Data breach at Chinese infosec firm Knowsec exposes state-level cyber weapons and intelligence ops

Chinese infosec blog MXRN reports a data breach at Knowsec Information Technology Co., Ltd., one of China's largest cybersecurity and intelligence contractors with close ties to Beijing and the Chinese military. 

Knowsec, officially known as Knownsec Information Technology Co., Ltd., operates several prominent platforms including ZoomEye, a global Internet asset search engine similar to Shodan. The company has maintained extensive partnerships with Chinese government institutions, ministries, the People's Liberation Army (PLA), and various public security bureaus, positioning itself as both a cybersecurity defender and a digital reconnaissance provider for state agencies. 

The cause of the breach is unclear; it is speculated to have been either an insider threat or unauthorized access to Knowsec's internal systems. The breach resulted in the theft and subsequent public distribution of highly classified materials.

Attackers posted portions of the stolen documents to GitHub, which quickly removed them for violating platform rules. The complete dataset is currently being auctioned on dark web forums to the highest bidder. The leaked dataset has been described by threat researchers as the company's "crown jewels," containing materials that blur the line between defensive cybersecurity operations and offensive intelligence gathering. The leaked materials include:

  • Internal corporate records and business relationship documentation
  • Government-linked project documentation and contracts with state agencies
  • Malware source code and advanced offensive cyber tools
  • Command-and-control (C2) frameworks and exploit toolkits
  • Geopolitical target lists naming Japan, Vietnam, India, United States, Australia, United Kingdom, Thailand, Malaysia, Canada, New Zealand, Philippines, and Pakistan
  • Remote Access Trojan (RAT) code capable of compromising Linux, Windows, macOS, iOS, and Android systems
  • Android malware specifically designed to extract information from popular Chinese messaging applications and Telegram
  • GhostX framework including "Un-Mail" email interception tools using XSS techniques
  • Wi-Fi intrusion attack flows and network exploitation diagrams
  • Windows trojan remote-control framework compatible with Windows 2000 and later versions
  • Training slides, architecture diagrams, and tool manuals
  • Datasets including LinkedIn profiles from Brazil and South Africa (labeled "linkedin_brazil_202305" and "linkedin_southafrica_202305")
  • Spreadsheet documenting 80 overseas targets successfully attacked by Knowsec
  • 95GB of immigration data obtained from India
  • 3TB of call records stolen from South Korean telecom operator LG U Plus
  • 459GB of road planning data obtained from Taiwan
  • Key Infrastructure target libraries listing external servers of foreign institutions and governments
  • Passive radar tools and pcap analyzer documentation
  • KRACK attack methodologies and credential harvesting techniques

This incident can be considered more than a corporate security failure: it can constitute a breach of critical information infrastructure affecting national security.

Governments in Japan, Vietnam, India, and the other named countries will probably treat this as a confirmed intelligence leak and will likely conduct extensive counter-intelligence and digital forensics investigations to determine the impact on their own networks.

Security experts recommend that organizations worldwide consider connections and services to Knowsec as compromised, perform security audits, rotate all credentials ever shared with Knowsec systems, and potentially disconnect from Knowsec services until Knowsec publishes a report on this incident.