
Hacking firm I-Soon data leak revealed Chinese gov hacking capabilities


The leak of a collection of files apparently stolen from I-Soon, a hacking contractor working for the Chinese government, has exposed the firm's offensive capabilities.

Someone recently uploaded to GitHub [1,2] a collection of files apparently stolen from the Chinese hacking firm I-Soon. An analyst based in Taiwan, known as Azaka, discovered the data leak and shared their findings on social media.

I-Soon is a prominent contractor for various agencies of the Chinese government, including the Ministry of Public Security, the Ministry of State Security, and the People's Liberation Army.

SentinelOne researchers noticed that on January 15 at 10:19 pm, an individual registered the email address I-SOON@proton.me. On February 16, an account linked to that email uploaded a batch of files including marketing documents, images, screenshots, and a substantial collection of WeChat messages exchanged between I-Soon employees and clients.

The alleged data breach revealed the capabilities of the China-linked hacking contractor.

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem. It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.” reads an analysis published by SentinelOne.

The leaked documents include internal communications describing hacking operations against companies and government agencies in several countries, including India, Kazakhstan, Malaysia, Pakistan, and Taiwan. According to the documents, I-Soon was involved in the compromise of at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO.

At this time, the identity of the person behind the leak and their motivation remain unknown. Nevertheless, the breach offers a rare insight into the internal workings of a state-affiliated hacking contractor. The authenticity of the leaked documents has yet to be confirmed, and efforts to validate the information are ongoing, although several aspects align with existing public threat intelligence.

The documents, some dated as recently as 2022, show that the Chinese contractor developed sophisticated spyware capable of targeting Windows, macOS, iOS and Android devices. The arsenal developed by I-Soon also includes hardware hacking tools, such as snooping devices and systems for breaking into Wi-Fi networks.

Azaka noticed that the hacking firm operates a DDoS system based on a bot that can infect Windows, Linux, and generic IoT devices; the documents claim a total botnet throughput of 10 to 100 Gbps. The Chinese firm also developed an automated penetration-testing platform that supports Windows, Linux, web services, and networking equipment.

"Us researchers finally have a confirmation that this is how things are working over there and that APT groups pretty much work like all of us regular workers (except they're getting paid horribly)," the analyst Azaka told TechCrunch, "that the scale is decently big, that there is a lucrative market for breaching large government networks." APT, or advanced persistent threat, groups are hacking groups typically backed by a government.

Some documents link I-Soon to the Chinese APT41 group. One document lists targeted organizations and the fees the company earned by hacking them: the Chinese government paid $55,000 for data stolen from Vietnam's Ministry of Economy.

The APT41 group (aka Winnti, Axiom, Barium, Blackfly, HOODOO) is a China-linked cyberespionage group that has been active since at least 2007.

This data leak demonstrates the importance of third-party contractors within the strategy of nation-state actors. Their support enhances the offensive operations carried out by Beijing and makes attribution of the attacks harder.


Pierluigi Paganini

(SecurityAffairs – hacking, I-Soon)