A series of leaked documents revealed that the Chinese government is working with private sector hackers to spy on foreign governments and companies, domestic dissidents, ethnic minorities and more.
On February 16, an anonymous individual with unknown motives pulled back the curtain on Anxun Information Technology, also known as iSoon, a Shanghai-based company best known externally for providing cybersecurity training.
Behind the scenes, it appears, the company is a hacking operation serving government agencies in the People’s Republic of China (PRC), including the Ministry of Public Security, the Ministry of State Security, and the People’s Liberation Army (PLA).
Analysts have identified overlaps between iSoon and several known Chinese APTs. Adam Meyers, head of counter-adversary operations at CrowdStrike, tells Dark Reading that the group specifically partners with Aquatic Panda (aka Budworm, Charcoal Typhoon, ControlX, RedHotel, BRONZE UNIVERSITY).
The more than 500 leaked documents include marketing materials, product manuals, customer and employee lists, WeChat instant messages between customers and employees, and much more. Analysts are still reviewing (and confirming) the material, which, taken as a whole, begins to paint a picture of the Chinese state’s primary goals and objectives in cyberspace.
Who iSoon is hacking
iSoon’s targets include domestic ones, such as pro-democracy organizations in Hong Kong and members of ethnic minorities, such as the Uyghurs of China’s Xinjiang region.
Its foreign targets spanned agencies of at least 14 governments – in Vietnam alone, for example, the Ministry of Internal Affairs, the Ministry of Economy, the Government Statistics Office and the Traffic Control Police – and perhaps (not yet confirmed) the North Atlantic Treaty Organization (NATO).
It also hacked into private organizations across Asia, from gambling companies to airlines to telecommunications carriers.
According to Dakota Cary, a SentinelOne consultant and non-resident fellow at the Atlantic Council’s Global China Hub, there is an important lesson to be learned from the wide range of targets hit by this hack-for-hire outfit.
“Their previous targeting history should not be indicative of future interest,” he says, “because they are competing for bids in a market with many interested parties. At any time their demand signal could change based on who is soliciting their activity, and for this reason we should not rely excessively on past activity as an indicator of future performance.”
Bargain rates for government intrusions
Documents leaked over the weekend also reveal the wide range of rates the Chinese government pays iSoon for access to its victims.
Accessing the private website of the Vietnam traffic police, for example, resulted in a bill of $15,000, while the Ministry of Economy’s data was billed at $55,000. According to the New York Times, some personal information collected from social media accounts was worth up to $278,000 to the government, which has long been known to target individual opponents of the ruling party.
“Price is a really interesting indicator of market maturity,” Cary believes, particularly when contrasted with the prices commanded in the vulnerability market.
“It certainly says something about the offering that the contract rate for hacking into the Vietnamese Ministry of Economic Affairs is $55,000. There are a number of suppliers in this market of hackers and contractors, so much so that $55,000 is enough to get a company to go out and do these missions,” he says.
Lots of news, but nothing changes
iSoon sports a colorful arsenal of malicious tools: a Twitter infostealer, pen testing tools, and more sophisticated hardware devices, including special battery packs and a device designed to look like a power bank, both of which serve to exfiltrate information from a victim’s network back to the hackers.
Most of what it uses, however, is malware already known within the Chinese APT ecosystem, such as the Winnti backdoor and the long-lived PlugX Remote Access Trojan (RAT).
“There really isn’t much, from a big-picture perspective, that we didn’t know before,” Meyers says. For him, the most interesting aspect of the leaks was the behind-the-scenes shenanigans: employee complaints about low pay, gambling on office mahjong, and the like. “It’s really nice to see, but it won’t change anything about what we do every day.”
Hey boss
What happens?
Playing Mahjong 🀄️
At the office?
What, we can’t play in the office for money? Boss Li is cleaning up thousands of RMB, join us
pic.twitter.com/7VgOqVg22o
— Dakota Cary (@DakotaInDC) February 19, 2024
For Cary, the bottom line is how cheaply some organizations can be compromised in the cyber-espionage market.
“The bar can’t be that low for your organization, especially when you consider how much companies spend on salaries, equipment, etc.,” he says. “You want the person who has a contract with your company to have to pay a million dollars, to be as high as possible.”
“The key lesson is: If they can go after a government ministry for $55,000, what do you think your price will be?” he asks.