New Leak Shows Business Side of China’s APT Threat – Krebs on Security

A new data leak that appears to come from one of China’s leading private cybersecurity companies provides a rare glimpse into the commercial side of several Chinese state-sponsored hacking groups. Experts say the leak illustrates how Chinese government agencies are increasingly contracting out foreign espionage campaigns to the country’s growing and highly competitive cybersecurity industry.

A marketing slide deck highlighting i-SOON’s Advanced Persistent Threat (APT) capabilities.

A large cache of more than 500 documents published on GitHub last week indicates that the records come from i-SOON, a technology company headquartered in Shanghai that is perhaps best known for providing cybersecurity training courses throughout China. But the leaked documents, which include candid employee chats and images, show a less public side of i-SOON, one that routinely initiates and sustains cyberespionage campaigns on commission for various Chinese government agencies.

The leaked documents suggest that i-SOON employees were responsible for a raft of cyber intrusions over the years, penetrating government systems in the United Kingdom and countries across Asia. Although the cache does not include raw data stolen from cyber espionage targets, it does contain several documents that list the level of access gained and the types of data exposed in each intrusion.

Security experts who have examined the leaked data say they believe the information is legitimate, and that i-SOON works closely with China’s Ministry of State Security and the military. In 2021, the Sichuan provincial government named i-SOON as one of the “top 30 information security companies.”

“The leak provides some of the most concrete details the public has seen to date, revealing the mature nature of China’s cyber espionage ecosystem,” says Dakota Cary, a China-focused consultant to the security firm SentinelOne. “This clearly shows how government targeting requirements are driving a competitive market of independent hacker-for-hire contractors.”

Mei Danowski is a former intelligence analyst and China expert who now writes about her research in a Substack publication called Natto Thoughts. Danowski said i-SOON has achieved the highest classification of secrecy a non-state-owned company can receive, which qualifies the company to conduct classified research and development related to state security.

i-SOON’s “business services” webpage says the company’s offerings include public safety, anti-fraud, blockchain forensics, business security solutions, and training. Danowski said that in 2013, i-SOON established a department for research on developing new APT network penetration methods.

APT stands for Advanced Persistent Threat, a term that usually refers to state-sponsored hacking groups. Indeed, among the documents apparently leaked from i-SOON is a sales pitch slide that boldly touts the hacking skills of the company’s APT team (see screenshot above).

i-SOON CEO Wu Haibo, in 2011. Image: nattothoughts.substack.com.

The leaked documents include a lengthy chat between the company’s founders, who repeatedly discuss flagging sales and the need to secure more employees and government contracts. Danowski said that the CEO of i-SOON, Wu Haibo (“Shutdown” in the leaked chats), is a well-known first-generation red hacker or “Honker,” and an early member of the Green Army, the first Chinese hacktivist group, founded in 1997. Mr. Haibo has not yet responded to a request for comment.

In October 2023, Danowski detailed how i-SOON became embroiled in a software development contract dispute when it was sued by a competing Chinese cybersecurity company called Chengdu 404. In September 2021, the US Department of Justice unsealed indictments against several Chengdu 404 employees, alleging the company was a front hiding more than a decade’s worth of cyber intrusions attributed to a threat actor group known as “APT 41.”

Danowski said the existence of this legal dispute suggests that Chengdu 404 and Sichuan i-SOON have, or at one time had, a business relationship, and that one company may have served as a subcontractor to the other in certain cyber espionage campaigns.

“From what they’re chatting about we can see that this is a very competitive industry, where companies in this space are constantly poaching each other’s employees and equipment,” Danowski said. “The infosec industry is always trying to distinguish (the work of) one APT group from another. But that’s harder to do.”

It remains unclear whether i-SOON’s work has earned it a unique APT designation. But Will Thomas, a cyber threat intelligence researcher at Equinix, found an Internet address in the leaked data that matched a domain flagged in a 2019 Citizen Lab report about one-click mobile phone exploits used to target groups in Tibet. That 2019 report identified the threat actor behind the attacks as an APT group called Poison Carp.

Several images and chat records in the data leak suggest that i-SOON clients periodically give the company a list of targets they want infiltrated, but sometimes employees are confused by the instructions. One screenshot shows a conversation in which an employee tells his boss that they have just hacked one of the universities on the latest list, only to be told that the victim in question was never a desired target.

The leaked chats show that i-SOON continually tries to recruit new talent by hosting a series of hacking competitions across China. It also does charity work, and seeks to engage employees and maintain morale through various team-building activities.

However, the chats include many conversations in which employees commiserate over long hours and low pay. The overall tone of the discussions indicates that employee morale was relatively low and that the work environment was somewhat toxic. In several conversations, i-SOON employees openly discussed with their bosses how much money they had lost gambling online on their mobile phones while at work.

Danowski believes the i-SOON data may have been leaked by one of the disgruntled employees.

“It was released on the first working day after Chinese New Year,” Danowski said. “I’m sure whoever did this planned it, because you can’t get all the information at once.”

SentinelOne’s Cary said he reached the same conclusion, noting that the Protonmail account tied to the GitHub profile that published the records was registered a month before the leak, on January 15, 2024.

China’s much-vaunted Great Firewall not only allows the government to control and limit what citizens can access online; this distributed spying apparatus also allows authorities to block data on Chinese citizens and companies from ever leaving the country.

As a result, China enjoys a unique information asymmetry vis-a-vis almost all other industrialized countries, which makes this apparent leak of data from i-SOON a rare find for Western security researchers.

“I’m so happy to see it,” Cary said. “Every day I expect data leaks to come out of China.”

That information asymmetry is at the heart of the Chinese government’s cyberwarfare goals, according to a 2023 analysis by Margin Research performed on behalf of the Defense Advanced Research Projects Agency (DARPA).

“In the field of cyberwarfare, western governments view cyberspace as the ‘fifth domain’ of war,” the Margin study says. “The Chinese, however, see cyberspace in the broader context of information space. The ultimate goal is not to ‘control’ cyberspace, but to control information, a vision that dominates the cyber operations in China.”

The National Cybersecurity Strategy issued by the White House last year singled out China as the single biggest cyber threat to US interests. While the United States government has contracted out some aspects of its cyber operations to private sector companies, it has not followed China’s example of promoting the wholesale theft of state and corporate secrets for commercial purposes that benefit its own private industries.

Dave Aitel, a co-author of the Margin Research report and a former computer scientist at the US National Security Agency, said it would be nice to see Chinese cybersecurity companies having to deal with all the same contracting headaches that US companies seeking federal government work face.

“This leak just shows that there are layers of contractors all the way down,” Aitel said. “It would be great to see a Chinese version of this.”
