Risky Biz Briefing: The i-SOON Data Leak

Toiling in the cyber salt mines, Stable Diffusion

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by runZero.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

‎Risky Business News: Srsly Risky Biz: China’s free market espionage machine on Apple Podcasts
‎Show Risky Business News, Ep Srsly Risky Biz: China’s free market espionage machine - 21 Feb 2024

Written with Catalin Cimpanu of Risky Business News

An unknown individual or entity has leaked files that suggest a Chinese cyber security company is developing malware and carrying out cyber espionage on behalf of the Chinese government.

The data allegedly belongs to i-SOON, a company based in Chengdu, that also does business as Sichuan Anxun (四川安洵信息技术有限公司).

i-SOON was already on the radar of some cyber security researchers after being sued by a firm from the same city, a company known as 'Chengdu 404'.  According to the US Department of Justice, Chengdu 404 is linked to the cyber espionage group known as APT41. There are also matches in the data leak to Indicators of Compromise (IOCs) from previous cyber espionage campaigns.

A Natto Thoughts report from October last year described i-SOON as one of many Chengdu-based cybersecurity companies that work as contractors for the Chinese government, providing the technical know-how and manpower for internal surveillance operations and cyber espionage. Chengdu, according to reports, is a cyber security talent and recruitment hub for China's Ministry of State Security (MSS). 

What's in the files?

The original i-SOON leak GitHub repository is here, and a machine-translated version of the files is available in this repo.

The data is only loosely organised. According to threat intelligence analysts who have gone through it, the files include internal chats, business pitches, documentation describing the company's products, and what appears to be stolen victim data, such as credentials and even CDRs (call detail records) from hacked telcos. No source code was included.

The business documents include pitches and presentations about the company's services including "penetration testing", surveillance operations, and also descriptions of its tools.

Business pitches included in the leaked files also show i-SOON's interest in landing surveillance contracts in China's Xinjiang province, home of the country's Uyghur Muslim minority.

The i-SOON data also includes files that appear to be documentation or more technical business pitches describing products with an extremely broad range of capabilities. These include:

  • Malware designed to run on Windows, macOS, Linux, iOS, and Android;
  • A platform to collect and analyse email data;
  • A platform to hack into Outlook accounts;
  • A Twitter monitoring platform;
  • A reconnaissance platform using OSINT data;
  • Physical hardware devices meant to be used for on-premises hacking, typically targeting WiFi networks;
  • Communications equipment using a Tor-like network for agents working abroad.
Screenshot of one of the i-SOON tools designed to access Outlook accounts

There's a slide deck advertising its "APT Team". We're struck by the irony that a term coined within the US Department of Defense to describe Chinese cyber espionage efforts is now used in the marketing materials of the firms actually carrying out said Chinese cyber espionage. 

Slide from the i-SOON repository advertising APT services

What does it tell us?

At one level, this leak does not change anything: it is no secret that China is a prolific cyber espionage actor, so it probably will not change people's views about the country. However, there are interesting gold nuggets here and the leak also provides a behind-the-scenes view of China’s espionage activities. There's a lot of colour here.

One of the leaked internal chats references the Tianfu Cup, a local hacking contest set up by Chinese authorities following the format of ZDI's Pwn2Own.

In these messages, Shutd0wn—the pseudonym of i-SOON CEO Wu Haibo—asked for proof-of-concept code (POC) for exploits used at the Tianfu Cup 2021 edition.

Shutd0wn to lengmo: Regarding the 0-day vulnerabilities in the Tianfu Cup competition, it is said that the POCs were given to the public security bureau. Can we obtain them?

Lengmo to Shutd0wn: We can't get them. I asked that day, and the department gave them to Jiangsu. [The conversation appears to refer to the Ministry of Public Security, although the Jiangsu branch of the Ministry of State Security makes more sense given its historical activity.]

China's vulnerability disclosure rules have changed in recent years to funnel vulnerabilities through its intelligence agencies. There is also strong circumstantial evidence that these vulnerabilities have been used in espionage operations. 

In May 2021, the MIT Technology Review claimed an exploit showcased at the 2018 Tianfu Cup was used to spy on China's Uyghur Muslim minority shortly after it was demonstrated at the contest and before a patch was released. And an analysis by threat intelligence firm Recorded Future of how long it took vulnerabilities to be published to China's national vulnerability database (as compared to publication speed at its US equivalent) also found suggestive patterns. The publication of more severe vulnerabilities (those with a higher CVSS score) and those linked to malware used by Chinese espionage groups was delayed when compared to more run-of-the-mill vulnerabilities. This suggests that the MSS is assessing whether vulnerabilities can be exploited before they are revealed. 

Assuming these chat messages are legitimate, they confirm that China's own espionage contractors believe that the government is using its local vulnerability researchers' discoveries for cyber espionage purposes.  

