Ethan Burk
Reception desk of i-soon corporate office Atlas News
On February 16th the Chinese espionage and intelligence community was devastated by a data breach of one of the country’s premier cyber espionage companies. What made matters worse was that this exposure wasn’t posted on a simple forum that could be shut down by the Chinese government, but instead was posted to GitHub, and allowed any foreign government, subgovernment, or criminal group to easily clone and disseminate the leaked data. Since GitHub mainly stores its data in the US, the process of removing the data was much more difficult and time consuming, which allowed for more media and international attention to this leak. This data breach allowed outside actors to examine the world of Chinese cyber espionage with a never-before-seen level of detail.
The leak mainly consisted of message logs between employees of the Chinese cybersecurity firm, I-soon, which discussed the projects the company was working on. The leak seems to have been focused on attacking I-soon’s reputation as the author wrote several sections highlighting how the company had abused the trust of the Chinese Ministry of Public Security, financial issues facing the company, and the allegedly low quality products I-Soon was selling to its customers.The leak focuses on the I-soon Chengdu branch specifically and goes in detail on employee treatment, specifically detailing the unfair wages and working conditions of the company. This has led some sources to speculate that this data leak was created by an internal employee or recently released employee of the company.
The anonymous leaker also released another section that was titled “I Soon infiltrated overseas government departments, including India, Thailand, Vietnam, South Korea, NATO, etc.”
This section details I-soon’s hacking campaigns in these countries/organizations. Based on a victims list aggregated by the cybersecurity researcher Soufiane Tahiri, there have been several large campaigns of both foreign governments and companies including the Mongolian Ministry of Foreign Affairs, the Paris Institute, and the Indian immigration system. The company also gained access to private companies with one of the most critical systems that was compromised, the Beeline communication system in Kazakhstan. There, I-Soon employees recorded call logs for specific customers allowing the hackers to gain detailed information on customer’s phone numbers, locations, and names.
The leak also detailed several products that I-Soon sold to its customers. These products range from legitimate cloud hosting software to more offensive tools such as viruses and credential stealing applications. In the manuals and promotional materials, there were several pictures that showed systems for exploiting and controlling Windows and Mac computers. I soon also claimed that they were able to target Android and IOS operating systems, record messages from android applications commonly used in China, and send GPS, call logs, and contact lists from IOS and Android devices to I-Soon employees. Also described in the data leak was an X credential stealer that was sold to Chinese authorities to spread propaganda on the social media platform. The company also sold a variety of physical devices that allowed Chinese agents to securely establish contact with Chinese servers from abroad.
One aspect of I-Soon’s business that cybersecurity experts found the most interesting was the “APT offense and defense” services that I-Soon offered. These services involved the company working as an offensive hacking organization that would offer its services to potential clients. Data from the company reveals the biggest clients for I-Soon’s operations were Chinese government entities that are namely the Ministry of State Security, as well as over 40 other Chinese government agencies. The level of government and company interaction displayed in
the messages sent by I-Soon employees shows that the Chinese government operates using a similar framework with North Korean and Russian hackers to allow for greater flexibility and deniability.
This leak shows China's cyber espionage ecosystem in a never-before-seen way. The leak can be analyzed as one of the tactical nature of China’s cyber espionage modus operandi and an analysis of the relationship between Chinese government contractors and Beijing. Overall, this data leak highlights how the Chinese cyber espionage market has evolved and changed to become more advanced and competitive in the modern cybersecurity landscape. The leak also exposes flaws within the Chinese cybersecurity ecosystem, such as the competitive practices between cybersecurity firms and frustration of engineers working at these companies. The information exposed in this leak will be critical to future investigations, cyberdefense, and deterrence modeling for Chinese cyberattacks.
Comments