PRC State Hacking: ‘Chinese Edward Snowden’ Spills I‑Soon Secrets in Huge Dump of TTPs
Whistleblower in hacker contractor firm for Chinese government blows lid off tactics, techniques and procedures.
An enormous cache of documents and data from a Chinese hacking outfit got leaked by an insider. The state sponsored company, I‑Soon, seems to have a disgruntled mole who made all its secrets public.
Analysts will be poring over the data for months. In today’s SB Blogwatch, we lap it up, like a Pooh laps hunny.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: What will we do?
Underpaid, Overworked and Angry
It’s tag team time. Christian Shepherd, Cate Cadell, Ellen Nakashima, Joseph Menn, Aaron Schaffer, Pei-Lin Wu, Vic Chiang and Lyric Li report—“Vast international hacking effort”:
“Unusual glimpse inside”
A trove of leaked documents … shows that Beijing’s intelligence and military groups are carrying out large-scale, systematic cyber intrusions against foreign governments, companies and infrastructure. … Containing more than 570 files, images and chat logs, [it] offers an unprecedented look inside the operations of one of the firms that Chinese government agencies hire for on-demand, mass data-collecting operations.
…
The files … detail contracts to extract foreign data over eight years and describe targets within at least 20 foreign governments and territories. … Chat logs included in the leak describe selling unspecified data related to NATO. … Another file shows employees discussing a list of targets in Britain. … Hackers with the People’s Liberation Army have breached computer systems in about two dozen key American infrastructure entities over the past year
…
Experts are poring over the documents, which offer an unusual glimpse inside the intense competition of China’s national security data-gathering industry. … iSoon, also known as Auxun, [is] a Chinese firm headquartered in Shanghai. … Part of an ecosystem of contractors that emerged out of a “patriotic” hacking scene established over two decades ago, it now works for a range of powerful [Chinese] government entities including the Ministry of Public Security, the Ministry of State Security and the … military.
What’s in it? Tom Uren and Catalin Cimpanu elaborate—“The i-SOON Data Leak”:
“Surveillance operations”
It is no secret that China is a prolific cyber espionage actor. … i-SOON was already on the radar of some cyber security researchers after being sued by a firm from the same city, a company known as ‘Chengdu 404,’ [which] is linked to the cyber espionage group known as APT41. There are also matches in the data leak to Indicators of Compromise (IOCs) from previous cyber espionage campaigns.
…
The files include internal chats, business pitches, documentation describing the company’s products, and what appears to be stolen victim data. … The business documents include pitches and presentations about the company’s services including “penetration testing,” surveillance operations, and also descriptions of:
• Malware designed to run on Windows, macOS, Linux, iOS, and Android;
• A platform to collect and analyse email data;
• A platform to hack into Outlook accounts;
• A Twitter monitoring platform;
• An reconnaissance platform using OSINT data;
• Physical hardware devices meant to be used for on-premises hacking; …
• Communications equipment using a Tor-like network for agents working abroad.
Who leaked it? All aboard the Brian Krebs cycle—“China’s APT Menace”:
“Disgruntled employees”
The leak illustrates how Chinese government agencies increasingly are contracting out foreign espionage campaigns to the nation’s burgeoning and highly competitive cybersecurity industry. … The leaked documents, which include candid employee chat conversations and images, show a less public side of i-SOON, one that frequently initiates and sustains cyberespionage campaigns commissioned by various Chinese government agencies.
…
However, the chats include multiple conversations between employees commiserating over long hours and low pay. … Security experts who reviewed the leaked data say they believe the information is legitimate [and] was probably leaked by one of those disgruntled employees.
What’s going on? russfink has a think:
I have to wonder, was this upload intentional or a mistake? Could be … a Chinese version of Snowden recoiling against the state’s actions.
Interesting question. And elcor has a related whatabout:
You mean like the US? I mean this is Assange week after all, let’s not forget what was uncovered that sent him to prison.
What are these “physical hardware devices”? An_Old_Dog learns a new trick: [You’re fired—Ed.]
Compromised USB battery [that] uploads data. In other words, plants false evidence against … enemies of bureaucrats and leaders within the Chinese government.
But what if it’s a false flag op? 姜大翼—@DakeKang—waxes reassuring:
A few days ago, files from a contractor for Chinese police quietly dumped online went viral. But though analysts thought the files authentic, they weren’t 100% confident. Now, after a visit to the company’s offices, I can confirm the leak is real.
…
I visited I-Soon’s office in Chengdu. … Security was surprisingly lax — I was able to walk right in and up to the reception. … Employees told me that both the company and Chinese police are investigating how the files were leaked. … This is likely not China’s best and brightest hacking operation.
…
What this all adds up to so far is that these hacks of overseas networks and foreign states is actually for a domestic purpose: Controlling and stifling government critics, dissidents, and repressed minorities, such as Tibetans, Hong Kongers and Uyghurs. … For “social stability” and keeping Chinese citizens in line. … To regulate public opinion. … To keep the internet clean.
The solution? mikloskiss suggests isolation:
US industry: Stop off-shoring to China to make better margins and juice your stock price. You are killing America.
US consumers: Stop buying Made in China when there is an alternative—even if you have to pay more.
…
The job you may save one day may be your own. … China is not our friend.
Meanwhile, this Anonymous Coward has wider, higher concerns:
I’m concerned that with all this talk about cyber, Congress is going to take its eye off the ball, and lose interest in closing the balloon gap.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Alejandro Luengo (via Unsplash; leveled and cropped)