Uncovering the Intriguing World of Chinese Government Hacking: Inside the Revolutionary Spyware Leak

Over the weekend, someone posted a cache of files and documents apparently stolen from the Chinese government hacking contractor I-Soon. The leak gives cybersecurity researchers and rival governments an unprecedented chance to look behind the curtain of Chinese government hacking operations run through private contractors, and observers of Chinese hacking operations have been feverishly poring over the files ever since. Among the findings: an IP address in the I-Soon leak hosted a phishing site that the digital rights organization Citizen Lab saw used against Tibetans in a 2019 hacking campaign, and documents and chats highlighted by analyst Dakota Cary show how much, or how little, I-Soon employees are paid.

Over the weekend, a highly coveted collection of files and documents, believed to have been obtained from the Chinese government’s contracted hacking firm I-Soon, was released to the public.

This leak presents an unprecedented opportunity for those in the cybersecurity field and rival governments to gain insight into the inner workings of Chinese government hacking operations, which are often facilitated by private contractors.

Similar to the infamous hack-and-leak of Italian spyware maker Hacking Team in 2015, the collection known as the ‘I-Soon leak’ contains internal company documents and communications that allegedly reveal I-Soon’s involvement in hacking various companies and government agencies across India, Kazakhstan, Malaysia, Pakistan, Taiwan, and Thailand, among others.

These leaked files were posted on the code-sharing platform GitHub last Friday, and since then, cybersecurity experts have been thoroughly examining their contents.

According to Jon Condra, a threat intelligence analyst at Recorded Future, this is “the most significant leak of data related to a company suspected of providing cyber espionage and targeted intrusion services for the Chinese security services.”

For John Hultquist, chief analyst at Google-owned Mandiant, the leak may be “narrow, but it is deep,” as it provides unprecedented access to the inner workings of an intelligence operation.

Dakota Cary, an analyst at cybersecurity firm SentinelOne, writes in a blog post that the leak offers “a first-of-its-kind glimpse into the internal operations of a state-affiliated hacking contractor.”

Similarly, ESET malware researcher Matthieu Tartare believes that the leak “could assist threat intelligence analysts in connecting past observations to I-Soon.”

One of the first individuals to analyze the leak was a Taiwanese threat intelligence researcher who goes by the name Azaka. In a lengthy thread posted on social media platform X, formerly Twitter, Azaka provided an in-depth analysis of some of the documents and files, many of which are dated as recently as 2022.

The researcher highlighted various spying software created by I-Soon for Windows, macOS, iPhones, and Android devices, as well as hardware hacking devices designed for real-world use, such as cracking Wi-Fi passwords, tracking Wi-Fi devices, and disrupting Wi-Fi signals.

Azaka tells TechCrunch, “Finally, us researchers have confirmation of how things operate within this realm and how APT groups, like regular workers, are underpaid.”

The leaked documents reveal that I-Soon had ties to China’s Ministry of Public Security, the Ministry of State Security, and the Chinese army and navy. They also show that I-Soon pitched and sold their services to various local law enforcement agencies across China, targeting minorities such as Tibetans and the Uyghur community, a Muslim group located in the Chinese western region of Xinjiang.

The leaked files also link I-Soon to APT41, a Chinese government hacking group that has reportedly been active since 2012 and has targeted organizations in various industries, including healthcare, telecommunications, technology, and video games, around the world.

Furthermore, it was discovered that an IP address found in the I-Soon leak was used in a phishing attack against Tibetans in 2019, which the digital rights organization Citizen Lab named “Poison Carp.”

In addition to this information, Azaka and others found chat logs between I-Soon employees and management, some of which were mundane, covering topics such as gambling and the popular Chinese board game mahjong.

Cary highlights documents and chats that shed light on the low-paying salaries of I-Soon employees.

Cary says, “They’re earning $55,000 USD – in today’s value – for hacking Vietnam’s Ministry of the Economy. That’s not a significant amount of money for such a high-level target. It makes me wonder about the cost-effectiveness of China’s operations against high-value targets and what this says about the security of the organization.”

Cary also believes that this leak serves as a warning for researchers and cybersecurity firms to not base their assessments of mercenary hacking groups solely on their past behavior.

“It shows that the previous targets of a threat actor, particularly those contracted by the Chinese government, do not necessarily reflect their future targets,” says Cary. “Therefore, it is not useful to assume that this organization only targets the healthcare industry, specific industries or countries. They are responding to the demands of these government agencies, which may vary depending on their clients.”

When asked for comment, the Chinese Embassy in Washington D.C. did not respond.

An email sent to I-Soon’s support inbox went unanswered. However, two anonymous I-Soon employees told the Associated Press that the company held a meeting with its staff on Wednesday and reassured them that the leak would not have a significant impact on their business.

At this time, there is no information available on who released the leaked documents and files, and GitHub has since removed them from its platform. However, many researchers believe that a disgruntled current or former employee is the likely source.

“The individual(s) responsible for this leak provided a table of contents. The contents of the leak consist of employees’ complaints about their low salaries and the company’s financial situation,” explains Cary. “The structure of the leak indicates an attempt to embarrass the company.”

If you have any information about I-Soon or Chinese government-backed hacks, you can reach out to Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire at @lorenzofb, or via email. Alternatively, you can reach out to TechCrunch via SecureDrop.

Kira Kim

Kira Kim is a science journalist with a background in biology and a passion for environmental issues. She is known for her clear and concise writing, as well as her ability to bring complex scientific concepts to life for a general audience.
