# China's State-Backed Hackers Exposed: iSoon Leaked Data Reveals Global Targets, ...
A trove of leaked documents, originally found on GitHub before being removed, has ripped open the underlying functioning of China's secretive cyber espionage operations.
The leaks center on the company iSoon, which presents a contradictory facade: it poses as a cybersecurity firm while facing credible allegations of acting as an _"Advanced Persistent Threat (APT)-for-hire."_
Though direct links to the Chinese government remain difficult to conclusively prove, security experts widely suspect state sponsorship. This breach exposes China's tactics, India's critical position as a prime target, and the alarming new model of using private hackers to execute state-backed cyber espionage.
## Inside iSoon – Anatomy of a Cyber Espionage Operation
I-Soon, also referred to as [Anxun](https://github.com/soufianetahiri/Anxun-isoon/tree/main/OCRd_images) in Mandarin, operates as a Chinese firm purportedly specializing in public network security and digital intelligence solutions. Despite its outward facade, leaked data suggests a more clandestine role, potentially functioning as an "Advanced Persistent Threat (APT)-for-hire," collaborating with entities such as the Chinese Ministry of Public Security (MPS) and potentially other state agencies.
Here's a brief overview of I-Soon:
- **Founded:** 2010
- **Headquarters:** Shanghai, China
- **Services:** Cybersecurity, digital intelligence
- **Allegations:** Cyber espionage, hacking, surveillance, targeting governments, businesses, and individuals
The company garnered attention in February 2024 following a substantial data leak. The leaked information comprised contracts, communications, and other documents seemingly affirming I-Soon's involvement in cyber espionage endeavors.
Specifically, I-Soon (上海安洵) serves as a contractor for various PRC agencies, including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army. The leaked data, which surfaced over the weekend of February 16th, offers a rare glimpse into the internal workings of a state-affiliated hacking contractor.
Leaked chats also reveal the dominance of a user named "lengmo," implying a leadership role. Intense communication between "lengmo" and "Shutd0wn" hints at internal hierarchies and potential influences within iSoon's operations.
However, the authenticity of the leaked documents remains uncertain. While the contents of the leak validate public threat intelligence, efforts to corroborate the documents are ongoing.
Message timestamps show that peak activity aligns with Chinese work hours. While operational schedules can shift, this predictability could give defenders a pattern to work with, both for attribution and for anticipating when activity is most likely.
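The work-hour analysis described above is a standard attribution technique: convert message or log timestamps into a candidate time zone and check how tightly they cluster in a local working day. The following Python is an added example, not code from the article or from any of the leaked material; the timestamps are constructed sample data, and the candidate zones are expressed as fixed UTC offsets (no daylight-saving handling), which is an assumption made to keep the example self-contained.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of ten chat messages (not from the leak).
# In UTC+8 most fall on a weekday between 09:00 and 18:00; two do not.
SAMPLE_TIMESTAMPS_UTC = [
    "2023-03-06T01:15:00",  # Mon 09:15 UTC+8
    "2023-03-06T02:40:00",  # Mon 10:40 UTC+8
    "2023-03-06T06:05:00",  # Mon 14:05 UTC+8
    "2023-03-07T01:50:00",  # Tue 09:50 UTC+8
    "2023-03-07T03:20:00",  # Tue 11:20 UTC+8
    "2023-03-07T08:30:00",  # Tue 16:30 UTC+8
    "2023-03-08T02:10:00",  # Wed 10:10 UTC+8
    "2023-03-08T17:45:00",  # Thu 01:45 UTC+8 (off-hours)
    "2023-03-11T03:00:00",  # Sat 11:00 UTC+8 (weekend)
    "2023-03-09T02:25:00",  # Thu 10:25 UTC+8
]

# Candidate zones as fixed offsets (assumption: no DST; a real analysis
# would use zoneinfo with named IANA zones instead).
CANDIDATE_ZONES = {
    "UTC+8 (China Standard Time)": timezone(timedelta(hours=8)),
    "UTC+0": timezone.utc,
    "UTC-5": timezone(timedelta(hours=-5)),
}


def parse_utc(ts):
    """Parse an ISO-8601 timestamp that is known to be in UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def work_hour_profile(timestamps_utc, tz, start=9, end=18):
    """Bucket timestamps by local hour in tz and measure how many fall on
    a weekday inside [start, end). Returns a summary dict."""
    local = [parse_utc(t).astimezone(tz) for t in timestamps_utc]
    by_hour = Counter(dt.hour for dt in local)
    in_work = sum(1 for dt in local if dt.weekday() < 5 and start <= dt.hour < end)
    peak_hour, peak_count = by_hour.most_common(1)[0]
    return {
        "total": len(local),
        "in_work_hours": in_work,
        "work_hour_share": in_work / len(local) if local else 0.0,
        "peak_hour": peak_hour,
        "peak_count": peak_count,
        "by_hour": dict(sorted(by_hour.items())),
    }


def rank_timezones(timestamps_utc, candidates):
    """Rank candidate zones by the share of messages that land in the local
    working day; the best fit is first. Returns [(label, share), ...]."""
    scored = [
        (label, work_hour_profile(timestamps_utc, tz)["work_hour_share"])
        for label, tz in candidates.items()
    ]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for label, share in rank_timezones(SAMPLE_TIMESTAMPS_UTC, CANDIDATE_ZONES):
        print(f"{label:28s} work-hour share = {share:.0%}")
    best = CANDIDATE_ZONES["UTC+8 (China Standard Time)"]
    print(work_hour_profile(SAMPLE_TIMESTAMPS_UTC, best)["by_hour"])
```

The ranking only says which zone best explains the sample; as the article notes, schedules can shift, so this is one signal to weigh alongside infrastructure and tooling overlaps rather than proof of location on its own.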
iSoon's arsenal includes custom malware targeting a range of operating systems (Windows, macOS, Linux, iOS, Android), social media infiltration tools, hardware for physical attacks, and OSINT-driven reconnaissance capabilities. Sources like Mandiant Intelligence corroborate these findings.
Leaked chats expose internal financial pressures, employee complaints about low pay, and a sense of demoralization within the company. This instability could increase security risks on the attacker side and offer potential avenues for counterintelligence efforts.
iSoon's suspected origins in Chengdu, an infamous hub for Chinese hacker-for-hire groups, highlight the city's significance in state-sponsored cyber warfare operations.
Security analysts, including John Hultquist of Mandiant Intelligence, authenticate the leaked data, emphasizing its significance in understanding China's cybersecurity capabilities. The involvement of iSoon, allegedly linked to the Chinese government, reinforces suspicions of state-sponsored cyber espionage.
## Victims – China's Global Espionage Web and India's Critical Role
A leaked spreadsheet verifies at least 80 successful overseas attacks by iSoon. Among these are staggering data breaches, including 95.2 gigabytes of Indian immigration data, 3 terabytes of call logs from South Korean telecom provider LG U Plus, and 459 gigabytes of sensitive Taiwanese mapping data.
On Tuesday, a user on social media platform X who goes by the moniker [Dakota Cary](https://x.com/DakotaInDC?t=8DwfPjPEQvqa_FPZiLvMmw&s=09) raised evidence-based allegations that documents from Chinese cyber agencies had leaked on GitHub.
The user asserted that these documents included data from the EPFO, the Indian PMO, and a range of public and private organizations.
Prominent Indian targets include the Prime Minister's Office (PMO), the Ministry of Finance, the Ministry of External Affairs, and private entities like EPFO, BSNL, Apollo Hospitals, and Air India.
The leaked documentation reveals a shocking capability of the attackers to infiltrate both Android and iOS devices, extracting a treasure trove of sensitive data.
From hardware specifics to GPS coordinates, contact lists, media files, and even live audio recordings, nothing seems beyond their grasp.
Adding to the intrigue, reports suggest the use of discreet gadgets resembling common Chinese portable batteries, deployed to inject malicious code into targeted Android devices over WiFi without the target's awareness.
These breaches pose severe threats to national security and individual privacy, and undermine India's economic competitiveness.
iSoon's tools are used to monitor and suppress minority groups within China and track overseas Chinese communities. This reveals how China leverages cyberwarfare for internal control and the surveillance of perceived dissidents.
Confirmed targets extend beyond India to Vietnam, Indonesia, Nigeria, and others. Even discussions about targeting NATO, while likely complex to execute, showcase the vast scope of China's cyber ambitions and its willingness to consider even heavily defended entities as potential victims.
Analysts have identified intriguing parallels between iSoon and various established Chinese APTs, especially APT41.
According to Adam Meyers, who leads counter adversary operations at CrowdStrike, the group's maneuvers and infrastructure bear a striking resemblance to those attributed to Aquatic Panda (known by aliases like Budworm, Charcoal Typhoon, ControlX, RedHotel, and BRONZE UNIVERSITY).
Within the trove of over 500 leaked documents lies a wealth of material, including promotional content, operational guides, rosters of clients and staff, WeChat exchanges between clients and staff, and a host of other undisclosed files.
## Ecosystem – China's Hacker Marketplace
iSoon is just one player in a complex network of state-backed hackers-for-hire operating with a blend of patriotic and profit-driven motives.
China has pioneered an insidious model, outsourcing hacking operations to private companies. This provides plausible deniability and increased scalability, and encourages innovation through internal competition.
Leaked contracts expose surprisingly low prices for attacks on sensitive targets. This significantly expands the pool of potential victims and amplifies the threat on a global scale.
The lawsuit between iSoon and the indicted group Chengdu 404, along with anecdotes like the "drinking committee," illustrates the blurry lines between rival and cooperating entities within China's state-sanctioned hacking industry.
## Expert Analysis, India's Vulnerability, and Global Response
While definitively proving Chinese government control remains elusive, the cybersecurity community strongly leans towards the iSoon leak exposing another weapon in China's cyber arsenal.
Quotes from leading experts at Mandiant Intelligence and other firms underscore the leak's significance, with insights extending beyond the technical details into China's strategic goals.
Budget models designed to defend against traditional APTs fall short against state-backed entities like iSoon, which undercut legitimate security providers.
Previous cyberattacks on India can now be linked to the scale of operations revealed in the iSoon leak.
India is one among many nations targeted; the leak underscores a global threat. Only through information sharing, coordinated law enforcement efforts, and a united front demanding accountability from China can this onslaught be effectively countered.
Beyond India, China's cyber operations extend to countries like Pakistan, Nepal, and Myanmar, highlighting a broader geopolitical agenda. The theft of data from governmental and institutional entities across various nations underscores China's aggressive cybersecurity strategy.