During the weekendsomeone posted a cache of files and documents apparently stolen by Chinese government hacking contractor I-Soon.
This leak gives cybersecurity researchers and rival governments an unprecedented opportunity to look behind the curtain of Chinese government hacking operations facilitated by private contractors.
Like hack-and-leak mode that targeted Italian spyware maker Hacking Team in 2015, the I-Soon leak includes corporate documents and internal communications that show I-Soon was allegedly involved in hacking companies and government agencies in India, Kazakhstan, Malaysia , Pakistan, Taiwan and Thailand, among others.
The leaked files were published on the code sharing site GitHub the manufacture. Since then, watchers of Chinese hacking operations have feverishly poured over the files.
“This represents the most significant data breach linked to a company suspected of providing cyberespionage and targeted intrusion services for Chinese security services,” said Jon Condra, threat intelligence analyst at cybersecurity firm Recorded Future.
For John Hultquist, the chief analyst at Google-owned Mandiant, this leak is “narrow, but deep,” he said. “Rarely do we have such unfettered access to the inner workings of any intelligence enterprise.”
Dakota Cary, an analyst at cybersecurity firm SentinelOne, he wrote in a blog publishes that “this leak provides a first-of-its-kind look into the inner workings of a state-linked hacking contractor.”
And, ESET malware researcher Matthieu Tartare said the leak “could help threat intelligence analysts link some of the compromises they’ve seen to I-Soon.”
One of the first people to go through the leak was a threat intelligence researcher from Taiwan who goes by the name Azaka. Azaka on Sunday posted a long thread at X, formerly Twitter, analyzing some of the documents and files, which don’t appear until 2022. The researcher highlighted spyware developed by I-Soon for Windows, Mac, iPhone and Android devices, as well as hardware hacking devices designed to be used in real-world situations that can crack Wi-Fi passwords, locate Wi-Fi devices, and disrupt Wi-Fi signals.
I-Soon’s ‘WiFi Near Field Attack System’, a device to hack Wi-Fi networks that comes disguised as an external battery. (Screenshot: Azaka)
“We researchers finally have a confirmation that this is how things work there and that APT teams work almost like all of us regular workers (except they get paid horribly),” Azaka told TechCrunch, “that the scale is decently large, that there is a lucrative market for hacking large government networks.” APT, or advanced persistent threats, are hacking groups that are usually supported by a government.
According to the investigators’ analysis, the documents show that I-Soon worked for China’s Ministry of Public Security, Ministry of State Security, and the Chinese army and navy. and I-Soon have also marketed and marketed their services to local law enforcement agencies across China to help target minorities such as Tibetans and Uighurs, a Muslim community living in the western Chinese region of Xinjiang.
Documents link I-Soon to APT41, a Chinese government hacker group which has reportedly been in business since 2012, targeting organizations in different healthcare, telecommunications, technology, and video gaming industries around the world.
Also, an IP address found in the I-Soon leak hosted a phishing site that digital rights organization Citizen Lab saw used against Tibetans in a 2019 hacking campaign. Citizen Lab researchers at the time named the hacking group “Poison Carp.”
Azaka, as well as others, also found logs of conversations between I-Soon employees and management, some of them extremely mundane, such as employees talking about gambling and playing the popular tile-based Chinese game mahjong.
Cary highlighted documents and conversations that show how much — or how little — I-Soon employees are paid.
Contact us
Do you know more about I-Soon or Chinese government hacks? From a non-working device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email. You can also contact TechCrunch via SecureDrop.
“$55,000 is being paid [US] — in 2024 dollars — to hack the Ministry of Economy of Vietnam, is not a lot of money for such a goal,” Cary told TechCrunch. “It makes me think how cheap it is for China to execute an operation against a high-value target. And what does that say about the nature of the organization’s security?’
What the leak also shows, according to Cary, is that researchers and cybersecurity firms should carefully consider the potential future actions of mercenary hacking groups based on their past activity.
“It demonstrates that a threat actor’s past targeting behavior, particularly when they are a Chinese government contractor, is not indicative of their future targets,” Cary said. “So it’s not helpful to look at this organization and say, ‘They only hacked the healthcare industry, or they hacked industry X, Y, Z and they’re hacking these countries.’ They respond to them [government] the agencies request. And these services may ask for something different. They may start work with a new office and a new location.”
The Chinese embassy in Washington did not respond to a request for comment.
An email sent to I-Soon’s support inbox went unanswered. Two anonymous employees of I-Soon he told the Associated Press that the company held a meeting on Wednesday and told staff that the leak would not affect their business and to “continue business as usual”.
At this point, there is no information on who posted the leaked documents and files and GitHub recently removed the leaked cache from its platform. But several researchers agree that the most likely explanation is a disgruntled current or former employee.
“The people who put this leak together gave her a table of contents. And the table of contents of the leak is the workers complaining about the low pay, the financial conditions of the business,” Cary said. “The leak is structured in a way that embarrasses the company.”
