I-Soon leak reveals inner workings of China cyber attacks

Detailed information on a network of high-expertise, low-cost, web-based operations shows what Beijing wants and the methods used to get it

AFP

I-Soon headquarters, Chengdu, China.

I-Soon leak reveals inner workings of China cyber attacks

Marco Mossad

last update on 07 Mar 2024

After a leak of a series of sensitive documents, detailed insight into how the Chinese government uses the private sector as part of its politically motivated hacking operations at home and abroad has emerged.

The revelations come from information leaked from inside I-Soon — a software company Beijing has hired to provide various services, which range from monitoring ethnic minority groups in China, including the Uighurs, to carrying out intelligence attacks against foreign governments, including India, Thailand, Vietnam, and South Korea.

The leak occurred in February via GitHub — a specialist website for cybersecurity and IT professionals — where they share programming code and the latest network developments.

It provided a rare insight into who is helping Beijing in these efforts and into the activities of key groups affiliated with the Chinese government, groups known in the industry as APTs.

Reports have indicated a link between I-Soon and APT-41, which has targeted various industries such as healthcare, telecommunications, and technology since 2012.

This is the story of how the leak happened, what its revelations mean and what they tell us about the size and scope of the companies involved in a state-of-the-art hacking campaign.

Stolen documents

In mid-January, an individual – who remains anonymous – accessed GitHub using an email address reading “[email protected]”. About a month later, files and documents stolen from I-Soon – which is also known as Anxun Information Technology – were published.

Since then, there has been speculation that the leaker may be a former company employee retaliating for being fired. Such breaches are known in the cybersecurity industry as “insider threats”.

Bloomberg — A display of screens in Danbury, UK, on the day hackers managed to insert malicious code into a product from an IT provider with a customer list of 300,000 organisations. January 7, 2021.

The I-Soon leak revealed that the company was working for Chinese security agencies, including the Ministry of State Security, the Ministry of Public Security, and the People's Liberation Army. For providing sensitive information to Vietnam's Ministry of Economy, it received up to $55,000.

The leaks also show how the Chinese government recruits other individuals and companies. The details show that a local government in a southwestern Chinese province paid about $15,000 to obtain information that allowed them to access Vietnam's road network.

Additionally, Chinese government entities can purchase software for $10,000 that allows them to run campaigns on the popular social media platform X.

These modest amounts are modest, but their significance runs beyond price. I-Soon's activities show what China’s hackers are capable of and how much they cost.

Hackers for hire

In effect, the leaks reveal the development of a new kind of commercial entity in China, providing intelligence services and also seeking to influence public opinion.

I-Soon does not just fulfil government contracts. Its services are also available to private companies. It has the ability to access Windows, Mac, and Android operating systems.

The company also produced a device resembling a portable charger that allows Chinese hackers to transfer the personal data of victims using the device to the company's databases. In addition, the company manufactured devices that can crack Wi-Fi network passwords.

The leak also reveals that smaller companies are involved in government-sponsored hacking.

I-Soon's activities show what China's hackers are capable of and how much they cost.

I-Soon has a workforce of 70 people, including a research unit and a technical support group. However, a significant part of its revenue comes from three operational teams which offer hacking services.

China has used I-Soon to attack government targets in Central and Southeast Asia and the foreign ministries of countries, including India and Nepal.

After extensive research into its operational history, experts found it has been involved in electronic attacks in the Middle East, such as Egypt and Turkey, as well as in Africa, including Nigeria and Rwanda.

The New York Times described I-Soon as part of a contracting system related to China's hacking industry. This system has existed for two decades.

The contracting system between the Chinese government and private companies is not new on the international scene. Iran and Russia have used this method for years, relying on non-governmental entities to attack commercial and political entities at home and abroad.

The newspaper attributed the increase in China's cybersecurity activity to Chinese President Xi Jinping's directives to strengthen the role of government agencies in participating in cyberattacks.

Cyber attacks are no longer under the exclusive jurisdiction of the People's Liberation Army (PLA) but are managed by public security bureaus at the provincial level. Official regional governments in China continue to sponsor and support high-tech cyberattacks against heavily protected targets.

Getty

Suppression of ethnic minorities

The leaks also revealed that the Chinese government uses the contracting system with companies to monitor the situation of ethnic minorities, especially the Uighurs.

China commissioned I-Soon to monitor domestic minorities to help impose political control, as well as to monitor fugitives and political dissidents, including ethnic and minority groups.

Beijing sees these groups as a potential source of political instability in the country.

A Wall Street Journal investigation revealed that China was tracking Uighur dissidents residing in New York and targeting them with propaganda and intelligence campaigns aimed at gathering as much information as possible about them and their future plans.

Beijing sees minorities and marginalised groups as a threat to stability. It uses cyber campaigns as a precise means of targeting them.

The Wall Street Journal's report mentioned groups in Tibet, Hong Kong, and Xinjiang, where a large number of citizens consider themselves non-Chinese.

The Internet Protocol address that was tracked in the leaks was the same address used in an intelligence operation carried out by the Chinese government against Tibetans in 2019, known as Operation Poison Carp.

The leaks reveal the development of a new kind of commercial entity in China, one that provides intelligence services and also seeks to influence public opinion.

I-Soon and APT41

The leaks also reveal that I-Soon is linked to a group called "APT41", formed in 2012 and backed by the state for intelligence operations.

It has planned attacks on the financial, healthcare facilities, telecommunications, and video games.

A network security specialist, Unit 42 of Palo Alto Networks, published a report in February last year stating that the leaked information was connected to previous attacks. Unit 42 identified the malware's infrastructure for I-Soon and the company's involvement in two intelligence campaigns attributed to APT41.

The first campaign in 2019 targeted minorities in Tibet with malware on various operating systems. The second campaign 2022 involved an attack on the supply chain of a technology company in Canada, where attackers installed a malware installer on the company's official website.

In both cases, there were signs of cooperation between the company and the APT41, showing that this behaviour by the Chinese government was, in many cases, intentional and systematic.

Due to the secrecy surrounding the issue, only a few attacks have been disclosed.

This leak begins to shed light on the network of hackers in China, and, more importantly, it links these attacks together to redefine this cybercriminal network and key actors supported by the Chinese government.

+ / -