The leak gives cybersecurity researchers and rival governments an unprecedented opportunity to look behind the curtain of Chinese government hacking operations carried out through private contractors.
Similar to the hack-and-leak operation targeting Italian spyware maker Hacking Team in 2015, the I-Soon leak includes internal corporate documents and communications, showing that I-Soon was allegedly involved in hacking corporations and government agencies in India, Kazakhstan, Malaysia, Pakistan, Taiwan, and Thailand, among others.
The leaked files were published on the code-sharing platform GitHub on Friday. Since then, observers of China’s hacking operations have been frantically studying the files.
“This is the most significant data breach similar to a company suspected of conducting cyber espionage and intrusion targeting the Chinese security network,” said Jon Condra, a threat intelligence analyst at cybersecurity firm Recorded Future.
John Hultquist, a lead analyst at Google-owned Mandiant, called the leak “narrow but deep.” “Rarely do we have such unfettered access to the inner workings of an intelligence operation.”
Dakota Cary and Aleksandar Milenkoski, analysts at cybersecurity firm SentinelOne, wrote in a blog post that “this leak provides a one-of-a-kind insight into the internal operations of a state-affiliated hacking contractor.”
And Mathieu Tartare, a malware researcher at ESET, said the leak “could help threat intelligence analysts link some of the compromises they’ve observed with I-Soon.”
One of the first people to notice the leak was a Taiwanese threat intelligence researcher known as Azaka. On Sunday, Azaka posted a lengthy thread on X, formerly Twitter, analyzing some of the documents and files, which appear to be dated to 2022. The researcher highlighted spyware developed by I-Soon for Windows, Mac, iPhone, and Android devices, as well as hardware hacking devices designed for use in the field and capable of cracking Wi-Fi passwords, locating Wi-Fi devices, and disrupting Wi-Fi signals.
I-Soon’s “WiFi Near-Field Attack System,” a system for hacking into Wi-Fi networks, disguised as an external battery. (Screenshot: Azaka)
“Regardless, we researchers are getting confirmation that this is how things work there and that APT teams work pretty similarly to the rest of the normal staff (except they’re terribly paid),” Azaka told TechCrunch, “that the scale is pretty much.” APTs, or advanced persistent threats, are hacking teams that are usually sponsored by a government.
According to the researchers’ analysis, the documents show that I-Soon worked for China’s Ministry of Public Security, Ministry of State Security, and Army and Navy; I-Soon has also marketed and sold its products to local authorities across China to help target minorities such as Tibetans and Uyghurs, a Muslim minority living in China’s western region of Xinjiang.
The documents link I-Soon to APT41, a Chinese government hacking group that has reportedly been active since 2012, targeting organizations in the healthcare, telecommunications, technology, and video game industries around the world.
In addition, an IP address found in the I-Soon leak hosted a phishing site that the human rights organization Citizen Lab saw used against Tibetans in a hacking campaign in 2019. Citizen Lab researchers dubbed that hacking group “Poison Carp.”
Azaka, along with others, also uncovered records of conversations between I-Soon workers and management, some of them incredibly mundane, such as those of workers talking about gambling and mahjong, a popular Chinese tile-based game.
Cary highlighted documents and discussions that show how much (or how little) I-Soon workers are paid.
“They’re being paid $55,000 [U.S.] — in 2024 dollars — to hack Vietnam’s Ministry of Economy, that’s not a lot of money for a goal like that,” Cary told TechCrunch. “It makes me think about how reasonable it is for China to carry out an operation against a high-value target. And what does this tell us about the nature of organizational security?”
What the leak also shows, according to Cary, is that researchers and cybersecurity firms should be wary of predicting the long-term targeting of mercenary hacking teams from their past activities.
“This shows that a threat actor’s prior behavior to attack targets, i.e., when it comes to a Chinese government contractor, is not indicative of its long-term goals,” Cary said. “So it doesn’t make sense to go after this organization and say, ‘Oh, they’ve only hacked the fitness sector, or they’ve hacked the X, Y, Z industries, and they’ve hacked those countries.’ They’re reacting to what those [government] agencies are asking for. And those agencies could ask for anything different. They may simply do business with a new workplace and a new location.”
The Chinese Embassy in Washington, D.C., responded to a request for comment.
An email sent to I-Soon’s support inbox went unanswered. Two anonymous I-Soon employees told The Associated Press that the company held a meeting Wednesday and told staff that the leak would have no effect on their business and that they would “continue work as usual.”
At this point, it is not known who published the leaked documents and files, and GitHub has since removed the leaked cache from its platform. But several researchers agree that the most likely explanation is a disgruntled current or former employee.
“The people who compiled this leak gave it an index. And the leak index shows workers complaining about the company’s low wages and monetary conditions,” Cary said. “The leak is structured in such a way as to embarrass the company.”