U.S. indictments of 10 Chinese nationals connected to “APT for hire” i-Soon shed light on the company’s hacking and phishing tools and methods and on the network of private companies conducting cyberattacks on behalf of the People’s Republic of China (PRC).
A U.S. Department of Justice (DOJ) announcement of the indictments included screenshots of some of i-Soon’s offensive security tools, while the unsealed indictments added additional details about the company’s methods and tools.
The indictments charge eight i-Soon employees and two PRC officials with conspiracy to commit computer intrusions and conspiracy to commit wire fraud. The defendants remain at large.
The indictments allege that i-Soon acted under the direction of the PRC’s Ministry of State Security (MSS) and the Ministry of Public Security (MPS). The Justice Department statement said MSS and MPS “used an extensive network of private companies and contractors in China to conduct unauthorized computer intrusions (“hacks”) in the U.S. and elsewhere. One of those private companies was i-Soon.”
From 2016 through 2023, the DOJ said, i-Soon and its personnel “engaged in the numerous and widespread hacking of email accounts, cell phones, servers, and websites at the direction of, and in close coordination with, the PRC’s MSS and MPS. i-Soon generated tens of millions of dollars in revenue and at times had over 100 employees.”
The DOJ said i-Soon worked with at least 43 different MSS or MPS bureaus and charged between $10,000 and $75,000 for each email inbox it successfully hacked. Among the victims were the U.S. Defense Intelligence Agency, the U.S. Department of Commerce, and the foreign ministries of Taiwan, India, South Korea, and Indonesia. News and religious organizations were also among the targets.
In some cases, i-Soon acted at the request of the MSS or MPS, the DOJ said, while in other cases, i-Soon “conducted hacks on its own initiative and then sold, or attempted to sell, the stolen data to different bureaus of the MSS or MPS.”
i-Soon also sold its tools and methods to customers, the DOJ alleges.
One of i-Soon’s products was the “Automated Penetration Testing Platform” (screenshot below). The platform’s capabilities include launching email phishing attacks, creating malware, “and cloning websites of victims to induce them to submit personal information,” the DOJ said.
Another i-Soon product specialized in cracking passwords and was called the “Divine Mathematician Password Cracking Platform” (screenshot below).
i-Soon also sold software targeting specific systems and applications, including Microsoft Outlook, Gmail, the social media network X (formerly known as Twitter), and the Android, Windows, Mac and Linux operating systems. i-Soon claimed its software could “overcome the unique defenses of these systems,” the Justice Department said.
For X, i-Soon’s software could send a target a spear phishing link and then “obtain access to and control over the victim’s Twitter account. The software had the ability to access Twitter even without the victim’s password and to bypass multi-factor authentication,” the DOJ said. “The purpose of this software was to help i-Soon’s customers, including the PRC government, use hacked Twitter accounts to understand public opinion outside of China.”
i-Soon called the software its “Public Opinion Guidance and Control Platform (Overseas)” (screenshot below).
For Outlook, i-Soon claimed its software could generate a spear phishing link and then download the content of a victim’s mailbox if they clicked on the link. The platform was also able to bypass multi-factor authentication in some cases and manage access to multiple victim accounts at once, the indictment document said (screenshot below). i-Soon offered similar capabilities for Gmail.
i-Soon also had “rules” for employees to follow when spear phishing, along with examples of successful phishing attacks.
According to the indictment document, the first rule stated, “No batch sending, no batch sending, no batch sending.” Spear phishing emails are easier to detect as malicious when the same message is sent in batches to many recipients.
The second rule stated, “Don’t send an interface link in the first email. Send an interface link after email chats. Please refer to the provided successful cases.”
The seventh rule stated, “Strategy is very important. The purpose should not be so obvious. Must chat with the target first before giving the link.” Spear phishing attacks are more successful when they include additional social engineering, the indictment document said.
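The rules quoted above are, from a defender's side, a description of what mail-gateway detections should look for: bulk delivery of one link, and links that only appear after a conversation has been established with an outside sender. The example below is added here and is not code from the original post or from the indictment; it runs two such checks over constructed mail-gateway records (the addresses, domains, thread ids and timestamps are all invented for illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway records, not from the page or the indictment.
# Fields: (timestamp, sender, recipient, thread id, first URL in body or None).
# Threads t1-t4 are one bulk send of a single link; t5 is a low-volume thread
# where the outside sender only adds a link after a reply; t6 is internal mail.
RAW = [
    ("2025-03-05T09:00:01", "hr@payroll-update.test", "a@corp.test", "t1", "http://payroll-update.test/login"),
    ("2025-03-05T09:00:03", "hr@payroll-update.test", "b@corp.test", "t2", "http://payroll-update.test/login"),
    ("2025-03-05T09:00:05", "hr@payroll-update.test", "c@corp.test", "t3", "http://payroll-update.test/login"),
    ("2025-03-05T09:01:00", "hr@payroll-update.test", "d@corp.test", "t4", "http://payroll-update.test/login"),
    ("2025-03-06T10:00:00", "li.wei@journal-review.test", "e@corp.test", "t5", None),
    ("2025-03-06T11:30:00", "e@corp.test", "li.wei@journal-review.test", "t5", None),
    ("2025-03-06T12:00:00", "li.wei@journal-review.test", "e@corp.test", "t5", "http://journal-review.test/doc"),
    ("2025-03-06T12:05:00", "f@corp.test", "g@corp.test", "t6", "http://intranet.corp.test/x"),
]
MAIL_LOG = [dict(zip(("ts", "from", "to", "thread", "url"), r)) for r in RAW]
INTERNAL_DOMAIN = "corp.test"  # assumed organisation domain

def _ts(r): return datetime.fromisoformat(r["ts"])
def _external(addr): return not addr.endswith("@" + INTERNAL_DOMAIN)

def find_batch_sends(log, window=timedelta(minutes=10), min_recipients=3):
    """Same external sender delivering the same URL to >= min_recipients distinct
    recipients inside one time window: the pattern the 'no batch sending' rule avoids."""
    by_key = defaultdict(list)
    for r in log:
        if r["url"] and _external(r["from"]):
            by_key[(r["from"], r["url"])].append(r)
    hits = []
    for (sender, url), recs in by_key.items():
        recs.sort(key=_ts)
        for i, first in enumerate(recs):  # slide the window from each send
            rcpts = {x["to"] for x in recs[i:] if _ts(x) - _ts(first) <= window}
            if len(rcpts) >= min_recipients:
                hits.append((sender, url, len(rcpts)))
                break
    return hits

def find_late_links(log):
    """External sender whose first message in a thread carried no link while a
    later one does: the chat-first, link-later pattern the other rules describe."""
    threads = defaultdict(list)
    for r in log:
        threads[r["thread"]].append(r)
    hits = []
    for tid, recs in threads.items():
        ext = sorted((r for r in recs if _external(r["from"])), key=_ts)
        if len(ext) >= 2 and ext[0]["url"] is None and any(r["url"] for r in ext[1:]):
            hits.append((tid, ext[0]["from"], next(r["url"] for r in ext[1:] if r["url"])))
    return hits
```

Neither check is a phishing verdict on its own; the second in particular is a low-volume signal that is only useful when combined with sender reputation and link analysis, which is exactly why the quoted rules favour it.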
The U.S. indictments underscore the motivation and sophistication of advanced persistent threat (APT) groups and the need for vigilant security teams to defend their organizations.
That means building in cyber resilience to limit damage from any cyberattacks that may occur and practicing good cybersecurity hygiene. Patching, network segmentation, Zero Trust, proper configuration and secrets protection, ransomware-resistant backups, hardened endpoints and infrastructure, and network, endpoint, and cloud monitoring are all practices that can limit damage and lateral movement – and potentially prevent attacks from occurring in the first place.
Cyble’s comprehensive attack surface management solution can help organizations bolster security by monitoring cloud and network environments for vulnerabilities and prioritizing fixes, in addition to dark web monitoring and other solutions.