China I-Soon Data Leak Details

Data taken from a China-based cybersecurity vendor known to work closely with the Chinese government has recently come to light, revealing a wide range of hacking tools and services. The source of the disclosure has not been confirmed, but it appears to be a deliberate leak by a disgruntled member of the group.

The vendor under scrutiny, i-Soon (also known as Anxun), is believed to operate as a private contractor, an Advanced Persistent Threat (APT)-for-hire, providing its services to China’s Ministry of Public Security (MPS).

The leaked data is organized into several groups, encompassing complaints about the company, chat records, financial information, products, employee details, and information regarding foreign infiltration. According to the exposed data, i-Soon has successfully infiltrated numerous government departments, including those of India, Thailand, Vietnam, South Korea, and NATO.

Noteworthy tools utilized by i-Soon include:

  • Twitter (now X) Stealer: Offers features such as acquiring the user’s Twitter email address and phone number, real-time monitoring, reading private messages, and posting tweets on the user’s behalf.
  • Custom Remote Access Trojans (RATs) for Windows x64/x86: Equipped with process, service, and registry management, a remote shell, keylogging, file-access logging, system information collection, remote disconnection, and self-uninstallation.
  • iOS version of the RAT: Claimed to support all iOS device versions without jailbreaking, collecting hardware information, GPS data, contacts, and media files, with real-time audio recording offered as an extension (Note: this material dates back to 2020).
  • Android version: Capable of extracting messages from popular Chinese chat apps such as QQ, WeChat, Telegram, and MoMo. It can elevate itself to a system app so that it persists through the device’s internal recovery.
  • Portable devices for network attacks: Designed for launching network attacks from inside a target network.
  • Special equipment for operatives working abroad: Intended to establish secure communication.
  • User lookup database: Contains phone numbers, names, and email addresses correlated with social media accounts.
  • Targeted automatic penetration testing scenario framework.

While some of the information is dated, the leaked data provides an insider’s view of the operations of a leading spyware vendor and APT-for-hire.

This revelation is expected to unsettle the affected entities, potentially prompting a reassessment of diplomatic relations and highlighting weaknesses in the national security apparatus of several countries.

The implications of this leak extend beyond immediate cybersecurity concerns. It raises questions about the relationship between private contractors and government entities in the realm of cyber warfare. The blurred lines between state-sponsored activities and for-hire operations underscore the need for a robust international framework to address and regulate cyber threats.

Given the complexity of the situation, the repercussions may be significant. The affected countries, including India, Thailand, Vietnam, South Korea, and NATO members, may reassess their cybersecurity strategies and diplomatic ties in response to the breach.

The leak also serves as a reminder of the ongoing challenges in maintaining the security of sensitive information. As technology continues to advance, the tools available to malicious actors become increasingly sophisticated. This incident emphasizes the need for constant vigilance, adaptive security measures, and international collaboration to counter emerging threats effectively.

Not all of the material has been examined yet, as there is a substantial amount and translation poses a significant challenge. Updates will follow if further noteworthy information emerges. The global cybersecurity community will likely watch developments closely, as the repercussions of this leak may extend well beyond the initial exposure of hacking tools and services.