News
Unmasking I-Soon - The leak that revealed China’s cyber operations
February 2024 by SentinelLabs
I-Soon, a company that contracts for many PRC agencies – including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army – was subject to a data leak over the weekend of 16th February 2024. It is not known who pilfered the information nor their motives, but this leak provides a first-of-its-kind look at the internal operations of a state-affiliated hacking contractor. The authenticity of the documents is still undecided. While the leak’s contents do confirm public threat intelligence, efforts to corroborate further the documents are ongoing.
The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem. It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.
I-Soon – whose employees complain about low pay and gamble over mahjong in the office–appears to be responsible for the compromise of at least 14 governments, pro-democracy organisations in Hong Kong, universities, and NATO. The leaked documents align with previous threat intel on several named threat groups.
Victim data and targeting lists, as well as names of the clients who requested them, show a company who competes for low-value hacking contracts from many government agencies. The finding indicates that historical targeting information from Advanced Persistent Threats thought to be PRC contractors does not provide strong guidance on future targets.
Machine translation enabled the rapid consumption of leaked data. These tools broadened the initial analysis of the information beyond seasoned Chinese experts with specialised language skills and technical knowledge. This has enabled many more analysts to scan the leaked information and quickly extract and socialise findings. As researchers dig into the voluminous information, domain expertise will be required to understand the complex relationships and implicit patterns between the relevant organisations, companies, and individuals. One upshot is that geographically specialised analysis will continue to provide distinct value, but the barrier to entry is much lower.
Conclusion
The leaked documents offer the threat intelligence community a unique opportunity to reevaluate past attribution efforts and gain a deeper understanding of the complex Chinese threat landscape. This evaluation is essential for keeping up with a complex threat landscape and improving defence strategies.
Extensive sharing of malware and infrastructure management processes between groups makes high-confidence clustering difficult. As demonstrated by the leaked documents, third-party contractors play a significant role in facilitating and executing many of China’s offensive operations in the cyber domain.
For defenders and business leaders, the lesson is plain and uncomfortable. Your organisation’s threat model likely includes underpaid technical experts making a fraction of the value they may pilfer from your organisation. This should be a wake-up call and a call to action.
