The I-Soon data leak unveils China's cyber espionage tactics, techniques, procedures, and capabilities.
By Brandon Karpf
Feb 22, 2024

The I-Soon data leak unveils China's cyber espionage tactics, techniques, procedures, and capabilities.

Key Insights about the I-Soon data leak.

  1. Widespread cyber operations. Documents reportedly leaked on GitHub reveal extensive cyber espionage activities conducted by I-Soon, a Chinese cybersecurity vendor, targeting global social media platforms, telecommunications companies, and various government entities.
  2. Advanced hacking tools exposed. The leak details a range of sophisticated hacking tools and services, including malware capable of infiltrating Android and iOS devices, custom Remote Access Trojans (RATs), and devices designed for network attacks.
  3. Connection to Chinese government. Analysis suggests I-Soon operates as an Advanced Persistent Threat (APT)-for-hire, servicing key Chinese government agencies like the Ministry of Public Security, implicating state sponsorship in these cyber operations.
  4. Global impact and diplomatic ramifications. The exposure of these operations has potential implications for international relations, highlighting vulnerabilities in national security across several countries and potentially affecting diplomatic ties.
  5. Concerns over the cybersecurity industry. The leak underscores the competitive and secretive nature of the cybersecurity industry within China, revealing low employee morale and financial pressures that could influence the quality and ethics of cyber operations.

In a significant cybersecurity revelation, documents reportedly leaked on GitHub have exposed the inner workings of I-Soon (also known as Anxun), a Chinese information security company allegedly involved in extensive cyber espionage activities. The documents provide a rare glimpse into China's offensive cyber operations, revealing a sophisticated array of hacking tools and services targeting a wide range of entities, from social media platforms to telecommunications companies and government bodies worldwide.

Detailed analysis of the I-Soon data leak.

The documents include contracts, product manuals, and employee lists, pointing to a comprehensive support system for Beijing's hacking endeavors. I-Soon's tools are notably advanced, featuring malware that can target both Android and iOS devices, obtain sensitive information, and control the devices remotely. Custom Remote Access Trojans (RATs) for Windows, capable of managing processes and logging keystrokes, among other functions, were also detailed. These tools demonstrate I-Soon's capability to infiltrate various systems, undetected.

Hacking tools and capabilities.

The documents uncovered in the leak describe a sophisticated arsenal of cyber weapons developed, deployed, and managed by I-Soon. Among these, several tools and capabilities warrant special attention.

  • Twitter (now X) stealer. This tool allegedly has the ability to obtain a user's Twitter email and phone number, monitor activities in real-time, read personal messages, and even publish tweets on behalf of the user.
  • Custom Remote Access Trojans (RATs) for Windows. These RATs are designed with comprehensive control features including process, service, and registry management, alongside capabilities for keylogging, file access logging, and remote system information retrieval. The inclusion of a remote shell tool and the ability to disconnect or uninstall remotely reveal a high degree of control over compromised systems.
  • Mobile device exploitation. The leak details exploitation tools for both iOS and Android platforms, claiming the iOS RAT can operate without jailbreaking the device and the Android version can elevate system app privileges for persistence. The ability to dump messages from popular messaging apps and execute real-time audio recordings illustrates a significant privacy intrusion potential.
  • Network penetration devices. Portable devices designed to attack networks from within, disguised as common electronics, point to a physical component in I-Soon's cyber operations. These devices are capable of deploying malware against targeted Android phones via WiFi.

Targeting and impact.

The leak not only sheds light on the tools but also on the breadth of I-Soon's operations. Targets span across continents and sectors, implicating telecommunications firms, government departments, and even educational institutions in countries including India, Thailand, Vietnam, South Korea, and NATO members. This widespread targeting strategy highlights a concerted effort to infiltrate a variety of strategic and potentially lucrative targets for intelligence gathering.

Operational insights.

The operational details emerging from the leak provide a rare glimpse into the inner workings of a cyber espionage campaign. The documents outline a structured approach to cyber operations, from targeted penetration testing frameworks to specialized equipment for operatives working abroad.

Financial and human aspect.

Interestingly, the leak also exposed the financial and human aspects of I-Soon's operations. From the pricing models for espionage services to employee salaries and workplace grievances, these details paint a picture of the economic and social dynamics within the world of APT-for-hire groups. The low compensation for employees, juxtaposed with the high stakes and sophistication of their work, raises questions about the sustainability of such operations, as well as potential pressure points to degrade such operations and capabilities through human factors and targeted outreach.

The role of I-SOON in China's cyber operations.

Analyses of the documents suggest that I-Soon functions as an APT-for-hire, working with China's Ministry of Public Security (MPS) and possibly other state agencies. This collaboration aligns with Beijing's increasingly aggressive cyber espionage strategies. The leaked documents not only reveal the technical aspects of these operations but also shed light on the human element within I-Soon.

