How China’s Patriotic ‘Honkers’ Transformed into Elite Cyber Spies

Topsec and Venustech have been implicated in assisting cyber activities linked to state-sponsored initiatives in China. Notably, Topsec has employed several former Honkers, including the founder of the Honker Union of China. The company’s founder previously stated that the People’s Liberation Army (PLA) directed its operations. In 2015, Topsec was associated with significant cyber incidents, including the breach of Anthem Insurance in the United States.

Throughout the years, various tools utilized by Chinese Advanced Persistent Threat (APT) groups were developed by former Honkers. Both the PLA and the Ministry of State Security (MSS) have exploited these tools for vulnerability research and exploit development. In 1999, Huang Xin, known as “glacier,” a member of the Green Army, introduced “Glacier,” a remote-access trojan. The following year, along with Yang Yong of XFocus, he developed X-Scan, a network vulnerability scanning tool still in use by hackers today. In 2003, Honker Union members released HTRAN, facilitating traffic rerouting through proxy servers to obscure an attacker’s location, a tool regularly leveraged by Chinese APTs. In 2008, Tan, alongside fellow NCPH member Zhou Jibing, is believed to have created the PlugX backdoor, utilized by over ten Chinese APTs. It is reported that Zhou enhanced this further to create ShadowPad, which has seen use by APT 41 among others.

Leaked documents and indictments in the United States have revealed the alleged ongoing espionage activities of former Honkers after their time with the Honker Union. These revelations indicate China’s strategy of employing private firms for state hacking initiatives, with companies like i-Soon and Integrity Tech established by former Honkers. Wu Haibo, a former member of Green Army and 0x557, founded i-Soon in 2010. Recently, internal files and communications from i-Soon surfaced, revealing the firm’s espionage efforts for the MSS and the Ministry of Public Security (MPS). In March, the U.S. indicted eight i-Soon employees along with two MPS officials for hacking operations targeting U.S. agencies, Asian foreign ministries, dissidents, and media outlets.

Integrity Tech, established in 2010 by Cai Jingjing, another former Green Army member, faced U.S. sanctions this year due to connections with attacks on global infrastructure. Furthermore, Zhou and Wu, both ex-Green Army members, were indicted for their roles in state-sponsored hacking, with Zhou also tied to APT 27. Allegations suggest that he operated a data-leak service, selling stolen information to various clients, including intelligence agencies.

This pattern reflects the transition seen with early American hackers, many of whom evolved into cybersecurity company founders or were recruited by government agencies to conduct cyber operations. However, as cybersecurity expert Kozy notes, unlike in the United States, the Chinese government has harnessed its entire societal structure, compelling individuals and businesses to cooperate in espionage efforts.

Kozy commented on China’s approach, stating that the intention was to co-opt Honkers to serve state interests from the beginning. Given the patriotic sentiments of many involved, they were incentivized to participate with promises of serving their country, while also realizing the wealth that could accompany such undertakings.

These findings highlight a complex network of private-sector involvement in state-sponsored cyber activities and underscore an urgent need for vigilance among organizations globally, particularly those in likely target countries such as the United States. Because these groups rely on sustained network exploitation, including the initial access, persistence, and privilege escalation tactics catalogued in the MITRE ATT&CK framework, businesses must fortify their defenses against such sophisticated adversaries.
