I-Soon Leak Overview

In this post, our Labs team delivers a portion of our I-Soon leak data analysis. As with every great analysis document, this one begins with an interesting post that bubbled up on X (formerly Twitter):

Twitter Post by @AzakaSekai_ [X.com]

The leaked data suggests a moderately sophisticated threat actor ostensibly involved with wide-ranging offensive cyber operations and national security motivations. The leaked documents can be interpreted to confirm that the threat actor, Anxun Information Technology Company, is linked to the Chinese Ministry of Public Security and Jiangsu State Security Department. The leaked data suggests Anxun, also known as I-Soon, has been conducting unauthorized offensive cyber operations against key personnel and organizations across Southeast Asia and elsewhere.

I-Soon’s CEO, Wu Haibo, has a reputation as 'Hongke [Wikipedia.org]', using the handle 'shutd0wn' in the Chinese hacking scene, dating back to the late 1990s (cDc’s Back Orifice release at DEF CON was amazing). For its part, I-Soon continues to be active in China’s national hacking scene through a Capture The Flag (CTF) competition that is claimed to have hosted over 20,000 participants from across China.

Information gathered as the result of a legal action links I-Soon to Chengdu 404 [FBI.gov], another offensive cyber services company. Chengdu 404 has been linked to operations associated with APT41 [MITRE.org] as well. Seemingly related, information contained in the leaks describes services targeting foreign affairs offices and other relevant governmental organizations. This translated slide [X.com] is taken from marketing materials for I-Soon’s Outlook exploitation and forensic services. In this slide, a short list of governmental agencies in India are identified as potential targets.

Originally discovered on GitHub [GitHub.com], the leaked data encompasses a variety of documents, including internal chat logs, product documentation, business records, target information, user credentials, and more.

I-Soon’s marketing materials describe a range of offensive services that include self-described APT capabilities. This is not unlike many other companies that provide offensive security services with a primary difference being I-Soon’s preference towards supporting national causes. For instance, some of the leaked business records outline I-Soon’s efforts to win surveillance contracts.

Product documentation describing I-Soon’s ‘Automated Penetration Testing Platform’ suggests the authors were likely inspired by the Metasploit Framework.

“Automated Penetration Testing Platform” Architecture

Metasploit Framework Architecture

Payload delivery includes custom implants [X.com] for Windows, Mac, Linux, Android, and iOS. Related to physical operations, the documentation also details aspects of a portable WiFi-based attack and tracking platform. While it is interesting to have a view into another team's TTPs, the documented capabilities are relatively common among boutique service providers with an interest in offensively applied computer science [DTSC.mil].

Relevant mostly because it highlights the interplay of private business and formal nation-state capabilities, the chat logs recount a specific instance where a particular exploit was presented during a bug-hunting competition (Tianfu Cup). In one section of the log, ‘shutd0wn’ describes the team’s efforts to get a copy of the software (a zero-day exploit), claiming that this wasn’t possible because an entity referred to as ‘Jiangsu’ had control of it. While it is possible that all other copies of the capability had been destroyed, this seems unlikely, which raises the probability that at least some of the information contained in this leak archive is fabricated. More importantly, this exchange offers a potential insight into the age of the information contained in the archive, as well as confirmation of Chinese hacker culture and I-Soon’s potential for influence.

I-Soon appears to be like various other companies offering offensive security services, but the leaked documents suggest a broad set of targets [GitHub.com] that are mainly interesting in the context of nation-state advantage. The targets identified in the leaks include organizations based in countries throughout Southeast Asia, including Cambodia, Indonesia, Malaysia, Myanmar, the Philippines, Thailand and Vietnam. This is not necessarily surprising given the history of offensive cyber operations in this region [CFR.org]. Furthermore, there are signs that I-Soon has compromised targets in Afghanistan, Egypt, France, India, Pakistan, and Turkey. Finally, the documents reveal breaches involving NATO and various universities. China maintains diplomatic and trade relations with all of the countries listed above. Likewise, a fluctuating but non-negligible number of Chinese nationals attend the universities listed in the leaked documents.

While intriguing and suggestive, the leaked chat logs and other documents could be the result of legitimate service delivery discussions. It is possible that these assessments were facilitated by governmental agencies to other governmental prospects as part of a diplomatic initiative. Portions of the chat logs detail attempts to sell data related to Jens Stoltenberg, the secretary general of NATO. These actions highlight the varied motivations driving I-Soon’s operations as a company.

