A major data leak of internal documents from Chinese cybersecurity firm i-Soon, also known as Anxun, has shed new light on the inner world of China’s cyberespionage and its state-backed hackers for hire. Among the documents shared online were contracts, marketing presentations, product manuals, client and employee lists, chat logs, company prospectuses, and data samples. The files referenced operations targeting various actors in over 20 countries, including telecommunications networks, government ministries, hospitals, universities, think tanks, and NGOs. “This represents the most significant leak of data linked to a company suspected of providing cyber espionage and targeted intrusion services for the Chinese security services,” said Jon Condra, a threat intelligence analyst at cybersecurity firm Recorded Future. At SentinelLabs, a platform of cybersecurity firm SentinelOne, Dakota Cary and Aleksandar Milenkoski provided an overview of the inception and contents of the i-Soon data leak: 

At 10:19 pm on January 15th, someone, somewhere, registered the email address I-SOON@proton.me. One month later, on February 16th, an account registered by that email began uploading content to GitHub. Among the files uploaded were dozens of marketing documents, images and screenshots, and thousands of WeChat messages between employees and clients of I-SOON. An analyst based in Taiwan found the document trove on GitHub and shared their findings on social media. [Links added by CDT.]

Many of the files are versions of marketing materials intended to advertise the company and its services to potential customers. In a bid to get work in Xinjiang–where China subjects millions of Ugyhurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work. The company listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan. 

Elsewhere, technical documents demonstrated to potential buyers how the company’s products function to compromise and exploit targets. Listed in the documentation were pictures of custom hardware snooping devices, including a tool meant to look like a powerbank that actually passed data from the victim’s network back to the hackers. Other documentation diagrammed some of the inner workings of I-SOON’s offensive toolkit. While none were surprising or outlandish capabilities, they confirmed that the company’s main source of revenue is hacking for hire and offensive capabilities. [Source]

At The New York Times, Paul Mozur, Keith Bradsher, John Liu, and Aaron Krolik described the range of i-Soon’s hacking tools, materials, and targets:

The materials, which were posted to a public website last week, revealed an eight-year effort to target databases and tap communications in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere in Asia. The files also showed a campaign to closely monitor the activities of ethnic minorities in China and online gambling companies.

[…] Materials included in the leak that promoted I-Soon’s hacking techniques described technologies built to break into Outlook email accounts and procure information like contact lists and location data from Apple’s iPhones. One document appeared to contain extensive flight records from a Vietnamese airline, including travelers’ identity numbers, occupations and destinations.

[…] At the same time, I-Soon said it had built technology that could meet the domestic demands of China’s police, including software that could monitor public sentiment on social media inside China. Another tool, made to target accounts on X, could pull email addresses, phone numbers and other identifiable information related to user accounts, and in some cases, help hack those accounts.

[…] Among the information hacked was a large database of the road network in Taiwan, an island democracy that China has long claimed and threatened with invasion. The 459 gigabytes of maps came from 2021, and showed how firms like I-Soon collect information that can be militarily useful, experts said. China’s government itself has long deemed Chinese driving navigation data as sensitive and set strict limits on who can collect it. [Source]

Other targets included pro-democracy organizations in Hong Kong, Uyghurs in Central and Southeast Asia, the Tibetan government in exile, British think tank Chatham House, French university Sciences Po, Amnesty International, and NATO, to name a few. As detailed by one analyst on X (formerly known as Twitter), some of the leaked files contained call detail records (CDR) and location based services (LBS) from telecommunications entities. This sort of metadata from mobile users could allow i-Soon and government intelligence agents to pinpoint a user’s location in real time. 

On Tuesday, i-Soon’s website went offline, and later in the week the GitHub repository was disabled. Still, Dake Kang from the Associated Press managed to visit i-Soon’s offices in Chengdu, where two employees confirmed the leak. Kang detailed his findings in a thread on X and highlighted documents explaining i-Soon’s logic behind targeting the platform:

15/"To keep the internet clean, we must realize that early-detection and countermeasures Internet sentiment are a systematic project that require the participation of statistics, united front, civil affairs, public security and other departments."

— Dake Kang (@dakekang) February 22, 2024

17/"We must not provide fertile soil or space for internet rumors to spread, to jointly create a clean and fresh online world where rumors are not spread, believed, or spread."

— Dake Kang (@dakekang) February 22, 2024

Analysts with the Taiwan-based TeamT5 cybersecurity firm said the leaked documents support their analysis that “China’s private cybersecurity sector is pivotal in supporting China’s APT attacks globally.” (The cybersecurity stands for “advanced persistent threat” and references the world’s most sophisticated hacking groups.) The links uncovered between APT campaigns and i-Soon “smashed the notion of neatly defined ‘threat groups’ conducting campaigns in a siloed manner,” said cybersecurity researcher Will Thomas (BushidoToken), adding that “the leak reinforces the idea that APT groups in China are connected to each other in many ways like the cybercrime underground.”