One of the leaked internal chats suggests i-SOON contracts with both China's Ministry of State Security (MSS) and Ministry of Public Security (MPS), through each agency's network of local bureaus.

Other chats provide a window into the ecosystem of contractors and subcontractors providing these specialised cyber security services. One suggests the company, along with several other contractors in a highly competitive market, is among the recipients of lists of targets from government agencies. 

There is evidence of an interesting 'try before you buy' approach to espionage here. In one chat, the first participant is trying to sell data from Jens Stoltenberg, the Secretary-General of NATO. The other participant replies that "they looked at the sample but are not interested". The first says that they are "really short of money" and offers to lower their price. But the second person replies that "what you consider valuable may not be considered valuable by others". 

"It's not about whether it is cheap or not", the messages continue, "it's because they don't think it is worth spending money on".

Ouch. Sorry Jens. 

The leak includes what look like several target lists covering a number of governments, including Pakistan, India, Malaysia, Turkey, Egypt, France, Cambodia, Indonesia, Vietnam, Myanmar, the Philippines, and Afghanistan, as well as NATO, universities, and the Hong Kong pro-democracy movement.

Dakota Cary, a China-focused consultant at SentinelOne who has published extensively on Chinese cyber actors, told Seriously Risky Business he noticed the "cut-rate prices" the company was paid.

"The leaks show that a company, paid relatively little money and competing for low-value contracts from the state, is responsible for massive online hacking campaigns. If hacking into the Vietnamese government was more difficult, we would expect the company to be paid more than USD$60,000", he continued.

Although from a narrow cyber security perspective the leaks themselves are interesting but not earthshaking, there is still the possibility of diplomatic fallout if an affected government takes offence. 

Dr Huong Le Thu, a Southeast Asia expert at the Center for Strategic and International Studies, told Seriously Risky Business that she didn't think this was likely for most of the Indo-Pacific countries involved.  

In the past these countries had been "very careful" about how they react to prior Chinese intrusions, she said, although in this case she thought the Philippines and perhaps India might be potential exceptions. China has been contesting a Philippine presence in the South China Sea, so it depends "on how escalatory [new President] Marcos Jr wants to be". In India, the story of the leak could play into the upcoming election "if it suits nationalists moods".

But this is also an opportunity for US diplomats, and Le Thu thought that the US would use this to brief countries in the region about Chinese espionage. In the wake of the spy balloon fiasco last year, for example, the US briefed 40 foreign embassies on China’s aerial surveillance program. This seems like a golden opportunity for a set of briefings about Chinese cyber espionage.

This is a lot of fun for those of us who follow Chinese cyber activity closely and provides some fascinating insight into how at least some of the lower tier Chinese espionage contractors work. But it's not any sort of game changer and will not have the impact that the Snowden leaks had on Five Eyes operations.

Disruption, Disruption Everywhere

There is emerging evidence that the worldwide pace of government-sanctioned cyber disruption is picking up.

Since 20 December 2023 there has been a spate of disruption operations targeting cybercriminal and nation state adversaries.

This week, the UK's National Crime Agency announced the takedown of the LockBit ransomware gang. This is covered in depth in Risky Business News and briefly covered in this week's 'Three Reasons to Be Cheerful' section.

Last week, the US Department of Justice (DoJ) announced the court-authorised disruption of a small office/home office (SOHO) router botnet controlled by the GRU (Russian military intelligence). Interestingly, this network leveraged 'Moobot' malware, a Mirai-variant malware associated with a known criminal group that has been around since at least 2019. The GRU then "repurposed the botnet, turning it into a global cyber espionage surveillance platform", says the DoJ press release. 

At the end of January the DoJ announced a similar disruption of the KV-botnet, a botnet used by PRC cyber espionage groups. 

And on 19 December last year the DoJ announced it had taken action against the Alphv/Blackcat ransomware gang, which its press release stated was the "second most prolific ransomware-as-a-service variant". 

That's an unprecedented amount of disruption over the last two months. 

Speaking at the Munich Cyber Security Conference, Anne Neuberger, the White House deputy national security advisor for cyber and emerging technologies, said that ransomware takedown operations weren't occurring frequently enough, as reported in The Record.

"We’re doing that every 8-12 months, but they have to be more frequent," she said. "We’ve made progress, but there is far more to be done."

Adversary groups adjust when their operations are interrupted or hampered, but it takes time. We're hopeful that these recent disruption operations are not just a flash in the pan, but are instead the start of a new trend.  

