Unmasking I-Soon: The Leak That Revealed China’s Cyber Operations


In a seismic shift to our understanding of cyber espionage, the recent exposure of I-Soon, a Shanghai-based hacking contractor for the People’s Republic of China (PRC), sheds unprecedented light on the intricate web of cyber operations undertaken by state-affiliated entities. I-Soon, involved in various capacities with the Ministry of Public Security, the Ministry of State Security, and the People’s Liberation Army, was recently thrust into the spotlight following a substantial data leak that divulged a trove of sensitive information regarding its operations, client list, and internal dynamics.

This exposé, derived from the comprehensive analyses available through SentinelOne, The Cyberwire, Lawfare, China Digital Times, and The Stack, reveals not just the technical prowess but also the operational, financial, and human aspects of a shadowy industry that operates at the behest of national interests and intelligence gathering.

Key points from the leak include:

  • Insight into China’s Cyber Espionage Ecosystem: The leaked documents shed light on the evolving landscape of China’s cyber espionage activities, showcasing how government directives drive a competitive market of independent contractor hackers-for-hire.
  • Activities of I-Soon: The leaked documents implicate I-Soon in compromising at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO. This aligns with previous threat intelligence on various threat groups.
  • Low-Value Hacking Contracts: I-Soon appears to compete for low-value hacking contracts from multiple government agencies, as evidenced by victim data, targeting lists, and client names included in the leak. This challenges the notion that historical targeting information provides strong guidance on future targets.
  • Accessibility of Leaked Information: Machine translation tools have facilitated the rapid analysis of the leaked data, enabling a broader pool of analysts to extract and disseminate findings. However, understanding the intricate relationships and implicit patterns within the data necessitates domain expertise.

Executive Summary

On February 16, 2024, a significant data breach rocked the cybersecurity landscape when undisclosed individuals uploaded a trove of sensitive data to GitHub. This data encompassed purported internal communications, sales-related materials, and product manuals allegedly belonging to the prominent Chinese IT security services company i-Soon, also recognized as Anxun Information Technology. The leaked documents shed light on the intricate workings of a commercial entity purportedly involved in the development and provision of cyber espionage tools in support of Chinese-affiliated threat actors. Initial scrutiny by Unit 42 uncovered compelling links between the leaked data and preceding Chinese-affiliated advanced persistent threat (APT) campaigns. With high confidence, Unit 42 affirms the authenticity of the leaked materials.

For instance, revelations within the leaked documents suggest that i-Soon was actively marketing the development and deployment of cyber espionage tools. Through meticulous analysis of the leaked data, Unit 42 has identified infrastructure ostensibly controlled by threat actors and potential malware strains associated with past reporting on Chinese threat actors. Given the scale and implications of this data breach, this report aims to provide an initial analysis and highlight key discoveries, with the expectation of further revelations in the future. Although GitHub has since removed the original repository hosting the leaked data due to violations of its terms of service, researchers remain committed to exploring the insights initially shared.

Drawing from our current understanding of the data leak, customers stand to benefit from heightened protection offered by Palo Alto Networks security products against the tools and methodologies employed by the Chinese threat actors discussed herein.

Detailed Analysis

The leaked data unveiled a comprehensive array of materials purportedly originating from i-Soon, a company deeply embedded in China’s IT security landscape. Among the disclosed documents were internal communications, sales strategies, and technical manuals, offering unprecedented visibility into the company’s operations.

Unit 42, Palo Alto Networks’ threat intelligence team, swiftly initiated an investigation into the leaked data. Notably, they discerned compelling overlaps between the leaked information and prior instances of cyber espionage attributed to Chinese-affiliated threat actors. This linkage lent credence to the authenticity of the leaked materials, bolstering the significance of the breach.

One notable revelation from the leaked documents is the apparent marketing efforts undertaken by i-Soon to promote cyber espionage tools. This includes strategies for the development, distribution, and utilization of sophisticated malware designed to infiltrate target networks, gather intelligence, and potentially disrupt operations.

Furthermore, Unit 42’s analysis uncovered traces of actor-owned infrastructure within the leaked data, suggesting a coordinated effort to orchestrate cyber attacks. Additionally, they identified potential malware strains with ties to historic reporting on Chinese threat actors, implicating i-Soon in the proliferation of malicious tools.

The removal of the GitHub repository hosting the leaked data underscores the gravity of the situation, indicating a swift response from platform administrators to mitigate further dissemination. Nonetheless, researchers remain committed to unraveling the insights gleaned from the initial disclosure, recognizing the enduring significance of the breach.

