Ahana Datta Fasel: I think that we must be very cautious when taking an aggression-first approach.
I understand completely the administration's desire to take that kind of tone because a lot of the things that the US has done in response to Chinese cyber operations hasn't really worked. I would argue that it's not for the lack of, uh, uh, aggressive cyber operations, uh, but from a lack of understanding this continuity that is seen in, uh, China's cy- cyber operations over the course of 15 years, what we know about their ecosystem, what we know about their hacker groups, how they're incentivized, and to try and break through that side of adversarial behavior rather than trying to big up how powerful offensive cyber operations conducted by the US will be.
Sasha Ingber: So what would that look like?
Ahana Datta Fasel: We would have to ask ourselves, how can we raise the costs on the adversaries enough, uh, like President Trump's strategy says? What are the mechanisms through which we can raise the costs where the likes of i-Soon find it too expensive, uh, to carry much success? Now, if you look at, uh, the kind of tools that most Chinese hackers have used in the past 15 years, these are quite low-level tools.
If we look at the trajectory of Chinese cyber operations, they've been successful repeatedly because they've, uh, um, managed to leverage small-time vulnerabilities, uh, in our operating systems. Uh, and the truth is that we simply haven't prioritized, uh, defense, cyber defense, uh, quite enough to be able to say that somehow offensive cyber operations will have a deterrent effect.
Sasha Ingber: I, I remember a conversation I had with someone who was working in counterintelligence, especially looking at China, and described to me conversations from years ago where they approached lots of different government entities, what is most important to protect, what is most critical, and there was never any clarity on that, what to prioritize.
Even if you just look at critical infrastructure, what's most critical of critical infrastructure? And that seems like it is the obstacle here if you're describing low-level tools that have been able to be successful because our defenses are low.
Ahana Datta Fasel: I think, I think that is, uh, uh, a very useful way to look at it.
Sasha Ingber: So then let's look at this from the other side, where we know that China plays this long game, and because it is not a democracy, it can maintain more of a consistent, uh, stance, strategy. What are some of China's greatest vulnerabilities in the cyber ecosystem space whereby those can be exploited by the United States, by the UK, by other actors?
Ahana Datta Fasel: I think it's the same thing that makes, um, the UK, the US, and other Western allies, uh, so strong, which is the resilience of our relationships. Um, if you think about the offensive Chinese ecosystem, their allied relationships are pretty much either quite brittle or, or nonexistent. What makes the Five Eyes the most powerful intelligence alliance in the world is the quality of our relationships, that we're able to develop, uh, offensive cyber capability at whatever level, uh, in concert, uh, with our allies.
Whereas China doesn't necessarily have that kind of relationship even with its closest partners.
Sasha Ingber: Ahana, thank you so much for sitting down with me today.
Ahana Datta Fasel: It's such a pleasure, Sasha. Uh, and it's been, it's been such a great conversation. I mean, I'm sure we could talk about this for hours and hours 'cause there's just-
Sasha Ingber: I think we could
Ahana Datta Fasel: there's so much. Yeah.
Sasha Ingber: Yeah, yeah. There is a lot to cover. Really appreciate you coming. Thanks again.
Ahana Datta Fasel: It's been a pleasure. Thank you so much.
Sasha Ingber: Thanks for listening to this episode of SpyCast. If you like the episode, give us a follow on Apple, Spotify, or wherever you get your podcasts, and leave us a rating or review.It really helps. If you have any feedback or you wanna hear about a particular topic, you can reach us by email at spycast@spymuseum.org. I'm your host, Sasha Ingber, and this show is brought to you by N2K Networks, Goat Rodeo, and the International Spy Museum in Washington, DC.