A highlighted capability that comes up in much of the leaked data describes I-Soon’s ability to compromise ‘Outlook accounts’ using their products. I-Soon also markets the ability to crack email attachments as part of an ‘Outlook mailbox forensics’ service. This is particularly interesting when considered in the context of past breach notifications [Microsoft.com] and recently disclosed vulnerabilities [Microsoft.com] related to Storm-0558 [Microsoft.com].

Also included in the leaked data are Call Detail Records [IEEE.org] (CDR) and Location Based Services [IEEE.org] (LBS) records. A threat actor with access to this data could track devices associated with key individuals while they are connected to a telecommunications provider’s infrastructure. When assessing risk and impact, two differentiators become useful: the level of privilege gained by the threat actor and various factors related to post-exploitation persistence. Real-time access to logging systems or infrastructure components offers enhanced capabilities over time-delayed access to the same log data. Clandestine, privileged access to telecommunications infrastructure components provides a reliable and more easily anonymized method of tracking key individuals.

That said, even without access to infrastructure components, this type of data can be purchased through commercial data brokers. Products sold by these brokers may include a blend of infrastructure data as well as data gathered from various software installed on an individual’s device. These products are available to interested buyers such as I-Soon or an associated entity.

Other interesting information contained in the leaked documents include:

Here again, these tools represent commodity capabilities when compared with their peers.

These documents provide insights into I-Soon’s commercial offerings and operational standards. The leaked documents, when analyzed as a whole, seem to confirm the dual-purpose nature of I-Soon’s business and motivations. As of this posting, analysis is ongoing, yet one of the most remarkable findings from the product documentation is that it describes a relatively standard offensive toolkit, encompassing moderately sophisticated exploitation capabilities. Effectively, the linked documents outline I-Soon’s version of a ‘hacktop’: the type that would be familiar to anyone who builds their offensive cyber capability from a common Linux or BSD distribution. Stated differently, I-Soon’s capabilities are interesting both academically and practically, but this leak doesn’t burn any significant capability. No source code was leaked as part of the archive.

There is a non-zero potential that some, or all, of the information in the leak archive is fabricated.

The history of offensive cyber activities as part of espionage campaigns across Asia is well-understood. The drivers behind these activities range from ‘critical to national security’ to ‘just looking around, thanks.’ Considering this, it is reasonable to incorporate knowledge gained from this leak into future defensive cyber strategies. Lessons learned can be assumed valid when operating in any potentially hostile region, both as a company and as individuals. Regardless of authenticity, the leaked documents underscore the complexity and magnitude of contemporary cyber espionage efforts, emphasizing the difficulty in finding compelling evidence that can be used to attribute specific cyber attacks to particular actors or nations. Ultimately, involving commercial service providers as part of an espionage action further muddles global attempts to mitigate these threats.

About 23p Labs

23P Labs constantly tracks emerging threats. We use this type of gathered intelligence to inform the threat models that are the foundation of our work. 23P offers assessment, consultation and training solutions to measure your organization’s ability to detect and respond to modern threat actors of all known capability levels.

23p Labs would like to thank the researchers who translated and shared this information. The information contained in these leaks provides insights into I-Soon's operations. Likewise, it also serves as a valuable resource for cybersecurity researchers and practitioners to better understand and defend against these motivated threat actors. This work helps all of us, offensive and defensive practitioners alike, gain a better understanding of these active threat actors.

For this post, our translations of the leaked documents were synthesized from output generated by Google Translate and several LLMs.

Links:

Original GitHub Leak Repository: https://github.com/I-S00N/I-S00N

Michael Taggart’s Leak Repository: https://github.com/mttaggart/I-S00N/

Ministry of Public Security: https://en.wikipedia.org/wiki/Ministry_of_Public_Security_(China)

Jiangsu State Security Department: https://en.wikipedia.org/wiki/Jiangsu_State_Security_Department

PitchBook Entry for Anxun Information Technology Company: https://pitchbook.com/profiles/company/433635-85

MITRE Profile of APT41: https://attack.mitre.org/groups/G0096/

Natto Group Analysis: https://nattothoughts.substack.com/p/i-soon-another-company-in-the-apt41

CISA Guidance to Detect APT Activity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