In response to these revelations, Palo Alto Networks underscores the importance of leveraging their security products to fortify defenses against the tactics and techniques employed by Chinese threat actors. By leveraging advanced threat detection and prevention capabilities, customers can bolster their resilience against evolving cyber threats emanating from state-sponsored entities.

Unit 42 – Technical Analysis

Text on the GitHub repository claims that i-Soon has targeted the governments of India, Thailand, Vietnam and South Korea, as well as the intergovernmental organization NATO. We continue to analyze the leaked data to verify these claims.

The GitHub repository contains a mixture of online chat conversations, screenshots and probable victim data, as well as sales- and support-related documents. The text conversations dated between November 2018 and January 2023, and they involve 37 unique usernames.

The conversations range from general conversation and workplace issues to talking about targets, software vulnerabilities and customers.

Figure 1 graphs the text communications observed between the members of i-Soon, showing relationships between employees and the volume of messages between them. (Specific user names and given names have been redacted.)

Image 1 is a relationship diagram of employees and message volume. Blue icons represent people with their user names underneath. Arrows connect these users with each other. Numbers along the arrows indicate the number of messages. Usernames have been redacted.
Figure 1. Visualization of i-Soon’s leaked online chats (specific user names redacted).

Links to Previous Threat Intelligence Reporting

Unit 42 has found links in the leaked i-Soon text message conversations to two previously reported campaigns attributed to Chinese advanced persistent threat (APT) groups.

Campaign 1: 2022 Supply Chain Attack

In September 2022, Trend Micro reported about a supply chain attack on the Canadian software company Comm100. The attackers trojanized the installer for Comm100’s chat-based customer engagement application hosted on their official website. When we looked through the i-Soon data leak, we found indications that i-Soon was involved in that attack.

Table 1 includes an excerpt taken from a conversation between two members of i-Soon where they claim IP address 8.218.67[.]52 is their server.

2022-06-13 7:39:19wxid_c9xxxxxxxxxxxxwxid_zbxxxxxxxxxxxx扬州那边问个人pc的通道[A person or organization from Yangzhou] wants to ask for or request access to a PC channel that belongs to a specific individual. 
2022-06-13 7:39:21wxid_c9xxxxxxxxxxxxwxid_zbxxxxxxxxxxxx[捂脸][emoji suggesting embarrassment or sorry to bother you]
2022-06-13 7:39:23wxid_c9xxxxxxxxxxxxwxid_zbxxxxxxxxxxxx现在能给不Can you give it now?
2022-06-13 7:40:26wxid_zbxxxxxxxxxxxxwxid_c9xxxxxxxxxxxx【彩宝贝】【代理】8.218.67[.]52:27011【TCP隧道】8.218.67[.]52:17011【账号】admin【密码】88888888【Gambling or lottery site】【Proxy】8.218.67[.]52:27011【TCP Tunnel】 8.218.67[.]52:17011【account】admin【password】88888888
2022-06-13 7:40:34wxid_c9xxxxxxxxxxxxwxid_zbxxxxxxxxxxxx嗯嗯Uh-huh
2022-06-13 7:40:37wxid_c9xxxxxxxxxxxxwxid_zbxxxxxxxxxxxx我日[Expletive]
2022-06-13 7:40:54wxid_c9xxxxxxxxxxxxwxid_zbxxxxxxxxxxxx这个服务器在香港的This server is in Hong Kong
2022-06-13 7:41:06wxid_zbxxxxxxxxxxxxwxid_c9xxxxxxxxxxxx你不管You don’t need to worry about it
2022-06-13 7:41:07wxid_c9xxxxxxxxxxxxwxid_zbxxxxxxxxxxxx<ahref=’068f70a1-1ff9-451 b-999e-2569860fd348.md’>domain_access_r esult(1).csv</a>
2022-06-13 7:41:11wxid_c9xxxxxxxxxxxxwxid_zbxxxxxxxxxxxxUm
2022-06-13 7:41:14wxid_zbxxxxxxxxxxxxwxid_c9xxxxxxxxxxxx这个服务器是我们的This server is ours

Table 1. Transcript of conversation between i-Soon members about IP address 8.218.67[.]52.

On June 17, 2022, days after the above conversation occurred, the IP address 8.218.67[.]52 served a Linux ELF file with the SHA256 of db4497090a94d0189aa3c3f4fcee30d5381453ec5aa38962e2ca971074b74e8b. The file was served from the URL hxxp[://]8.218.67[.]52/js/xxx.jpg. When executed, the file attempts to contact the domain unix.s3amazonbucket[.]com (which is not a legitimate Amazon domain).