But these connections create their own vulnerabilities. “It is a very curated leak, which looks like a reprisal type job from someone out to get the victim in trouble with authorities around the world,” said David Robinson, co-founder of the Australian cybersecurity company Internet 2.0. Reporting on the leak for The Washington Post, Christian Shepherd, Cate Cadell, Ellen Nakashima, Joseph Menn, and Aaron Schaffer described China’s messy ecosystem of “patriotic” hackers, which in this case appears to have devolved into infighting and dissatisfaction:

China’s model of mixing state support with a profit incentive has created a large network of actors competing to exploit vulnerabilities and grow their businesses.

[…] Chinese security researchers at private companies have demonstrably improved in recent years, winning a greater number of international hacking competitions as well as collecting more bounties from tech companies.

But the iSoon files contain complaints from disgruntled employees over poor pay and workload. Many hackers work for less than $1,000 a month, surprisingly low pay even in China, said Adam Kozy, a former FBI analyst who is writing a book on Chinese hacking.

[…] Although it’s unclear who released the documents and why, cybersecurity experts said it may be an unhappy former employee or even a hack from a rival outfit.

The leaker presented themselves on GitHub as a whistleblower exposing malpractice, poor work conditions and “low quality” products that iSoon is using to “dupe” its government clients. In chats marked as featuring worker complaints, employees grumbled about sexism, long hours and weak sales.

[…C]hat messages between executives from 2022 suggest that relations between the groups had soured because iSoon was late in paying [Chinese cybersecurity firm] Chengdu 404 more than 1 million yuan ($140,000). Chengdu 404 later sued iSoon in a dispute over a software development contract. [Source]

The Record wrote that i-Soon’s leaked documents show “that the ecosystem among information security companies in China is incestuous and fluid,” and it noted that contracts often involve subcontractors and third parties instead of direct dealings with public agencies. Mei Danowski, a China cybersecurity expert and author of the Natto Thoughts newsletter, told The Guardian: “We think about [Chinese hackers] as ‘Oh, the state gives them cash to do stuff.’ In reality, if these leaked documents are true, it’s not like that. They have to go and look for business. They have to build up a reputation.” In Natto Thoughts last October, Danowski wrote a detailed background of i-Soon, highlighting its hustle to gain partnerships with the Ministry of Public Security and provincial and city Public Security Bureaus, and its high secrecy classification:

[…T]he CEO of i-SOON, Wu Haibo (吴海波), a.k.a shutdown, is a well-known first-generation red hacker or Honker (红客) and early member of Green Army (绿色兵团) which was the very first Chinese hacktivist group founded in 1997. […] In addition, like Chengdu 404, i-SOON also had connections with universities throughout Sichuan province, through hosting hacking competitions and offering training courses through its i-SOON Institute.

[…] In 2013, i-SOON established a department for research on APT network penetration methods. Business partners that i-SOON listed included all levels of public security agencies, including the Ministry of Public Security, 10 provincial public security departments, and more than 40 city-level public security bureaus.

i-SOON also possesses relevant qualifications to work for state security. i-SOON is a designated supplier for the Ministry of State Security. In 2019, i-SOON appeared among the first batch of certified suppliers (列装单位) for the Cyber Security and Defense Bureau of the Ministry of Public Security (公安部网络安全保卫局) to provide technologies, tools or equipment. Subsequently, in 2020, i-SOON received a a “Class II secrecy qualification for weapons and equipment research and production company (武器装备科研生产单位二级保密资格)” from the Ministry of Industry and Information Technology (MIIT). The Class II, the highest secrecy classification that a non-state-owned company can receive, qualifies i-SOON to conduct classified research and development related to state security. After acquiring these certifications, in July 2021, i-SOON was shortlisted for a cyber security protection project for the public security bureau of Aksu region in the Xinjiang Uyghur Autonomous Region. […] Also in 2021, the Sichuan provincial government designated Sichuan i-SOON one of “the top 30 information security companies.” [Source]

The i-Soon leak reveals a fundamental instability in China’s cyberespionage ecosystem. As one New York Times article put it, “the documents also showed that I-Soon was having financial difficulty and that it used ransomware attacks to bring in money when the Chinese government cut funding,” which is exacerbated by corruption and ongoing economic issues in China, making i-Soon a target for retaliation. Other private firms may well be dealing with a similar dynamic. Moreover, the leak shows the difficulty of combating offensive Chinese cyber operations. Dakota Cary told TechCrunch that the leak “demonstrates that the previous targeting behavior of a threat actor, particularly when they are a contractor of the Chinese government, is not indicative of their future targets,” since “[t]hey’re responding to what those [government] agencies are requesting for. And those agencies might request something different [in the future].” 

Recently, the U.S. government reportedly discovered and neutralized a threat from Volt Typhoon, a Chinese state-sponsored hacking group that had hidden malware deep inside American networks controlling critical infrastructure in the U.S. and its military bases around the world. FBI director Christopher Wray said China’s malware efforts are now at “a scale greater than we’d seen before” and only “the tip of the iceberg.” Mareike Ohlberg, a senior fellow at the German Marshall Fund, concluded, “I would not expect such activities to stop as a result, only more efforts to prevent future leaks.”