Pierluigi Paganini
February 26, 2024
Recently someone has leaked on GitHub [1,2] a collection of files apparently stolen from the Chinese hacking firm, I-Soon. An analyst based in Taiwan, known as Azaka, discovered the data leak and shared their findings on social media.
i-SOON is a prominent contractor for various agencies of the Chinese government, including Ministry of Public Security, Ministry of State Security, and the People’s Liberation Army.
SentinelOne researchers noticed that on January 15 at 10:19 pm, an individual registered the email address I-SOON@proton.me. On February 16th, an account linked to that email uploaded a batch of files including marketing documents, images, screenshots, and a substantial collection of WeChat messages exchanged between I-SOON employees and clients.
The alleged data breach revealed the capabilities of the China-linked hacking contractor.
“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem. It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.” reads an analysis published by SentinelOne.
Leaked documents include internal communications, demonstrating hacking operations against companies and government agencies in several countries, including India, Kazakhstan, Malaysia, Pakistan, and Taiwan. I-Soon was involved in the compromise of at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO.
At this time, the identity of the author of the data leak and its motivation is still unknown. The individuals responsible for the data theft and their motivations remain unknown. However, this breach offers a unique insight into the internal workings of a hacking contractor affiliated with a state. The authenticity of the leaked documents is yet to be confirmed, and ongoing efforts are being made to validate the information, even though some aspects align with existing public threat intelligence
The documents, which are dated as recently as 2022, demonstrate that the Chinese contractor developed a sophisticated spyware that can target Windows, Macs, iPhones and Android devices. The arsenal developed by i-SOON also includes hardware hacking tools, including snooping devices and systems to hack into Wi-Fi networks.
The standard version is disguised as a Xiaomi battery, whilst the mini version is just a plain PCB that can be inside anything. pic.twitter.com/ucfPwk7zi6
— 安坂星海 Azaka 🐼 VTuber (@AzakaSekai_) February 18, 2024
Azaka noticed that the hacking firm has a DDoS system relying on a bot that can infect Windows, Linux, or generic IoT devices. The total throughput of the botnet is 10~100Gbps. The Chinese firm also developed an automatic pen-testing platform that supports Windows, Linux, web services, and networking equipment.
“Us researchers finally have a confirmation that this is how things are working over there and that APT groups pretty much work like all of us regular workers (except they’re getting paid horribly).” the analyst Azaka told TechCrunch, “that the scale is decently big, that there is a lucrative market for breaching large government networks.” APT, or advanced persistent threats, are hacking groups typically backed by a government.
Some documents link I-Soon to the Chinese APT41, one document lists out targeted organizations and the fees the company earned by hacking them. The Chinese government paid $55,000 for data stolen from Vietnam’s Ministry of Economy.
The APT41 group, aka Winnti, Axiom, Barium, Blackfly, HOODOO) is a China-linked cyberespionage group that has been active since at least 2007.
This data leak demonstrates the importance of third-party contractors within the strategy of nation-state actors. They support enhances the offensive operations carried out by Bejing, making hard the attribution of the attacks.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, I-Soon)
