Introduction

i-SOON (上海安洵), a prominent contractor for Chinese government agencies including the Ministry of Public Security (MPS), the Ministry of State Security (MSS) and the People's Liberation Army (PLA), suffered a significant data breach over the weekend of February 16th. The leak exposes the internal workings of a state-affiliated hacking contractor, although the source of the leak and the motivation behind it remain unknown. Verification of the leaked documents is still ongoing, but what has been checked so far is consistent with existing public threat intelligence.

My Keypoints

The leak offers unprecedented insight into China's evolving cyber-espionage ecosystem: government tasking feeds a competitive market of independent hackers-for-hire rather than a single, centrally run operation.

Despite internal complaints about low employee pay and reports of gambling in the office, i-SOON's operations appear linked to compromises affecting at least 14 governments, pro-democracy groups in Hong Kong, universities and NATO.

The leaked documents include client lists and targeted entities, and they show i-SOON chasing many low-value hacking contracts across multiple government agencies. This cuts against assumptions built on the historical targeting of the Advanced Persistent Threats associated with Chinese contractors, which tends to be read as the output of coordinated, high-priority tasking.

Analysts were able to work through the leaked data quickly using machine translation, which opened the material to people beyond the small pool of language specialists. Understanding the relationships inside the data, between contracts, operators, infrastructure and targets, still demands domain expertise. Regionally focused analysis remains invaluable, but the lower entry barrier lets a wider community scrutinise complex patterns and relationships.

In conclusion, the i-SOON data leak not only exposes the inner workings of state-affiliated cyber operations but also shows how the practice of cyber-threat-intelligence analysis itself is changing.

Interesting i-SOON Overlaps

According to BushidoToken (HERE), the leaked data contains several overlaps with, and connections to, threat actors that have already been discovered and analysed in past years.

One connection is with the threat group POISON CARP, identified through an IP address (74.120.172[.]10) that hosted a phishing site (mailnotes[.]online). This site was cited in Citizen Lab's report on Tibetan groups targeted with mobile exploits, which fits the MPS operations that i-SOON supported.

Another connection emerged from Chinese court documents that link i-SOON to Chengdu 404, a commercial spying firm, following a dispute over intellectual property.

A further link, to the APT group JACKPOT PANDA, was found via an IP address (8.218.67[.]52) in the leak that is referenced in Trend Micro's report on chat applications abused in supply-chain attacks. This is consistent with i-SOON's focus on targeting the online gambling industry.

Finally, the leak shows ties to the ShadowPad and Winnti malware families, which are referenced both in i-SOON's product whitepapers and in the US Department of Justice indictment of APT41 and Chengdu 404. Both families have been associated with a range of Chinese cyber-espionage campaigns.

NB: AI tools were used to produce fluent English and to translate sections.

Great Resources

SentinelLabs Blog Post: Unmasking I-Soon | The Leak That Revealed China's Cyber Operations

Unit42 Blog Post: Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns

BushidoToken Blog Post: Lessons from the iSOON Leaks

Suggested Reading (it provides a much broader view, including geopolitical and international-affairs considerations): The i-SOON Data Leak
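Pivoting from leaked infrastructure to prior public reporting, as the overlaps above do, comes down to normalising indicators and matching them against what has already been published. The Python below is an added example and is not code from this post or from any of the cited reports: it refangs indicators written in the usual [.] / (.) / hxxp styles, picks out IPs and domains from a constructed sample of leak-like lines, and looks each one up in a small table that simply restates the overlaps named above (actor and source as given in the post). The sample lines, the lookup table and the function names are assumptions for illustration.

```python
import ipaddress
import re

# Prior public reporting that the leak's indicators are checked against.
# The entries restate the overlaps named in the post (indicator -> actor, source);
# they are not data pulled from the cited reports themselves.
PRIOR_REPORTS = {
    "74.120.172.10": ("POISON CARP", "Citizen Lab report on Tibetan groups targeted with mobile exploits"),
    "mailnotes.online": ("POISON CARP", "Citizen Lab report on Tibetan groups targeted with mobile exploits"),
    "8.218.67.52": ("JACKPOT PANDA", "Trend Micro report on chat applications used in supply-chain attacks"),
}

# Constructed sample of lines as they might appear in a leak dump or a
# machine-translated analyst note: mixed defanging styles, noise and duplicates.
LEAK_LINES = """
目标: hxxps://mailnotes[.]online/login  (phishing)
c2 74.120.172[.]10:443
8[.]218[.]67[.]52
duplicate 8.218.67(.)52
unrelated 192.0.2.7 and example[.]com
"""

# Candidate tokens: optional hxxp(s):// scheme, then host characters including the
# bracket/paren/brace styles used for defanging, then an optional URL path.
INDICATOR_RE = re.compile(r"(?:hxxps?://)?[A-Za-z0-9\[\]\(\)\{\}.-]+(?:/\S*)?", re.I)


def refang(token):
    """Undo common defanging: [.] (.) {.} around dots, an hxxp(s) scheme,
    and stray punctuation left from the surrounding prose."""
    t = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", token)
    t = re.sub(r"^hxxps?://", "", t, flags=re.I)
    return t.strip(".,;:)(")


def extract_indicators(text):
    """Return the set of refanged IPs and domains found in free text."""
    found = set()
    for tok in INDICATOR_RE.findall(text):
        host = refang(tok).split("/")[0].split(":")[0]
        try:
            ipaddress.ip_address(host)  # valid IPv4/IPv6 literal
            found.add(host)
            continue
        except ValueError:
            pass
        # Crude domain test: contains a dot and ends in a letter (TLD), which
        # filters out numbers such as port values and bare words.
        if "." in host and host[-1].isalpha():
            found.add(host.lower())
    return found


def correlate(text, prior=PRIOR_REPORTS):
    """Map each indicator in the text that appears in prior reporting to its
    (actor, source) attribution; unknown indicators are left out."""
    return {ind: prior[ind] for ind in sorted(extract_indicators(text)) if ind in prior}


if __name__ == "__main__":
    for indicator, (actor, source) in correlate(LEAK_LINES).items():
        print(f"{indicator:20} -> {actor} ({source})")
```

Indicators that fall through (here 192.0.2.7 and example.com) are exactly the ones worth a second look in passive DNS or certificate transparency before they are either attributed or discarded; a match in the table is a lead, not proof, since shared hosting and re-used infrastructure produce false overlaps.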