A leak of data from a Shanghai-based cybersecurity company has researchers speculating that it has exposed the workings of a Chinese government-sponsored hacking group.
The company is called i-Soon — also known as Anxun — which, according to researchers at SentinelOne, does contract work for many Chinese government departments, including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army.
Last weekend, a cache of more than 500 company documents was published on GitHub. “The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” says SentinelOne. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”
Although the source is not entirely clear, researchers at Malwarebytes say it’s likely a disgruntled staff member of the group leaked the information on purpose.
I-Soon employees complain about low pay and gamble over mahjong in the office, says SentinelOne. But the meat of the documents show the company appears to be responsible for the compromise of at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO. The leaked documents align with previous threat intel on several named threat groups, SentinelOne says.
“Victim data and targeting lists, as well as names of the clients who requested them, show a company who competes for low-value hacking contracts from many government agencies,” says SentinelOne. “The finding indicates that historical targeting information from Advanced Persistent Threats thought to be PRC [People’s Republic of China] contractors does not provide strong guidance on future targets.”
Malwarebytes says the documents show i-Soon’s tools include
- a Twitter (now X) stealer: Features include obtaining the user’s Twitter email and phone number, real-time monitoring, reading personal messages, and publishing tweets on the user’s behalf;
- Custom Remote Access Trojans (RATs) for Windows x64/x86: Features include process/service/registry management, remote shell, keylogging, file access logging, obtaining system information, disconnecting remotely, and uninstallation;
- the iOS version of the RAT also claims to authorize and support all iOS device versions without jailbreaking, with features ranging from hardware information, GPS data, contacts, media files, and real-time audio records as an extension. (Note: this part dates back to 2020);
- the Android version can dump messages from all popular Chinese chatting apps QQ, WeChat, Telegram, and MoMo, and is capable of elevating the system app for persistence against internal recovery.
- portable devices for attacking networks from the inside;
- special equipment for operatives working abroad, to establish safe communication;
- a user lookup database which lists user data, including phone number, name, and email, and can be correlated with social media accounts;
- and a targeted automatic penetration testing scenario framework.
Many of the files are versions of marketing materials for advertising the company and its services to potential customers, says SentinelOne. In a bid to get work in Xinjiang – where China subjects millions of Ugyhurs to what the UN Human Rights Council has called genocide – the company bragged about past counterterrorism work, the report says. The company also listed other terrorism-related targets the company had hacked previously, as evidence of its ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan.
Technical documents showed potential buyers how the company’s products function to compromise and exploit targets. Included in the documentation were pictures of custom hardware snooping devices, including a tool meant to look like a powerbank for charging portable devices that passed data from the victim’s network back to the hackers. Other documentation diagrammed some of the inner workings of I-Soon’s offensive toolkit. While none were surprising or outlandish capabilities, they confirmed that the company’s main source of revenue is hacking for hire and offensive capabilities.
The selection of documents and chats leaked on GitHub seem meant to embarrass the company, says SentinelOne, but they also raise key questions for the cybersecurity community. One document lists targeted organizations and the fees i-Soon earned by hacking them. Collecting data from Vietnam’s Ministry of Economy paid out US$55,000; i-Soon was paid less for data from other ministries. Another leaked messaging exchange shows an employee hacking into a university not on the targeting list. Their supervisor labeled that as an accident.
“The leaked documents offer the threat intelligence community a unique opportunity to re-evaluate past attribution efforts and gain a deeper understanding of the complex Chinese threat landscape,” says SentinelOne.
For defenders and business leaders, it adds, “the lesson is plain and uncomfortable. Your organization’s threat model likely includes underpaid technical experts making a fraction of the value they may pilfer from your organization. This should be a wakeup call and a call to action.”