The Trend Micro report also mentioned that another subdomain of s3amazonbucket[.]com (analyaze.s3amazonbucket[.]com) was used as a command and control (C2) server for the trojanized installers.

Given the domain s3amazonbucket[.]com was likely under the control of i-Soon, Unit 42 assesses with moderate confidence that a group of hackers within i-Soon was involved in the supply chain attack on Comm100.

Campaign 2: 2019 Poison Carp Attack

In September 2019, Citizen Lab reported on attackers targeting Tibetan groups via multiple iOS and Android exploits. Citizen Lab attributed the attack to the Chinese threat group they track as POISON CARP. The report references domains that were tied to an IP address that we found references to in this data leak.

The IP address 74.120.172[.]10 was associated with the domain mailteso[.]online between Sept. 22, 2020, and Feb. 20, 2024, and mailnotes[.]online between Aug. 7, 2021, and July 12, 2022.

Table 2 outlines the conversation between i-Soon employees about IP address 74.120.172[.]10.

2023-01-09 02:28:14wxid_hlxxxxxxxxxxxxwxid_12xxxxxxxxxxxx等一下 平台有点问题Wait, there are some issues with the platform
2023-01-09 02:28:18wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx好的OK
2023-01-09 02:36:19wxid_hlxxxxxxxxxxxxwxid_12xxxxxxxxxxxxhxxps[://]74.120.172[.]10:10092/home
2023-01-09 02:36:25wxid_hlxxxxxxxxxxxxwxid_12xxxxxxxxxxxxaccess OrFRXV LZtestUser lzqzmp@123
2023-01-09 02:43:51wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx演示视屏发一个Send over a demo video
2023-01-09 02:44:06wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx这个资料都不用给了No need to give this information
2023-01-09 02:44:09wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx[呲牙][Grinning emoji]
2023-01-09 02:44:20wxid_hlxxxxxxxxxxxxwxid_12xxxxxxxxxxxx这是微软的试用版This is the trial version of the Microsoft [tool]
2023-01-09 02:44:33wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx恩,我看到了I saw it
2023-01-09 02:44:51wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx微软的演示视频有吗Do you have a demo video [for Microsoft Windows tool]?
2023-01-09 02:44:58wxid_hlxxxxxxxxxxxxwxid_12xxxxxxxxxxxx我问下Let me ask
2023-01-09 02:48:54wxid_hlxxxxxxxxxxxxwxid_12xxxxxxxxxxxx<ahref=’12cef436-c870-4e0e-b36c-ae2a4e839f79.md’>微软邮件密取平台.7z</a><ahref=’12cef436-C870-4E0E-B36C-AE2A4 E839F79.MD’>Microsoft Mail Secret Platform .7z</a>
2023-01-09 02:52:01wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx是不是你们视频错了啊Is your video wrong?
2023-01-09 02:52:03wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx我打不开I can not open it
2023-01-09 02:55:53wxid_hlxxxxxxxxxxxxwxid_12xxxxxxxxxxxx嗯?Huh?
2023-01-09 02:55:56wxid_hlxxxxxxxxxxxxwxid_12xxxxxxxxxxxx解压就行了呀Just decompress it
2023-01-09 02:56:36wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx估计是我没看视屏的I guess I didn’t watch the video
2023-01-09 03:01:26wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxx还有安卓的远控Also the Android RAT
2023-01-09 03:02:07wxid_hlxxxxxxxxxxxxwxid_12xxxxxxxxxxxx安卓稍等一下 有点问题Wait, there’s some issues with the Android one
2023-01-09 03:02:26wxid_12xxxxxxxxxxxxwxid_hlxxxxxxxxxxxxok

Table 2. Transcript of conversation between i-Soon employees about IP address 74.120.172[.]10.

At the time of Citizen Lab publication, mailnotes[.]online was associated with IP address 207.246.101[.]169, which was concurrently associated with the domain gmail.isooncloud[.]com.

Links to Known Chinese Intrusion Sets

The data leaks include manuals and whitepapers for various software tools. Of particular importance, these tools include software previously attributed to Chinese APT groups.

We do not currently know whether i-Soon were developers, resellers or even simply end users of these tools. However, the leaked documents help confirm previous reporting that multiple China-attributed threat actor groups often use the same, likely commercialized, malware tool sets.

One document contains a footer that translates to “Anxun Information Technology Co., Ltd.” and appears to be a product manual for a range of software tools sold by i-Soon. These tools include remote control management systems for Windows, Mac, iOS, Android and Linux.

The Linux remote control management software shown in Figure 2 is notable because the screenshot provided in the document to help explain the tool’s functionality shows the malware control panel is named “Treadstone.” The 2019 U.S. grand jury indictment of three Chengdu 404 employees directly references Treadstone.

