Hacking firm I-Soon data leak revealed Chinese gov hacking capabilities

Pierluigi Paganini February 26, 2024

The recent leak of a collection of files apparently stolen from I-Soon, a Chinese government hacking contractor, has exposed the hacking capabilities available to the Chinese state.

Someone recently leaked on GitHub [1,2] a collection of files apparently stolen from the Chinese hacking firm I-Soon. An analyst based in Taiwan, known as Azaka, discovered the data leak and shared their findings on social media.

I-Soon is a prominent contractor for various agencies of the Chinese government, including the Ministry of Public Security, the Ministry of State Security, and the People’s Liberation Army.

SentinelOne researchers noticed that on January 15 at 10:19 pm an individual registered the email address I-SOON@proton.me. On February 16, an account linked to that email address uploaded a batch of files including marketing documents, images, screenshots, and a substantial collection of WeChat messages exchanged between I-Soon employees and clients.

The alleged data breach revealed the capabilities of the China-linked hacking contractor.

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem. It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.” reads an analysis published by SentinelOne.

The leaked documents include internal communications describing hacking operations against companies and government agencies in several countries, including India, Kazakhstan, Malaysia, Pakistan, and Taiwan. According to the documents, I-Soon was involved in the compromise of at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO.

At this time, the identity of the individuals responsible for the data theft and their motivations remain unknown. Nevertheless, the breach offers a rare insight into the internal workings of a state-affiliated hacking contractor. The authenticity of the leaked documents has not yet been confirmed and efforts to validate them are ongoing, although several details align with existing public threat intelligence.

The documents, which are dated as recently as 2022, show that the Chinese contractor developed sophisticated spyware capable of targeting Windows, macOS, iPhone and Android devices. I-Soon’s arsenal also includes hardware hacking tools, such as snooping devices and systems for breaking into Wi-Fi networks.

The standard version is disguised as a Xiaomi battery, whilst the mini version is just a plain PCB that can be inside anything. pic.twitter.com/ucfPwk7zi6

— 安坂星海 Azaka 🐼 VTuber (@AzakaSekai_) February 18, 2024

Azaka also noticed that the hacking firm operates a DDoS system relying on a bot that can infect Windows, Linux, or generic IoT devices; the documents claim a total botnet throughput of 10 to 100 Gbps. The Chinese firm also developed an automated penetration-testing platform that supports Windows, Linux, web services, and networking equipment.

“Us researchers finally have a confirmation that this is how things are working over there and that APT groups pretty much work like all of us regular workers (except they’re getting paid horribly),” the analyst Azaka told TechCrunch, “that the scale is decently big, that there is a lucrative market for breaching large government networks.” APTs, or advanced persistent threats, are hacking groups typically backed by a government.

Some documents link I-Soon to the Chinese APT41 group. One document lists targeted organizations and the fees the company earned by hacking them; for example, the Chinese government paid $55,000 for data stolen from Vietnam’s Ministry of Economy.

The APT41 group (aka Winnti, Axiom, Barium, Blackfly, HOODOO) is a China-linked cyberespionage group that has been active since at least 2007.

This data leak demonstrates the importance of third-party contractors in the strategy of nation-state actors. Their support enhances the offensive operations carried out by Beijing and makes attribution of the attacks harder.