Three Reasons to Be Cheerful This Week:

  1. LockBit's entire criminal enterprise seized by international law enforcement action: Operation Cronos, led by the UK's National Crime Agency, seized infrastructure, froze cryptocurrency wallets, released keys and decryption tools, arrested members and imposed sanctions. Particularly pleasing was the excellent trolling of LockBit members and affiliates carried out by Op Cronos. Risky Business News has comprehensive coverage.
  2. Tech companies sign AI election accord: A coalition of tech companies announced the accord at the Munich Security Conference last week. The Associated Press described the accord as "largely symbolic", but with a number of significant elections taking place this year, there is no doubt that AI technologies will be used in deceptive ways. Firms that have signed up so far include Microsoft, OpenAI, Amazon, Meta, StabilityAI, TikTok and X, among others. 
  3. Spyware firm Variston bleeding staff: Former employees of Variston, a Barcelona-based spyware maker, told TechCrunch that attention and public reporting from Google's Threat Analysis Group made life difficult for the startup. This has caused an exodus of staff from the company, and some former employees even say Variston is shutting down. 

In this Risky Business News sponsored interview, Tom Uren talks to Rob King, runZero’s Director of security research. The pair talk about the world of Operational Technology protocols and how Rob dissects these protocols to be sure that active discovery of OT devices is safe.

‎Risky Business News: Sponsored: Breaking apart OT protocols on Apple Podcasts
‎Show Risky Business News, Ep Sponsored: Breaking apart OT protocols - 18 Feb 2024

Try runZero for free at https://www.runzero.com/try/signup/


How Threat Actors Use AI

Last week Microsoft and OpenAI both published reports examining how various cyber threat actors are using AI services such as Large Language Models (LLMs, the technology behind ChatGPT).

The reports cover an array of state-affiliated threat actors from the usual suspects—Russia, Iran, North Korea and China. OpenAI's report summarises the activity:

These actors generally sought to use OpenAI services for querying open-source information, translating, finding coding errors, and running basic coding tasks. 


  • Charcoal Typhoon [Ed: China] used our services to research various companies and cybersecurity tools, debug code and generate scripts, and create content likely for use in phishing campaigns.
  • Salmon Typhoon [Ed: China] used our services to translate technical papers, retrieve publicly available information on multiple intelligence agencies and regional threat actors, assist with coding, and research common ways processes could be hidden on a system.
  • Crimson Sandstorm [Ed: Iranian] used our services for scripting support related to app and web development, generating content likely for spear-phishing campaigns, and researching common ways malware could evade detection.
  • Emerald Sleet [Ed: North Korea] used our services to identify experts and organisations focused on defense issues in the Asia-Pacific region, understand publicly available vulnerabilities, help with basic scripting tasks, and draft content that could be used in phishing campaigns.
  • Forest Blizzard [Ed: Russian] used our services primarily for open-source research into satellite communication protocols and radar imaging technology, as well as for support with scripting tasks.

Both reports describe these activities as either 'experimental' or as providing only 'limited, incremental' advantages over currently available non-AI powered methods.

In all the cited cases the accounts associated with these groups have been terminated.

Usernames for Signal

Signal has announced upcoming changes that make phone numbers more private on the app. 

These features are currently in beta, but within Signal a user will be able to give out a username instead of a phone number and will be much better able to control who sees their number.

These are definitely privacy-enhancing features, but we wonder whether this increases the likelihood the service will be used in malicious ways. More coverage in Wired.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq reassess Russian cyber activity in the early days of its invasion of Ukraine. 

‎Risky Business News: Between Two Nerds: Russian cyber doctrine on Apple Podcasts
‎Show Risky Business News, Ep Between Two Nerds: Russian cyber doctrine - 19 Feb 2024

From Risky Biz News:

New NSO Group capability reproduced after court disclosure: ENEA, a Sweden-based telecom security firm, claims it reproduced a user fingerprinting technique advertised and sold by Israeli spyware vendor NSO Group.

Named MMS Fingerprinting, the technique can collect information on a target's smartphone and operating system just by sending an MMS message.

NSO Group claims no user interaction is needed besides knowing the target's phone number.

ENEA says that it learned about this technique after reading court documents filed by WhatsApp in 2019 in its lawsuit against NSO Group—with MMS Fingerprinting being mentioned in a contract between an NSO reseller and Ghana's telecom regulator.

[more on Risky Business News]

Microsoft will replace Secure Boot certificates to avoid 2026 boot-pocalypse: Microsoft this week released an optional servicing update that rotates digital certificates used by the Secure Boot feature.

The update is likely to unclench some sphincters in the IT administration and cybersecurity community, as the certificates were set to expire in 2026.

Once the certificates expired, Windows systems where Secure Boot was enabled would have failed to boot. The issue would have also impacted some Linux systems that use Microsoft certificates for their bootloader, such as Ubuntu.

[more on Risky Business News]

Pegasus in Poland: Polish Prime Minister Donald Tusk says he has obtained official documentation confirming that the country's previous government extensively used the Pegasus spyware. Tusk says the former government targeted a "very long" list of targets. The list is much larger than previous reports, and most targets were opposition politicians. Tusk described the hacking campaign as "illegal." Poland's previous government was led by the right-wing Law and Justice (PiS) party. [Additional coverage in the Associated Press and Gazeta.pl]