Loading Now
The recent I-Soon data breach offers insight into China’s cyber-espionage activities.
The recent I-Soon data breach offers insight into China's cyber-espionage activities.

The recent I-Soon data breach offers insight into China’s cyber-espionage activities.

A major data leakThe release of confidential information from i-Soon, a Chinese cybersecurity company, has revealed new information about China’s state-sponsored hacking activities. The leaked documents include contracts, marketing materials, product manuals, lists of clients and employees, chat logs, company profiles, and data samples. The documents mention operations aimed at targets in more than 20 countries, such as telecommunications networks, government agencies, hospitals, universities, think tanks, and non-governmental organizations. This disclosure highlights the widespread and diverse nature of China’s cyberespionage efforts. from the National Security Agency

The largest breach of information from the National Security Agency.
Jon Condra, a threat intelligence analyst at Recorded Future, stated that the company was connected to alleged activities of supplying cyber espionage and targeted intrusion services to Chinese security services. Dakota Cary and Aleksandar Milenkoski from SentinelLabs, a platform of SentinelOne, also supported this claim.

a summary of the beginning and information contained in the i-Soon data breach

At 10:19 pm on January 15th, an individual registered the email address [email protected]. One month later, on February 16th, an account using that email address was created and began uploading content.GitHub the files included a large number of I-SOON’s

Dozens of marketing files, images, and screenshots as well as thousands of WeChat messages between I-SOON employees and clients were uploaded. A Taiwan-based analyst discovered this collection of documents on GitHub, which also contained a significant amount of I-SOON’s information.shared their findings on social media. [Links added by CDT.]

Numerous documents are different iterations of promotional materials designed to promote the company and its offerings to potential clients. In an attempt to secure projects in Xinjiang, where China is accused of committing genocide against millions of Uyghurs, the company boasted about their past experiences in counterterrorism. They also cited their successful hacking of other terrorism-related targets, such as counterterrorism facilities in Pakistan and Afghanistan, as proof of their capability in this field.

Elsewhere, technical documents demonstrated to potential buyers how the company’s products function to compromise and exploit targets. Listed in the documentation were pictures of custom hardware snooping devices, including a tool meant to look like a powerbank that actually passed data from the victim’s network back to the hackers. Other documentation diagrammed some of the inner workings of I-SOON’s offensive toolkit. While none were surprising or outlandish capabilities, they confirmed that the company’s main source of revenue is hacking for hire and offensive capabilities. [Source]

The journalists Paul Mozur, Keith Bradsher, John Liu, and Aaron Krolik wrote about at The New York Times.the range of i-Soon’s hacking tools, materials, and targets:

Last week, materials were published on a public website that exposed a period of eight years focused on accessing databases and intercepting communications in South Korea, Taiwan, Hong Kong, Malaysia, India, and other parts of Asia. The documents also outlined a plan to closely surveil the actions of ethnic minorities in China and online gambling businesses.

The leaked materials outlined I-Soon’s hacking methods, which involved using technology to access Outlook email accounts and gather personal details such as contact lists and iPhone location data. One document even contained detailed flight records from a Vietnamese airline, including passengers’ identification numbers, occupations, and travel destinations.

I-Soon announced that it has developed technology to cater to the needs of China’s police force. This includes software that can track public opinion on social media within China. They have also created a tool specifically for targeting accounts on X, which is capable of extracting personal information such as email addresses and phone numbers. In certain situations, this tool may even assist in hacking into the accounts.

The data breach included a significant database of Taiwan’s road system, a democratic island that has been disputed and targeted by China for invasion. The 459 gigabytes of maps were from 2021 and revealed the military value of information gathered by companies like I-Soon, according to experts. The Chinese government has also recognized the sensitivity of Chinese driving navigation data and has imposed strict restrictions on its collection.Source]

part of China’s efforts to suppress dissidents and control information, they also targeted pro-democracy groups in Hong Kong, Uyghur communities in Central and Southeast Asia, the Tibetan government in exile, the British think tank Chatham House, the French university Sciences Po, Amnesty International, and NATO. These actions reflect China’s attempts to silence political opposition and manipulate information.

The analysis was given by a single analyst.

On X (previously known as Twitter), several leaked documents included records of phone calls and usage of location services from telecommunication companies. This type of data from mobile users could potentially enable i-Soon and government intelligence agents to accurately determine a user’s current location.

On Tuesday, i-Soon’s website went offline, and later in the week the GitHub repository was disabled

Despite the challenges, Dake Kang of the Associated Press was able to conduct a visit to i-Soon’s offices in Chengdu. During his visit, two employees confirmed the leak and Kang documented his findings in a report.thread on X and highlighted documents explaining i-Soon’s logic behind targeting the platform:

Analysts with the Taiwan-based TeamT5 cybersecurity firm said the leaked documents support their analysis that “China’s private cybersecurity sector is pivotal in supporting China’s APT attacks globally

“According to cybersecurity researcher Will Thomas, APT (advanced persistent threat) refers to the most sophisticated hacking groups in the world. The discovery of connections between APT campaigns and i-Soon has challenged the belief that threat groups operate independently in a compartmentalized manner.”BushidoToken

She further explained that the leak strengthens the notion that. , including sharing of tactics and tools.

