i-SOON Data Leak: Key Points

Opening Notes

i-SOON (上海安洵), a well-known supplier for several Chinese governmental organizations like the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army, encountered a substantial breach of data over the weekend of February 16th. This violation has brought to light the internal mechanisms of a state-associated hacking provider, although the origin and reasons behind the breach are still undisclosed. The validation of the leaked documents is ongoing, yet they confirm existing public threat intelligence.

This breach provides an unparalleled perspective on the changing cyber-espionage landscape in China, showing how government mandates drive a competitive market of independent hackers for hire. Despite concerns about low employee pay and reports of gambling in the office, i-SOON’s operations appear connected to compromises affecting at least 14 governments, pro-democracy groups in Hong Kong, academic institutions, and NATO.

The disclosed documents include client lists and specific targets, underscoring i-SOON’s pursuit of low-value hacking contracts across various government entities. This challenges assumptions drawn from previous targeting by Advanced Persistent Threats linked to Chinese contractors.

By using machine translation, researchers swiftly scrutinized the leaked data, expanding access beyond specialized professionals. Nonetheless, comprehending the intricate relationships within the data requires a field-specific proficiency. While analyses focused on geographical areas stay crucial, the reduced entry barrier enables a wider examination of intricate patterns and associations.

To summarize, the i-SOON data leak not only reveals the complexities of state-tied cyber operations but also highlights the evolving scenario of cybersecurity intelligence evaluation.

My Highlights

  1. Initial Repository: HERE
  2. Converted Edition: HERE (internal dialogues, business proposals, documentation on instruments, goods, and procedures)
  3. The i-SOON materials encompass numerous files, where some appear to be manuals or technology-related business propositions outlining diverse product categories with broad functionalities. These include:
    • Malware customized for various operating systems like Windows, macOS, Linux, iOS, and Android.
    • A system crafted for assembling and examining email data.
    • A program devised for breaching Outlook accounts.
    • A system for overseeing Twitter activities.
    • A reconnaissance platform based on open-source intelligence (OSINT).
    • Physical hardware gadgets created for on-premises hacking, commonly focusing on WiFi networks.
    • Communication devices utilizing a network comparable to Tor, aiming to support secure correspondence for globally operating operatives.
  4. The leaked data seems to involve multiple lists of targets (HERE and HERE), incorporating various governments like Pakistan, India, Malaysia, Turkey, Egypt, France, Cambodia, Indonesia, Vietnam, Myanmar, the Philippines, and Afghanistan. Furthermore, targets comprise NATO, universities, and the pro-democracy campaign in Hong Kong.
  5. i-SOON appears to be associated with APT41.

Noteworthy i-SOON Matches

As reported by BushidoToken (HERE), the data breach reveals numerous correspondences and associations with known threat actors that had been uncovered and analyzed in earlier years.

One correlation was identified with the threat group POISON CARP, through an IP address (74.120.172[.]10) hosting a decoy site (mailnotes[.]online). This site was referenced in CitizenLab’s report on Tibetan groups targeted with mobile exploits, aligning with Chinese MPS operations supported by i-SOON.

Another connection emerged in Chinese court documents linking i-SOON to Chengdu 404, a commercial espionage company, following a dispute over intellectual property.

Furthermore, a tie to the APT group JACKPOT PANDA was uncovered through an IP address (8.218.67[.]52) from the leak, cited in Trend Micro’s report on chat apps abused in supply-chain attacks. This corroborates i-SOON’s focus on targeting the online gambling industry.

Further inquiry revealed links to the ShadowPad and Winnti malware families, referenced in i-SOON’s product literature and in the US Justice Department indictment of APT41 and Chengdu 404. These malware families have been tied to various Chinese cyber-espionage campaigns.
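The overlaps above are built on a handful of network indicators that reports publish in defanged form (74.120.172[.]10, mailnotes[.]online, 8.218.67[.]52). The following added example, written for this summary and not taken from BushidoToken, CitizenLab, Trend Micro or the leak itself, shows how a defender would turn those published strings into a watchlist and check them against DNS and proxy logs. The log lines, the client addresses and the `TOKEN_RE` tokenizer are constructed assumptions; only the three indicators come from the post.

```python
import re
from ipaddress import ip_address

# Indicators quoted in the post above, exactly as published (defanged).
DEFANGED_IOCS = [
    "74.120.172[.]10",    # POISON CARP overlap
    "mailnotes[.]online",  # decoy site from the CitizenLab report
    "8.218.67[.]52",      # JACKPOT PANDA overlap
]

# Constructed sample log lines (assumption: not from the leak or any cited report).
SAMPLE_LOGS = [
    "2024-02-19T10:01:02Z dns query=mailnotes.online client=10.0.0.5",
    "2024-02-19T10:01:03Z proxy dst=74.120.172.10:443 client=10.0.0.5 action=allow",
    "2024-02-19T10:02:11Z proxy dst=93.184.216.34:443 client=10.0.0.7 action=allow",
    "2024-02-19T10:03:45Z dns query=updates.example.com client=10.0.0.9",
    "2024-02-19T10:04:20Z dns query=cdn.mailnotes.online client=10.0.0.12",
]

def refang(indicator: str) -> str:
    """Undo common defanging conventions: [.] / (.) / (dot) -> '.', hxxp -> http."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\(dot\)|\[dot\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.lower()

def classify(indicator: str) -> str:
    """Return 'ip' for an IP literal, otherwise treat the value as a domain."""
    try:
        ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"

def build_watchlist(defanged):
    """Map each refanged indicator to its type ('ip' or 'domain')."""
    watchlist = {}
    for raw in defanged:
        clean = refang(raw)
        watchlist[clean] = classify(clean)
    return watchlist

# Tokenizer for free-form log text: hostnames and IPs are runs of [A-Za-z0-9.-],
# so 'dst=74.120.172.10:443' yields '74.120.172.10' and '443' separately.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")

def indicator_hit(token: str, watchlist):
    """Return the matching indicator for a token, or None.
    IPs must match exactly; domains also match any subdomain."""
    cand = token.lower().rstrip(".")
    if cand in watchlist:
        return cand
    for ind, kind in watchlist.items():
        if kind == "domain" and cand.endswith("." + ind):
            return ind
    return None

def match_logs(log_lines, watchlist):
    """Scan log lines and return (line, indicator, type) for every hit."""
    hits = []
    for line in log_lines:
        for tok in TOKEN_RE.findall(line):
            ind = indicator_hit(tok, watchlist)
            if ind is not None:
                hits.append((line, ind, watchlist[ind]))
                break  # one hit per line is enough for alerting
    return hits

if __name__ == "__main__":
    wl = build_watchlist(DEFANGED_IOCS)
    for line, ind, kind in match_logs(SAMPLE_LOGS, wl):
        print(f"[{kind}] {ind} <- {line}")
```

Suffix matching on domains is deliberate: a decoy site like the one cited is often served from subdomains, and an exact-match list would miss `cdn.mailnotes.online`. Keep IP matching exact, since a /24 neighbour of a hosting address is not evidence of the same actor without further corroboration.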

[Figure: i-SOON overlaps map from BushidoToken]

NB: AI tools have been used for crafting fluent English and for translating sections.

Valuable Sources

SentinelLabs Blog Post: Unmasking I-Soon | The Leak That Revealed China’s Cyber Operations
Unit42 Blog Post: Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns
BushidoToken Blog Post: Lessons from the iSOON Leaks
Suggested reading (it provides a much broader view, including geopolitical and international-affairs considerations): The i-SOON Data Leak