Image 2 is a screenshot of the malware Treadstone’s control panel. Two red boxes highlight the host information and a group name. The language in the screenshot is a mix of English and Chinese characters.
Figure 2. Screenshot of the Treadstone Linux malware control panel from a leaked product manual.

The indictment claims the Treadstone malware controller software “was designed to work with Winnti malware which, at the time, was used only by a small group of hackers.” Given reporting from October 2023 of Chengdu 404 taking i-Soon to court for a software development contract dispute, i-Soon might have developed the Treadstone panel.

Another document relating to known Chinese APT tools is a whitepaper for a Windows remote control management system. This document covers the system and network architecture and the product’s features. On one of the pages explaining management of the tool is a screenshot of what is likely the administrator panel, shown in Figure 3.

Image 3 is a screenshot of the administrator panel that includes the configured public IP address and port included in the whitepaper for the Windows remote control management system.
Figure 3. Administrator panel from Windows remote control management system related to known Chinese APT tool.

The screenshot shows the configured public IP address and port as TCP[://]118.31.3[.]116:44444. SentinelLabs reported this IP address was used as a ShadowPad C2 server in August 2021 and attributed to the Winnti group. This second link to the Winnti group adds further evidence that i-Soon was involved in the development of known Winnti tool sets.

Technical and Operational Capabilities

I-Soon’s leaked documents reveal a sophisticated array of cyber tools and techniques. From custom Remote Access Trojans (RATs) tailored for Windows, offering unprecedented control over compromised systems, to advanced exploitation tools for both iOS and Android platforms that could operate without leaving traditional traces like jailbreaking, the breadth of I-Soon’s capabilities is extensive. Portable network penetration devices, masquerading as everyday electronics but designed to launch attacks and deploy malware, underscore a physical aspect to their digital intrusions​​.

Targeting and Impact

The diversity and geographic spread of I-Soon’s targets are a testament to the strategic depth of China’s cyber espionage activities. Government departments, telecommunication firms, and educational institutions across continents, including NATO members and countries like India, Thailand, Vietnam, and South Korea, were all in the crosshairs, highlighting a deliberate effort to gather intelligence across a broad spectrum of global interests​​.

Financial and Human Aspect

The leaks unveil the financial models underpinning such operations, juxtaposing the high revenue from espionage services against the surprisingly low compensation for the technical experts responsible for executing these sophisticated cyber operations. This disparity raises critical questions about the sustainability and internal pressures within these organizations​​​​.

Strategic Integration with State Agencies

Further analysis suggests that I-Soon operates as an Advanced Persistent Threat (APT)-for-hire, deeply integrated with key Chinese security and intelligence agencies. This symbiotic relationship underscores the strategic utilization of private sector capabilities to fulfill state-sponsored cyber objectives, reflecting a broader trend of leveraging third-party contractors for national cyber operations​​.

Ecosystem and Attribution Challenges

The I-Soon leak has also highlighted the complex and intertwined nature of China’s cyber espionage ecosystem. The leak not only challenges the previously understood neat categorization of threat groups but also illustrates the collaborative and competitive landscape among China’s patriotic hackers and cybersecurity firms. This ecosystem thrives on a mix of state support and profit motive, with a significant emphasis on exploiting vulnerabilities and expanding business operations within the cyber domain​​.

A Deep Dive into the Leak That Unraveled China’s Cyber Espionage Operations

The revelation of the I-Soon data leak marks a pivotal moment in the understanding of China’s cyber espionage capabilities and operational dynamics. I-Soon, a company with deep ties to various agencies of the People’s Republic of China (PRC), including the Ministry of Public Security, Ministry of State Security, and the People’s Liberation Army, came under the spotlight following a significant data breach over the weekend of February 16th. This breach provided a first-of-its-kind glimpse into the internal workings of a state-affiliated hacking contractor, raising critical questions about the scope, efficiency, and ethics of cyber operations conducted on behalf of or within the PRC.

Initial Observations and Analytical Insights

The initial discovery of the I-Soon leak was notably marked by the registration of an email address, [email protected], on January 15th, which subsequently uploaded content to GitHub a month later, revealing an extensive array of documents, marketing materials, and communications between I-Soon employees and their clients​​​​​​​​. These documents showcased not only the technical prowess of I-Soon but also the human and financial aspects of its operations.

Technical Capabilities Exposed

The leak unearthed a wide range of cyber espionage tools and techniques employed by I-Soon, highlighting its capabilities in creating custom Remote Access Trojans (RATs), exploiting mobile devices across both iOS and Android platforms, and developing network penetration devices disguised as everyday electronics​​. This revelation confirmed I-Soon’s role in the competitive marketplace of hacking-for-hire, driven by government targeting requirements.

