Hackers Leak Alleged Internal Files of Chinese Social Media Monitoring Firms

A group of hackers claims to have breached three Chinese companies that specialize in social media surveillance.

A group of hackers says they have obtained internal files from three Chinese social media monitoring companies. After leaking some of the documents, the group was banned by Twitter under its hacked files policy; however, Motherboard has been unable to confirm the authenticity of the documents.

The group goes by the name CCP Unmasked, in reference to the Chinese Communist Party ruling the country. The group reached out to journalists on Thursday, pitching "a large dump of files" that they said exposes social media monitoring and disinformation campaigns conducted by three private companies at the behest of the Chinese government. They claim to have stolen internal documents from Knowlesys, a company based in Hong Kong and Guangdong; Yunrun Big Data Service, a company based in Guangzhou; and OneSight, based in Beijing.


"We think the public deserves to know about the CCP’s attempts to undermine democracy and freedom of expression," the hackers said in an email.

Knowlesys has previously held demonstrations on how to “monitor your targets’ messages, profiles, locations, behaviors, relationships, and more,” and how to “monitor public opinion for election,” according to Freedom House, a digital rights organization.

One of the leaked files is seemingly a presentation from Knowlesys labeled as "confidential" in which the company showcases a product called Intelligence Center, which the company advertises on its website without going into great detail. In the presentation, the company wrote that it has been working "closely with intelligence agencies for 8 years," and that its clients are intelligence agencies, security agencies, military, and police.

Do you have any information on Knowlesys, Yunrun, or OneSight? Do you have information on companies that work for the Chinese government? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

The presentation shows a system allegedly able to monitor all kinds of websites and social media services, such as Facebook, Twitter, and WeChat, in search of terrorists and "anti-government groups." Facebook and Twitter are blocked in China, so this presentation is likely for foreign governments (the company works in countries other than China and recently attempted to push into the UK). According to online records, Knowlesys participated in the surveillance industry conference ISS World in Dubai in March and the Milpol conference in Qatar.

The platform, Knowlesys writes in the presentation, can also be used to monitor what "the opposition party talk and do on News/Facebook/Twitter/Youtube/Forums/Blogs."

The hackers sent a small batch of presentations and Word documents they claim come from these companies, as well as a much larger batch of files (40GB). Motherboard was not able to verify the authenticity of the documents, some of which are written in English and some in Chinese. Knowlesys, Yunrun, and OneSight did not respond to a request for comment sent via email.

Motherboard was unable to find these documents on the open internet, and specific details in some of the presentations match with what has been publicly reported about these companies. For example, contact information contained within a Knowlesys presentation corresponds to nonpublic but functioning email accounts, Skype accounts, and WhatsApp accounts of its CEO, which suggests that at least that document is genuine.

The hackers started publishing some of the files on their Twitter account @CCP_Unmasked on Thursday afternoon. But then Twitter suspended the account for posting hacked material, the hackers said.

"We don't want to become the story and we want to protect ourselves. But we can tell you that we hacked the companies," the hackers said, declining to speak more about the documents or alleged hack. "And that we did it because we think the CCP's desire to put out fake news and interfere with democracy needs to be challenged."

A screenshot of a slide from a leaked Knowlesys presentation.

Asked about the hackers' claims, Adam Segal, a researcher who focuses on China at the Council for Foreign Relations, said that what the hackers are claiming these companies do is not very surprising.

"I can't tell, but if they are monitoring Chinese web for local Chinese web for local Ministry of State Security and Ministry of Public Security it is interesting to have internal docs and put actions to a specific company, but actions themselves I don't think are that surprising," Segal said in an email. "The [Great Firewall] works on fear (getting arrested, invited in for 'tea'), friction (filtering, blocking) and flooding (distraction disinfo etc)."