Executive Summary
- On 16th February 2024, an individual with the email ID [email protected] uploaded a collection of files to GitHub under the title I-SOON.
- These files are allegedly from a Chinese cyber security company that provides cyber intelligence and tools with spyware capabilities to its clients. The repository contains employee complaints and information, information about the financial issues faced by the company, chats between organization seniors, product details from the company, information about the company’s espionage operations and organizations targeted by this company.
- The clients of this company are major government institutions from the People’s Republic of China, implying the support from the nation-state for resources.
- The files contain conversations between the employees and the company’s affiliates. These conversations reveal the type and scale of espionage this company was involved in. The company not only collects information from the neighbouring states but also on individuals from China.
- This data was collected from organisations like NATO, various government bodies and telecommunication companies of multiple neighboring countries of the People’s Republic of China.
- Indian organisations such as BSNL, Air India, EPFO, Apollo Hospitals and the Bureau of Immigration are mentioned in the files. However, no user data connected with them has been leaked.
- In one leaked image, the company could be seen advertising the main targets of its Intelligence Service in India being the Ministry of Foreign Affairs, Ministry of Defense, Ministry of Home Affairs and Ministry of Finance.
- The company also offered training and educational programs based on offensive cyber security to the students of various educational institutions based in China.
- One set of files showcases the capabilities of the tools and software created by this company. These include Remote Access Tools (RATs) crafted for each operating system, covering all active versions of Windows, macOS, Android, iOS and Linux; surveillance toolkits for all major global and Chinese social media sites; fully automated penetration testing tools; and more.
Capabilities of the tools offered
As an APT group, the company had a variety of tools in its arsenal. Its product offerings are notable, and we have listed their functions and how they were used by the Chinese APT below.
Key Product Categories
Product Name: Twitter Control System
Purpose: Surveillance, control, and manipulation of conversations on Twitter, likely with a focus on targets outside the country of origin.
Key Features
- Account Hijacking: Employs both social engineering tactics ("phishing" links to trick users) and potentially technical exploits to seize control of Twitter accounts.
- Data Exfiltration: Collects not only public tweets but also private messages for intelligence gathering.
- Emotion Manipulation: Ability to comment, like, or retweet posts from compromised accounts, likely to influence sentiment within discussions.
- Target Monitoring: Tracks specific Twitter users with keyword alerts, likely employed to identify opposition voices or track the spread of particular ideas.
- Stealth Focus: Designed to avoid detection, using minimal network activity and likely obfuscated code.
Potential Applications
- Foreign Influence Operations: Designed to sow discord, spread disinformation, or silence critics in other countries.
- Domestic Oppression: Could be used by a repressive government to monitor dissidents and control the online narrative.
- Intelligence Gathering: Provides insight into public opinion and potential threats (from the perspective of the entity using this tool).
Technical Considerations
- Zero-Day Vulnerability Exploitation: The "untraceable" nature suggests the ability to leverage undisclosed software flaws for initial access.
- Secondary Validation: Used to circumvent Twitter's own security checks, likely by impersonating a legitimate login flow.
- SaaS Model: Cloud-based deployment indicates ease of use and scalability for the operators.
Ethical Concerns
- Privacy Violations: This system enables large-scale surveillance without user consent.
- Control of Information: Creates the power to manipulate online discussions and suppress dissenting views.
- Targeting of Individuals: The emotional monitoring component suggests the potential for harassment or blackmail.
We also found several other notable tool sets.
Digital Information Solutions:
- Seizure Platform: Acquires target mailbox permissions and content through non-invasive techniques.
- Twitter Surveillance platform: Monitor, register, and authenticate Twitter accounts.
- Remote Control Management Systems (Windows, Mac, iOS, Android, Linux): Control and monitor remote operating systems, including processes, services, screen captures, and file access.
- WiFi Wireless Device: Covertly inserts itself into wireless networks to extract data (location, contacts, messages, etc.).
- WiFi Resistance Attack Systems: Decrypts WiFi passwords, detects network users, sets up SOCKS proxies, and decrypts logins to routing devices.
- DDoS system: Botnet client to DDoS websites, servers, and networks with a throughput of 10~100 Gbps.
- Automated Penetration Testing Platform: Scans, exploits, and gains access to networks and devices. Supports various attack methods.
- WiFi Terminal Positioning Restoration Device: Locates WiFi devices with high accuracy using signal strength and direction which can be controlled with a dedicated smartphone.
- Email analysis intelligence decision-making platform: Massive email data analysis, mining of personal information, email network analysis, extraction of IPs from email headers, and extraction of email attachments. Supports rapid analysis and retrieval of terabyte-level email data, keyword searches and auto-translation.
Security Coverage:
- Anonymous Anti-Zhang Wall: Anonymises online presence by hiding IP addresses, physical locations, etc. Similar to the Tor network.
Other Products:
- Domestic Criminal Investigation System: Queries real-time registration information of internet users on platforms like Baidu, Weibo and WeChat.
- Anti-Gambling Platform: Investigates online gambling activity.
