iSoon's Secret APT Status Exposes China's Foreign Hacking Machination

A trove of leaked documents has revealed the Chinese government works with private sector hackers to spy on foreign governments and companies, domestic dissidents, ethnic minorities, and more.
On Feb. 16, an anonymous individual with unknown motives pulled back the curtain at Anxun Information Technology, also known as iSoon, a Shanghai-based company best known on the outside for providing cybersecurity training courses.
Behind the scenes, it seems, the company is a hack-for-hire operation servicing government agencies of the People's Republic of China, including its Ministry of Public Security, Ministry of State Security, and the People's Liberation Army.
Analysts have drawn overlaps between iSoon and multiple known Chinese APTs.
Adam Meyers, head of counter adversary operations at CrowdStrike, tells Dark Reading that the group maps specifically to Aquatic Panda.
Among the more than 500 leaked documents are marketing materials, product manuals, lists of clients and employees, WeChat instant messages between those clients and employees, and much more.
Analysts are still poring over the material, which, taken together, begins to paint a picture of the Chinese state's primary targets and goals in cyberspace.
Who iSoon Is Hacking

iSoon's targets have included domestic targets, such as pro-democracy organizations in Hong Kong, and members of ethnic minorities, such as Uyghurs from China's Xinjiang province.
They've spanned agencies of at least 14 governments - in Vietnam alone, for example, the Ministry of Internal Affairs, the Ministry of Economy, the Government Statistics Office, and the Traffic Control Police - and possibly the North Atlantic Treaty Organization.
It has also hacked into private organizations across Asia, from gambling to airline to telecommunications companies.
According to Dakota Cary, consultant at SentinelOne and a nonresident fellow at the Atlantic Council's Global China Hub, there's an important lesson to be drawn from this cyber hit squad's wide range of targets.
Cheap Deals for Government Exploits

Documents leaked over the weekend also reveal widely varying rates at which the Chinese government pays iSoon for access to its victims.
Access to the private website of Vietnam's traffic cops, for example, ran up a tab of $15,000, while data from its Ministry of Economy was billed at $55,000.
According to The New York Times, certain personal information gleaned from social media accounts was worth up to $278,000 to the government, which has long been known to target individual opponents of the ruling party.
Particularly in contrast with the prices fetched in the vulnerability market.
Lots of New Information, but Nothing Changes

iSoon sports an arsenal of fun malicious tools - a Twitter infostealer, pen testing tools, and fancier hardware devices, including special battery packs and a tool designed to look like a powerbank, both of which serve to pass information from a victim network to the hackers.
Most of what it uses is already known malware within the Chinese APT ecosystem, such as the Winnti backdoor and the ancient PlugX remote access Trojan.
For him, the most interesting aspect of the leaks was the behind-the-scenes shenanigans - employee complaints about low pay, gambling over mahjong in the office, and the like.
For Cary, the takeaway is just how little some organizations fetch in the cyber espionage market.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 22 Feb 2024 21:40:35 +0000