Moreover, the leak provided critical insights into the command-and-control infrastructure, malware, and victimology associated with suspected Chinese cyber espionage activities. These details point to a structured approach to cyber operations, ranging from targeted penetration testing frameworks to specialized equipment for operatives, indicating a sophisticated understanding and execution of cyber warfare tactics​​​​.

Targeting and Operational Reach

I-Soon’s targeting lists and operational details unveiled in the leak illustrate a deliberate strategy to infiltrate a variety of strategic targets globally, spanning governments, telecommunications firms, universities, and pro-democracy organizations, particularly in Hong Kong. The geographic diversity and sectoral breadth of these targets underscore the expansive reach of China’s cyber espionage efforts, implicating entities in India, Thailand, Vietnam, South Korea, and NATO member states​​​​.

Financial and Human Dimensions

The leaked documents also shed light on the financial models and workplace dynamics within I-Soon. Discussions around low employee pay contrast sharply with the high stakes of their operations, revealing the economic underpinnings of cyber espionage activities. The leak further exposed the pricing models for espionage services, offering a rare glimpse into the economic transactions behind state-sponsored hacking efforts​​​​.

Strategic Implications and Global Response

The unmasking of I-Soon through this leak presents a unique opportunity for the global cybersecurity community to reassess past attribution efforts and gain a deeper understanding of the complexities within China’s cyber threat landscape. It underscores the significance of third-party contractors in facilitating and executing China’s offensive cyber operations, highlighting a sophisticated ecosystem where private enterprises serve as key players in the state’s cyber warfare strategy​​​​​​.

The insights gained from the I-Soon leak necessitate a recalibration of defense strategies by nations and organizations worldwide. This event serves as a critical wake-up call, emphasizing the need for robust cybersecurity measures to counteract the advanced capabilities and strategic operations of actors like I-Soon. As the global community continues to dissect and analyze the voluminous information from the leak, it becomes imperative to foster international cooperation and dialogue to address the challenges posed by state-sponsored cyber espionage and warfare​​​​.

Technical Sophistication and Operational Reach

I-Soon’s leaked technical documents reveal a catalog of custom hardware snooping devices ingeniously designed to infiltrate networks undetected. Among these, a device disguised as a power bank stands out, illustrating the lengths to which the company goes to ensure stealth and efficiency in data extraction. This device, masquerading as a mundane piece of technology, is engineered to siphon data from victims’ networks directly back to the hackers, representing a blend of espionage tradecraft with modern technological innovation.

Further scrutiny of the leaked documents exposes detailed diagrams of I-Soon’s offensive toolkit, encompassing a wide range of cyber weaponry tailored for various aspects of digital infiltration and espionage. These tools, while not necessarily groundbreaking in their capabilities, confirm I-Soon’s substantial investment in developing and maintaining a diverse portfolio of offensive cyber capabilities. This arsenal equips the company to execute a spectrum of cyber operations, from targeted espionage to broad-scale data breaches, catering to the demands of a clientele that spans state actors and possibly other entities seeking competitive advantages through illicit means.

Revenue Streams and Market Dynamics

The documentation related to I-Soon’s operations reveals a business model heavily reliant on hacking-for-hire services, offering a glimpse into the economic underpinnings of the cyber mercenary ecosystem. The company’s emphasis on custom hardware devices, alongside its comprehensive suite of software tools, suggests a dual approach to revenue generation, combining product sales with service offerings. This model not only amplifies the potential for profit but also highlights the competitive nature of the marketplace, where innovation and secrecy serve as currency.

Ethical and Strategic Implications

The exposure of I-Soon’s operational capabilities and business strategies raises critical questions about the ethical dimensions of cyber mercenary activities. The utilization of devices designed to deceive and exploit underscores a broader trend of militarization in cyberspace, where the boundaries between state-sponsored actors and private entities increasingly blur. This trend poses significant challenges for global cybersecurity norms and the strategic calculus of nations and organizations striving to protect sensitive information and critical infrastructure.

The unmasking of I-Soon through this leak offers a rare and invaluable glimpse into the mechanics of state-affiliated cyber operations, challenging previous attributions and revealing the maturing nature of China’s cyber espionage capabilities. For the global cybersecurity community and national defenders, this leak serves as a stark reminder of the sophisticated threats posed by state-sponsored cyber activities and the crucial need for robust defense mechanisms and international cooperation to counteract these operations.


Please enter your comment!
Please enter your name here

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.