VenusTech and Salt Typhoon Breach Sheds Light on China’s Covert Cyber Mercenary Networks
The dark web forum DarkForums, which has been a site for data breaches and leaks since BreachForums was shut down in mid-April, was the scene of two major leaks in late May involving Chinese cybersecurity organizations: VenusTech, a well-known IT security vendor, and Salt Typhoon, a state-sponsored advanced persistent threat (APT) organization affiliated with the Ministry of State Security (MSS).
These leaks, posted by newly created accounts “IronTooth” and “ChinaBob,” offer a rare glimpse into the intricate web of China’s hack-for-hire industry and its deep ties to government operations.
While the sample data provided is smaller than in previous leaks like those from TopSec and iSoon, the exposed information, ranging from government contracts to compromised infrastructure, reveals critical insights into the operational structure and targets of these entities.
VenusTech Leak Exposes Government Contracts
The VenusTech leak, posted on May 17 by “IronTooth,” includes nonpublic documents, spreadsheets, and contracts that suggest the company’s involvement in offensive cyber operations for Chinese government clients.
VenusTech, founded in 1996 and listed on the Shenzhen Stock Exchange, has a documented history of engaging with hack-for-hire groups such as XFocus (creators of the 2003 Blaster worm) and Integrity Tech, linked to the Flax Typhoon hacking campaign.
The leaked spreadsheets, though lacking column headers, appear to detail intelligence targets and hacked organizations across regions like Hong Kong, India, Taiwan, South Korea, Croatia, and Thailand.
One notable entry indicates VenusTech’s access to the Korean National Assembly’s email server, with a contract to deliver monthly data updates for 65,000 yuan (approximately $9,000 USD).
Additionally, client lists featuring Unified Social Credit Codes point to various Chinese government entities as customers, underscoring VenusTech’s dual role as a security vendor and a facilitator of state-sponsored cyber espionage.
Salt Typhoon Data Leak Links MSS
“ChinaBob” posted data allegedly from Salt Typhoon, an APT group implicated in high-profile intrusions into US telecommunications firms and global infrastructure, including Viasat, as recently reported in 2024.

The leak includes employee personally identifiable information (PII) such as Chinese national ID numbers and phone numbers, transaction records with cybersecurity vendors like Qi’anxin and VenusTech, and configurations of 242 hacked routers, some tied to Cisco devices, a known target for Salt Typhoon.
Transaction data reveals dealings with entities like PLA Unit 61419, associated with the “Tick” threat group, and the Institute of Information Engineering of the Chinese Academy of Sciences, a stakeholder in iSoon.
Moreover, the data names two previously unindicted companies, Beijing Huanyu Tiangiong Information Technology Company Limited and Sichuan Zhixin Ruijie Network Technology Company Limited, alongside the sanctioned Sichuan Juxinhe Network Technology Company, as part of Salt Typhoon’s operational network, hinting at a broader front for MSS activities.
These leaks, while limited in scope, highlight the porous nature of China’s state-sanctioned cyber ecosystem, where insiders often siphon data for black market sales, and underscore the growing presence of Chinese cybercriminals in Western digital crime spaces.
They serve as pivot points for understanding the scale and sophistication of China’s covert cyber mercenary networks, raising urgent questions about global cybersecurity defenses against such state-backed threats.