i-SOON Data Leak: Key Points

Overview

i-SOON (上海安洵), a well-known contractor for various Chinese governmental organizations like the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army, encountered a significant breach of data during the period around Feb 16th. The breach brought to light the internal operations of a government-affiliated hacking contractor. Although the origins and reasons behind the breach are undisclosed as of yet, efforts are ongoing to verify the leaked documents, which align with existing publicly known threat intelligence.

This breach has provided unparalleled insights into the continually evolving landscape of cyber espionage in China, illustrating how state-issued directives fuel a competitive market of freelance hackers for hire. Despite concerns regarding inadequate employee remuneration and rumors of office betting activities, it appears that i-SOON’s activities are connected to security compromises affecting a minimum of 14 governments, democratic groups in Hong Kong, educational institutions, and NATO.

The revealed documents disclose lists of clients and targeted organizations, exposing i-SOON’s pursuit of less significant hacking contracts across multiple government departments. This disclosure challenges previously held beliefs based on the historical targets of Advanced Persistent Threats associated with Chinese contractors.

Using automated translation tools, analysts quickly examined the leaked data, extending access beyond specialist professionals. However, grasping the details within the data still requires domain-specific knowledge. While localized analyses remain crucial, the lower entry barrier allows a broader evaluation of complex patterns and relationships.

To wrap up, the data breach at i-SOON not only divulges the complexities of state-connected cyber activities but also emphasizes the changing dynamics of cybersecurity intelligence examination.

Highlighted Points

  1. Initial Repository: HERE
  2. Translated Version: HERE (internal conversations, business proposals, tool documentation, product specifics, and processes)
  3. Content within the i-SOON data incorporates various files, some of which appear to be documentation or business proposals outlining a broad range of products with diverse functionalities. These include:
    • Customized malware for different operating systems like Windows, macOS, Linux, iOS, and Android.
    • A platform designed for the gathering and analysis of email data.
    • A tool crafted for breaching Outlook accounts.
    • A platform for monitoring activities on Twitter.
    • A reconnaissance platform leveraging OSINT (Open-Source Intelligence) data.
    • Physical hardware devices intended for on-site hacking, often focusing on WiFi networks.
    • Communication gear using a network resembling Tor, aimed at facilitating secure communication for agents operating globally.
  4. The leaked data seems to include multiple lists of targets (HERE and HERE), encompassing several governments including Pakistan, India, Malaysia, Turkey, Egypt, France, Cambodia, Indonesia, Vietnam, Myanmar, the Philippines, and Afghanistan. Additional targets consist of NATO, universities, and the pro-democracy movement in Hong Kong.
  5. i-SOON appears to have connections with APT41.

Significant i-SOON Correlations

According to BushidoToken (HERE), the leaked data shows numerous associations and links to recognized threat actors that have been detected and analysed over the past few years.

One such connection was identified with the threat group POISON CARP, identified through an IP address (74.120.172[.]10) hosting a deceptive website (mailnotes[.]online). This site was mentioned in CitizenLab’s report on Tibetan groups subjected to mobile exploits, aligning with Chinese MPS activities supported by i-SOON.

Another connection surfaced in Chinese legal documents linking i-SOON to Chengdu 404, a corporate espionage company, following a disagreement regarding intellectual property.

Moreover, a correlation to the APT group JACKPOT PANDA was identified through an IP address (8.218.67[.]52) revealed in the leak, referenced in Trend Micro’s report on chat applications exploited in supply-chain attacks. This corresponds with i-SOON’s concentration on targeting the online betting sector.

Further investigations unveiled connections to the ShadowPad and Winnti malware families, mentioned in i-SOON’s product guides and in the US Department of Justice’s indictment of APT41 and Chengdu 404. These malware families have been linked with various Chinese cyber espionage activities.
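The correlations above all rest on one defender-side technique: take the infrastructure indicators quoted (defanged) from the leak, normalise them, and pivot them against indicators already attributed in public reporting. The script below is an added example, not code from the post or from BushidoToken, that does exactly that over a constructed excerpt. The only real indicators in it are the three the post itself cites (74.120.172[.]10, mailnotes[.]online, 8.218.67[.]52); the private address, the staging domain and the indicator-to-actor map are constructed for illustration, with the map reflecting the attributions stated in the post. It also shows the check a practitioner wants: private or reserved addresses and indicators with no public match are reported separately rather than silently dropped.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample text in the defanged style analysts use when quoting leaked
# infrastructure. The three routable indicators are the ones cited in the post;
# the private address and the staging domain are illustrative only.
LEAK_EXCERPT = """\
phishing host 74.120.172[.]10 serving mailnotes[.]online
c2 node 8.218.67[.]52 used in the chat-app campaign
internal jump box 10.0.0[.]5 (not routable, should be ignored)
doc link hxxp://mailnotes[.]online/login
review portal staging.example[.]com for internal use
"""

# Constructed indicator map reflecting the attributions described in the post.
# Assumption: in a real workflow this is exported from a TI platform (e.g. MISP).
TI_MAP: Dict[str, Tuple[str, str]] = {
    "74.120.172.10": ("POISON CARP", "CitizenLab report on Tibetan groups"),
    "mailnotes.online": ("POISON CARP", "CitizenLab report on Tibetan groups"),
    "8.218.67.52": ("JACKPOT PANDA", "Trend Micro report on chat-app supply-chain attacks"),
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging so indicators can be compared byte-for-byte."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), text)
    return text.replace("[:]", ":")


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Pull routable IPv4 addresses and domains out of free text, deduplicated in order."""
    clean = refang(text)
    ips: List[str] = []
    for candidate in IPV4_RE.findall(clean):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
            continue
        # Private/reserved space can never pivot to public reporting, so drop it here.
        if addr.is_global and candidate not in ips:
            ips.append(candidate)
    domains: List[str] = []
    for candidate in DOMAIN_RE.findall(clean):
        lowered = candidate.lower()
        if lowered not in domains:
            domains.append(lowered)
    return {"ipv4": ips, "domain": domains}


def correlate(
    indicators: Dict[str, List[str]], ti_map: Dict[str, Tuple[str, str]]
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group matched indicators by attributed actor; return unmatched ones separately."""
    by_actor: Dict[str, List[str]] = defaultdict(list)
    unmatched: List[str] = []
    for ind in indicators["ipv4"] + indicators["domain"]:
        hit = ti_map.get(ind)
        if hit is None:
            unmatched.append(ind)
            continue
        actor, _source = hit
        by_actor[actor].append(ind)
    return {actor: sorted(inds) for actor, inds in by_actor.items()}, unmatched


def sources_for(matched: Dict[str, List[str]], ti_map: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Which public reports back each actor attribution (so the pivot is citable)."""
    return {actor: sorted({ti_map[i][1] for i in inds}) for actor, inds in matched.items()}


if __name__ == "__main__":
    found = extract_indicators(LEAK_EXCERPT)
    matched, unmatched = correlate(found, TI_MAP)
    for actor, inds in matched.items():
        print(f"{actor}: {', '.join(inds)}  [{'; '.join(sources_for(matched, TI_MAP)[actor])}]")
    print("no public match:", unmatched)
```

The unmatched list is the important output in practice: an indicator that appears in the leak but in no public report is a candidate for new detection content, whereas a match only confirms an existing attribution.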

i-SOON Correlations Map from BushidoToken

Note: AI Tools were utilized for improved English and section translations.
