over the weekendsomeone posted a cache of files and documents that appeared to be stolen from Chinese government hacking contractor I-Soon.
The leak gave cybersecurity researchers and hostile governments an unprecedented opportunity to peer behind the scenes at a Chinese government hacking operation facilitated by private contractors.
Similar to the hack-and-leak operation that targeted Italian spyware maker Hacking Team in 2015, the I-Soon leak includes company documents and internal communications, and reveals that I-Soon has been linked to India, Kazakhstan, India, and Kazakhstan. , indicating that it is suspected of being involved in hacking of Indian companies and government agencies. Malaysia, Pakistan, Taiwan, Thailand etc.
The leaked files were posted to code-sharing site GitHub on Friday. Since then, observers of Chinese hacking activity have been eagerly viewing the files.
“This represents the most significant data breach involving a company suspected of providing cyber espionage and targeted intrusion services to Chinese security services,” said John, threat intelligence analyst at cybersecurity firm Recorded Future.・Mr. Condra stated.
For John Hultquist, chief analyst at Google's Mandiant, the breach is “small in scope, but deep-rooted.” “Rarely do we have such unfettered access to the inner workings of an intelligence operation.”
“This breach is the first to reveal the inner workings of a nation-state hacking contractor,” Dakota Carey, an analyst at cybersecurity firm Sentinel One, wrote in a blog post.
Mathieu Tartare, a malware researcher at ESET, also said the breach “could help link some of the breaches observed by threat intelligence analysts to I-Soon.”
One of the first people to investigate the breach was a threat intelligence researcher from Taiwan known as Azaka. On Sunday, Azaka posted a long thread on X (formerly Twitter) in which he analyzed some documents and files, which appear to date back to 2022. Researchers highlighted spy software developed by I-Soon for Windows, Mac, iPhone, and Android devices. It also includes hardware hacking devices designed to be used in real-world situations that can crack Wi-Fi passwords, track Wi-Fi devices, and jam Wi-Fi signals. will appear.
I-Soon's “WiFi Near Field Attack System” is a device that hacks Wi-Fi networks disguised as an external battery. (screenshot: Azaka)
“We researchers have finally confirmed that this is how things work over there, and that APT groups work pretty much like all of us regular workers ( “The scale is pretty large, and there's a lucrative market for compromising large government networks.” Azaka told TechCrunch. APT (Advanced Persistent Threat) is a hacking group that usually has government support.
According to researchers' analysis, the documents show that Yisun served in China's Ministry of Public Security, Ministry of State Security, and China's Army and Navy. I-Soon also markets and sells its services to local law enforcement agencies across China to target ethnic minorities such as Tibetans and Uyghurs, a Muslim community living in western China's Xinjiang Uighur Autonomous Region. did.
This document connects I-Soon and APT41. APT41 is a Chinese government hacking group that has reportedly been active since 2012 and targets organizations across a variety of industries in the healthcare, communications, technology, and video game industries around the world.
The IP addresses found in the I-Soon leak also hosted phishing sites that digital rights organization Citizen Lab saw used against Tibetans in a 2019 hacking campaign. At the time, Citizen Lab researchers named the hacker group “Poison Carp.”
Like Azaka and others, they also discovered chat logs between Yisun employees and management, in which employees talked about gambling, a popular Chinese tile-based game. Some of the content was very mundane, such as playing mahjong.
Carey highlighted documents and chats showing how much or how little Isun employees were paid.
inquiry
Do you know more about I-Soon and the Chinese government hack? Securely contact Lorenzo Franceschi-Bicchierai from your non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb or email You can contact me. You can also contact TechCrunch via SecureDrop.
“They are receiving $55,000.” [US] — $2,024 — that’s not a lot of money for a target like that to hack Vietnam’s Ministry of Economy,” Carey told TechCrunch. “It makes you think about how low-cost it is for China to conduct operations against high-value targets. And what does that say about the nature of the organization's security?”
What the leak shows, Carey said, is that researchers and cybersecurity companies need to carefully consider the potential future actions of mercenary hacker groups based on past activity. .
“This shows that a threat actor's previous targeting behavior, especially when they are Chinese government contractors, is not indicative of future targets,” Carey said. “So it's not helpful to look at this organization and think, 'Oh, they just hacked the healthcare industry, or they hacked X, Y, and Z industries, and they hacked these countries.' what is it responding to? [government] Requested by the agency. And those agencies may request something different. They may get deals with new bureaus and new locations. ”
The Chinese embassy in Washington, D.C., did not respond to a request for comment.
An email sent to I-Soon's support inbox went unanswered. Two anonymous I-Soon employees told The Associated Press that the company held a meeting on Wednesday and advised employees that the breach would not impact business and to “continue to operate as usual.” He said that he told him.
At this time, there is no information about who posted the leaked documents or files, and GitHub recently removed the leaked cache from its platform. However, several researchers agree that the accounts are more likely to come from disgruntled current or former employees.
“The people who put this leak together created a table of contents. And what the leak is about is employees complaining about low pay and the company's financial situation,” Cary said. “This leak is structured to embarrass the company.”