Strategic integration with state agencies.

The documents illustrate a deep-seated collaboration with several of China's key security and intelligence agencies, including MPS and possibly the Ministry of State Security (MSS) and the People’s Liberation Army (PLA). This collaboration points to a strategic approach where private entities like I-Soon are integral parts of the state's cyber espionage and cyber warfare capabilities.

  • APT-for-Hire services. I-Soon's role extends beyond that of a mere vendor; it acts as an APT-for-hire, undertaking operations that directly align with the strategic interests and directives of Chinese governmental agencies. This partnership indicates a reliance on private sector agility and innovation to fulfill state-sponsored cyber operations.
  • Operational diversity. The diversity in I-Soon's operational capabilities, from social media infiltration to penetrating secure government networks, reflects the comprehensive nature of China's cyber operations. I-Soon's work is not just supportive but foundational to the broader objectives of Chinese cyber espionage, offering a blend of technical prowess and operational versatility.

Contribution to cyber espionage ecosystem.

The documents shed light on the sophisticated ecosystem of cyber espionage cultivated by China, with contractors like I-Soon playing pivotal roles. This ecosystem thrives on the seamless integration of various elements.

  • Tool development and deployment. I-Soon contributes by developing and deploying a range of cyber espionage tools, showcasing significant technical expertise and innovation. These tools are tailored to meet the evolving demands of cyber warfare and intelligence gathering, enabling deep penetration and long-term surveillance of targeted entities.
  • Intelligence gathering and processing. Beyond tool development, I-Soon's involvement in processing and analyzing gathered intelligence suggests a deeper level of operational integration. This role is crucial in translating raw data into actionable insights, thereby directly supporting China's strategic intelligence objectives.

Implications for global cybersecurity and diplomacy.

The revelation of these documents is poised to have far-reaching implications. It highlights significant vulnerabilities in the cybersecurity defenses of targeted nations and organizations, potentially straining diplomatic relations. The leak also illustrates the competitive and pressure-laden environment of China's cybersecurity industry, which could impact the ethical and operational standards of cyber operations.

  • Targeting scope and geopolitical ramifications. The broad and diverse targeting by I-Soon, spanning across national governments, international organizations, and critical infrastructure, underscores the global reach and impact of China's cyber espionage activities. This extensive targeting can strain diplomatic relations and contribute to an escalating cycle of cyber conflict.
  • Evolving cyber threat landscape. I-Soon's cutting-edge tools and methodologies highlight the evolving nature of cyber threats. The sophistication and effectiveness of these tools necessitate a reevaluation of current cybersecurity defenses and strategies, particularly for nations and organizations in the crosshairs of such operations.

Diplomatic strains and international norms.

The exposure of I-Soon's cyber operations has the potential to exacerbate tensions between China and the countries targeted by these operations.

  • Erosion of trust. The covert nature of these operations, particularly when tied to a government, can erode trust between nations. This mistrust complicates diplomatic efforts, trade relations, and international collaborations on a wide range of issues.
  • Calls for accountability and norms. There may be increased calls for accountability and the establishment of clearer norms governing state behavior in cyberspace. International bodies and agreements, such as the United Nations Group of Governmental Experts (UNGGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, may see renewed focus and urgency in their efforts to establish and enforce rules of engagement in cyberspace.

Strategic implications and future relations.

The strategic implications of the I-Soon leak extend beyond immediate cybersecurity concerns, potentially influencing the future course of international relations.

  • Cyber arms race. The detailed insight into China's cyber capabilities might prompt other nations to accelerate their own cyber offensive and defensive developments, potentially leading to a cyber arms race. Such a scenario could divert resources from other critical areas and increase the likelihood of cyber conflicts.
  • Influence on global governance. The international response to these revelations could shape the future of global cyber governance. Efforts to create a more robust international legal framework for cyberspace may gain momentum, influencing how nations engage in cyber operations and manage cyber conflicts.

Additional sources on the I-Soon data leak.

  1. (SentinelOne) https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/
  2. (The Register) https://www.theregister.com/2024/02/22/i_soon_china_infosec_leak/
  3. (Malwarebytes) https://www.malwarebytes.com/blog/news/2024/02/a-first-analysis-of-the-i-soon-data-leak
  4. (CyberScoop) https://cyberscoop.com/isoon-chinese-apt-contractor-leak/
  5. (NY Times) https://www.nytimes.com/2024/02/22/business/china-hack-leak-isoon.html
  6. (Krebs on Security) https://krebsonsecurity.com/2024/02/new-leak-shows-business-side-of-chinas-apt-menace/