IT World Canada

Leaked documents may show the inside of China’s hacking strategy

[Illustration of a keyboard with the flag of China. Image by Kagenmi from Thinkstock.com]

A leak of data from a Shanghai-based cybersecurity company has researchers speculating that it has exposed the workings of a Chinese government-sponsored hacking group.

The company is called i-Soon — also known as Anxun — which, according to researchers at SentinelOne, does contract work for many Chinese government departments, including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army.

Last weekend, a cache of more than 500 company documents was published on GitHub. “The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” says SentinelOne. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”

Although the source is not entirely clear, researchers at Malwarebytes say it’s likely a disgruntled staff member of the group leaked the information on purpose.

I-Soon employees complain about low pay and gamble over mahjong in the office, says SentinelOne. But the meat of the documents shows that the company appears to be responsible for compromising at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO. The leaked documents align with previous threat intelligence on several named threat groups, SentinelOne says.

“Victim data and targeting lists, as well as names of the clients who requested them, show a company who competes for low-value hacking contracts from many government agencies,” says SentinelOne. “The finding indicates that historical targeting information from Advanced Persistent Threats thought to be PRC [People’s Republic of China] contractors does not provide strong guidance on future targets.”

Malwarebytes says the documents show i-Soon’s tools include

Many of the files are versions of marketing materials advertising the company and its services to potential customers, says SentinelOne. In a bid to win work in Xinjiang, where China subjects millions of Uyghurs to abuses that the UN human rights office has said may constitute crimes against humanity and that several governments have labelled genocide, the company bragged about past counterterrorism work, the report says. As evidence of its ability to perform such tasks, the company also listed other terrorism-related targets it had hacked previously, including counterterrorism centers in Pakistan and Afghanistan.

Technical documents showed potential buyers how the company’s products function to compromise and exploit targets. Included in the documentation were pictures of custom hardware snooping devices, including a tool designed to look like a power bank for charging portable devices that relayed data from the victim’s network back to the hackers. Other documentation diagrammed some of the inner workings of i-Soon’s offensive toolkit. While none of the capabilities were surprising or outlandish, they confirmed that the company’s main source of revenue is hacking for hire and offensive capabilities.

The selection of documents and chats leaked on GitHub seems meant to embarrass the company, says SentinelOne, but it also raises key questions for the cybersecurity community. One document lists targeted organizations and the fees i-Soon earned by hacking them. Collecting data from Vietnam’s Ministry of Economy paid out US$55,000; i-Soon was paid less for data from other ministries. Another leaked messaging exchange shows an employee hacking into a university that was not on the targeting list. Their supervisor labelled that an accident.

“The leaked documents offer the threat intelligence community a unique opportunity to re-evaluate past attribution efforts and gain a deeper understanding of the complex Chinese threat landscape,” says SentinelOne.

For defenders and business leaders, it adds, “the lesson is plain and uncomfortable. Your organization’s threat model likely includes underpaid technical experts making a fraction of the value they may pilfer from your organization. This should be a wakeup call and a call to action.”