- Practical Training Platform: Simulates network penetration environments for cybersecurity training.
Features and Capabilities
- Data Acquisition: Many products focus on extracting data from devices, accounts, and networks, often without the target's knowledge.
- Control: Products enable remote control over operating systems, social media accounts, and network traffic flows.
- Vulnerability Exploitation: Tools are designed to find and exploit security weaknesses in various devices, operating systems, and networks.
- Anonymity: Products mask the user's real identity and location online.
- Investigation Support: Products assist in investigations involving online criminal activity.
Attribution with APT 41
A blog post from Natto Thoughts revealed the connection between APT 41, a Chinese state-sponsored hacking group, and I-SOON.
- Images from the data reveal that i-SOON has a documented business relationship with Chengdu 404, the front company for APT41 operators.
- On delving deep we found i-SOON operates in a strikingly similar manner to Chengdu 404, cultivating ties with government security agencies and universities.
- Further, i-SOON's CEO, Wu Haibo, has a background as a prominent "red hacker" within early Chinese hacking circles. Leaked chats reveal that Wu Haibo uses the nickname “shutdown” for his online presence, based on which multiple attributions of his real-life identity and digital footprint have been made.
- i-SOON is qualified to conduct classified work for China's state security apparatus, a privilege often associated with APT groups. This is reinforced by leaked images showing that I-SOON has signed contracts with multiple police departments and government agencies to supply privileged surveillance information on unwitting citizens.
- The company's focus on surveillance technology, including possible ties to mobile malware, mirrors the tactics employed by Chinese APTs. Tools such as the Twitter control system, Trojan horses for all major OSs, the automated penetration testing platform and the database collection from multiple other state agencies and organisations further reinforce this point.
- Chengdu's established reputation as a hub for Chinese hacking activity further amplifies the potential connection between i-SOON and APT groups.
Real life attribution of “I-SOON”
- Based on the information available on PitchBook, I-SOON has received investment from CASH Capital and Qihoo 360 Technology.
- As per the information on QiChaCha, I-SOON has 15 legal cases against it. This is consistent with the leaked chats, in which employees and suppliers filed arbitration cases against I-SOON for their dues.
Real life attribution of “Shutdown”
- Shutdown’s real name is Wu Haibo.
- Wu Haibo (吴海波), a.k.a. shutdown, is a well-known first-generation red hacker or Honker (红客) and an early member of Green Army (绿色兵团), the very first Chinese hacktivist group, founded in 1997.
- He used his personal email address, [email protected], to register the domain i-soon[.]net in 2010.
- From the same email account he registered two other domains: RUN-YEAH[.]COM and vulscan[.]online.
- WHOIS records also reveal the phone number used while registering - +86-13761671735
- His Twitter account is shutd0wn1895
- His Skype’s username is shutdown_24
- He also has an account on the book reading platform Goodreads, with the username 83718223-wu-haibo. He last accessed this account on July 1, 2018.
Real life attribution of “Lengmo”
- Lengmo’s real name is Jesse Chen.
- He also used to run a blog on lengmo[.]net, which is now down. Archives can still be found on the Wayback Machine.
- Majority of the activity on his blog was in the year 2013.
- On the same blog he revealed his email addresses: [email protected] and [email protected]
- Through the email we were able to find his LinkedIn profile: https://www.linkedin.com/in/jesse-chen-344153110/
- Lengmo uses the username !4p47hy on WeChat with his location set to Iceland.
- On his Twitter account, https://twitter.com/l3n6m0, however, he claims to be in Świętajno, Polska.
- Going through the historical records of lengmo[.]net, we found another email ID associated with lengmo: lengmo@vip[.]qq[.]com. Using this email ID, lengmo registered multiple domains.
- This provides further confirmation that lengmo’s real name is Jesse Chen.
- "C.Rufus Security Team" is a Chinese group famous for releasing Gh0st RAT on the open Web in March 2008.
- Lengmo did not stop here; he had another email address on Yahoo, lengmo@yahoo[.]cn, using which he registered 3 more domains.
Not only monitoring other countries but citizens of China as well
Multiple images in the leak reveal that the company has formed, or was trying to form, contracts with state agencies to supply surveillance information.
Images related to quotation attempts from I-SOON reveal they were trying to supply surveillance instruments to a government agency in Lhasa (the administrative capital of the Tibet Autonomous Region), which is also mentioned in the chats between “shutdown” and “lengmo”, the senior figures of I-SOON.
Notable buyers who purchased surveillance or remote access tools include Yuxi Public Security Bureau, Chongqing Institute of Social Issues, UNIT 938 Hubei and Changting (Xiamen) Network Technology.
Data from Files - e182d867-dc18-43fd-a418-26dcf784242f_*_*.png
Access to data
According to the leaked files, the company had access to data from organisations in the following countries:
Hong Kong:
- 89.4 MB of user table and email data from Democratic People's Livelihood Association College Entrance Examination Student Data
- 82.3 MB of user table data from 2020.06 - 2021.11 from CSL Communication Company
India:
- Data from Apollo Hospitals
- Ability to query 95.2 GB of India's entry and exit information from the Bureau of Immigration up to 2020
- 5.49GB PC file from Ministry of Internal Affairs, PMO dated 2021.04 - 2021.10
Kazakhstan:
Telecommunications Providers
- Kcell Telecom (kcell.kz): 820GB of data, including Call Detail Records (CDRs) and user table information, spanning from 2019 to 2021.