Chinese APT groups have various connections with each other, which involve sharing of strategies and resources.

Similar to the underground world of cybercrime.

A retaliatory act by someone seeking to incriminate the victim with law enforcement.
David Robinson, co-founder of the Australian cybersecurity firm Internet 2.0, stated that the breach had global implications. The Washington Post’s Christian Shepherd, Cate Cadell, Ellen Nakashima, Joseph Menn, and Aaron Schaffer provided coverage of the leak in their reporting.
China’s messy ecosystem of “patriotic” hackers, which in this case appears to have devolved into infighting and dissatisfaction:

The combination of government backing and a focus on profits in China has resulted in a vast array of individuals and organizations vying to take advantage of weaknesses and expand their enterprises.

In recent years, Chinese security researchers from private companies have shown significant improvement. They have been successful in winning more international hacking competitions and receiving higher bounties from tech companies.

However, the iSoon documents include grievances from dissatisfied workers about inadequate compensation and excessive workload. According to Adam Kozy, a former FBI analyst working on a book about Chinese hacking, numerous hackers receive less than $1,000 per month, which is surprisingly low even in China.

It is not known who published the documents or for what reason, but experts in cybersecurity suggest that it could be a disgruntled ex-employee or a hacking attempt by a competing organization.

The individual who leaked the information identified themselves on GitHub as a whistleblower who exposed unethical behavior, inadequate working conditions, and subpar products being used by iSoon to deceive their government customers. In conversations labeled as worker grievances, employees expressed dissatisfaction with sexism, excessive workload, and poor sales performance.


Chat conversations among high-level leaders in 2022 indicate that the relationship between the two parties had deteriorated due to iSoon’s delay in payment of over 1 million yuan ($140,000) to Chinese cybersecurity firm Chengdu 404. As a result, Chengdu 404 took legal action against iSoon regarding a contract for software development.Source]

incestuous and fluid
The article mentioned that contracts frequently involve working with subcontractors and third parties rather than directly dealing with government entities. Mei Danowski, an expert in Chinese cybersecurity and the author of Natto Thoughts newsletter, informed The Guardian that the common perception of Chinese hackers receiving funding from the government is not entirely accurate. If the leaked documents are authentic, it suggests a different reality.

They need to search for opportunities in the market.
In October’s Natto Thoughts, Danowski provided a thorough overview of i-Soon, emphasizing the importance of building a reputation.

It is challenging to establish partnerships with the Ministry of Public Security and local Public Security Bureaus, as they are highly classified and require confidentiality.:

The founder and CEO of i-SOON, Wu Haibo (吴海波), also known as “shutdown,” is a renowned pioneer in the hacker community and a founding member of the first Chinese hacktivist group, Green Army (绿色兵团), established in 1997. Additionally, i-SOON, similar to Chengdu 404, had partnerships with universities in Sichuan province. They organized hacking competitions and provided training courses through their i-SOON Institute.

In 2013, i-SOON created a division dedicated to studying ways to infiltrate APT networks. Their list of business partners included various public security agencies such as the Ministry of Public Security, 10 provincial departments, and over 40 city-level bureaus.

i-SOON also possesses relevant qualifications to work for state security. i-SOON is a designated supplier for the Ministry of State Security. In 2019, i-SOON appeared among the first batch of certified suppliers (列装单位) for the Cyber Security and Defense Bureau of the Ministry of Public Security (公安部网络安全保卫局) to provide technologies, tools or equipment. Subsequently, in 2020, i-SOON received a a “Class II secrecy qualification for weapons and equipment research and production company (武器装备科研生产单位二级保密资格)” from the Ministry of Industry and Information Technology (MIIT). The Class II, the highest secrecy classification that a non-state-owned company can receive, qualifies i-SOON to conduct classified research and development related to state security. After acquiring these certifications, in July 2021, i-SOON was shortlisted for a cyber security protection project for the public security bureau of Aksu region in the Xinjiang Uyghur Autonomous Region. […] Also in 2021, the Sichuan provincial government designated Sichuan i-SOON one of “the top 30 information security companies.” [Source]

The organization resorted to utilizing ransomware attacks as a means of generating income after experiencing reduced funding from the Chinese government.

The leak of sensitive information from i-Soon highlights the impact of corruption and economic challenges in China, creating a vulnerable situation for the company to potentially face retaliatory actions. This situation may also be applicable to other private businesses. The incident also exposes the challenges in countering offensive cyber operations from China, as stated by Dakota Cary to TechCrunch. It is evident that this contractor of the Chinese government has a history of targeting behavior, making it difficult to combat their actions.

does not reflect their future goals
“They are responding to the requests made by government agencies. These agencies might ask for something different in the future.”

A warning issued by Volt Typhoon exceeded by the Russians

According to FBI director Christopher Wray, a Chinese hacking group, sponsored by the state, has infiltrated American networks responsible for critical infrastructure within the country and its military bases globally. Wray stated that China’s use of malware has reached unprecedented levels, second only to Russian efforts.

The top or visible part of a larger issue or problem.

Mareike Ohlberg, a senior fellow at the German Marshall Fund, stated that she does not anticipate these actions to cease as a consequence.

More effort is needed to prevent leaks in the future..”