- Beeline Telecom (beeline.kz): 637GB of data, including CDRs and user table information, spanning from 2019 to 2020.
- Tele2 Telecom (tele2.kz): 1.09TB of data. Further details on the specific data types are needed.
- Telecom Fixed Line Operator (telecom.kz): 257GB of data. Further details on the specific data types are needed.
Other Sources
- Pension Fund (tenpf.kz): 1.92GB of data, including CDRs and user table information, spanning from 2019 to 2020.
- User Information: 14.8 GB data table. Additional context is needed to determine the nature of this information.
Malaysia
Government Ministries
- Ministry of Works (kkr.gov.my): 288MB of email data. Access permissions include email permissions only.
- Ministry of Home Affairs (moha.gov.my): 6.85GB of email data, collected from April 2021 to December 2021. Access permissions include both email and intranet.
- Ministry of Foreign Affairs (kin.gov.my): Two datasets, each 6.59GB, consisting of PC files and email data. Data was collected from January 2021 to December 2021, with the termination date of December 20, 2021.
Telecommunications
- DIGI Telecom: 89.5 GB dataset containing CDR (Call Detail Records) and BTS (Base Transceiver Station) table information. Data was collected in May 2021 and accessed via full intranet control.
Mongolia
- 539MB of PC files from the Police Department.
- 2.37GB of email data from the Ministry of Foreign Affairs (mfa.gov.mn) collected around April 2021
Myanmar
- MPT Communication Company: 11GB of call log data covering June 2020 to September 2021.
- e-mofa.gov.mm (Likely Ministry of Foreign Affairs): 1.06GB of email data collected on May 26th, 2021.
Pakistan
- Zong: CDR and user table data spanning from 2019 to 2021.
- Punjab Counter-Terrorism Center: 1.43GB of email data collected from May 2021 to January 2022.
South Korea
- Korea_99 Population: 10.5MB data table.
- Population Data: 14.7GB data table.
- LG U+ Operator: 3TB of call log data from 2019 to 2021.
Thailand
- CAT Telecom.
- AIS Telecom (www.ais.co.th): 17.7GB of data, including user table and data table information. It is also mentioned that they had full control of the company Intranet.
- Ministry of Foreign Affairs (mfa.go.th): 3.33GB of data.
- TOT Operator (tot.co.th): 38.9MB data table.
- Ministry of Defence Royal Thai army headquarters, Ministry of National Defense communications department.
Other affected countries
- Megacom from Kyrgyzstan: CDR and user table data spanning from 2019 to 2021.
- Bayan Operator Data from the Philippines, 3.31GB data table.
- 2.8 million lines from Vietnam Airlines, 87,918 lines of telecom operator data, and data from the Social Affairs Department from Vietnam.
- Scientific and Technological Research Council of Turkey
- Government data from Nepal
- 2TB of Call log data from 2016-2018 from Roshan Operator from Afghanistan
- Public Tax Service records and data from the secretariat of European affairs of North Macedonia
References
- Intelligence source and information reliability - Wikipedia
- Traffic Light Protocol - Wikipedia
- https://github.com/I-S00N/I-S00N (Original Data)
- https://github.com/soufianetahiri/Anxun-isoon (Translated Data)
- https://nattothoughts.substack.com/p/i-soon-another-company-in-the-apt41 (Pointers about connection with APT 41)
Appendix
The content in the images has been translated into English for better understanding using public tools. Some information may be incorrectly translated. CloudSEK holds no responsibility for disputes arising due to translation errors.
Images from the repository which have mentions of India and Indian companies.
Image revealing information about the data from EPFO India. Text in the image reveals that a project was launched to collect this information and that it was shared as a large success. 320 million lines containing names, PF numbers, dates of birth, gender, father's or husband's name, UAN, etc., were leaked. The data amounted to 13.3 GB and was current as of July 8, 2021.
Another database titled UAN_REPOSITORY was also exfiltrated by the company. This breach had 180 million records and was 20.8 GB. It was likewise leaked on July 8, 2021.
An image revealed the various folders the employee had access to. These folders are likely named after the data they contain. Mentions of Peru, Oman, Ethiopia, Australia, Papua New Guinea, Palestine, North Macedonia, Bosnia and Herzegovina, East Timor, Congo, Kazakhstan, Djibouti, Guinea, Cambodia, Romania, South Africa, Nauru, India and South Africa are found in the image.
A similar image revealing the targeted organizations is also found in the leak.
I-SOON claims in its brand brochure to have the ability and proficiency to target Indian government agencies.
I-SOON claims in its brand brochure to have the ability and proficiency to serve as an APT group, with a focus on India and Tibet.