A recent data breach involving Shanghai-based cybersecurity company i-Soon, also known as Anxun, has spotlighted the intricate web of China's state-sponsored cyber espionage activities. SentinelOne researchers have unravelled this web, revealing that i-Soon, a contractor for various Chinese government entities such as the Ministry of Public Security, Ministry of State Security, and the People’s Liberation Army, plays a central role in orchestrating sophisticated hacking operations.
Over the weekend, an astonishing cache of more than 500 internal company documents found its way onto GitHub, offering an unprecedented peek into the mechanics of a Chinese government-backed hacking group. These documents, SentinelOne notes, provide "some of the most concrete details seen publicly to date," illustrating the maturity and complexity of China's cyber espionage ecosystem. The leak, speculated to originate from a disgruntled employee within i-Soon, exposes the company's competitive drive in the marketplace for hackers-for-hire, directly influenced by governmental targeting directives.
The contents of the leaked documents are as revealing as they are concerning. They detail i-Soon's involvement in cyber operations against at least 14 governments, pro-democracy organizations in Hong Kong, universities, and even NATO, aligning with prior intelligence on several known threat actors. SentinelOne's analysis paints a picture of i-Soon as a contender in a low-bid hacking contract arena, fulfilling multiple Chinese government agencies' diverse cyber espionage demands.
The arsenal of tools and tactics at i-Soon's disposal is extensive and sophisticated. The leak outlines a variety of malicious capabilities, including a Twitter (now X) account stealer capable of extensive surveillance and impersonation, custom Remote Access Trojans (RATs) for multiple operating systems, specialized equipment for internal network attacks, and comprehensive user lookup databases for social engineering. Moreover, the documents divulge i-Soon's marketing efforts and technical prowess, boasting about its counterterrorism hacking credentials and showcasing custom hardware designed for clandestine data exfiltration.
SentinelOne's report highlights the technical aspects and the human element of cyber espionage. The leaked documents expose employee grievances over low pay and an office culture that trivializes serious security work, juxtaposing the high stakes of their operations against the mundane realities of their work environment.
This leak embarrasses i-Soon and prompts significant introspection within the cybersecurity community. It challenges previous attributions and forces a reassessment of the threat landscape shaped by Chinese cyber operations. For businesses and cybersecurity defenders, the revelations serve as a stark reminder of the complex, often underappreciated threats posed by well-funded but internally conflicted cyberespionage groups.
The i-Soon data leak marks a critical moment in cybersecurity, offering a rare glimpse into the shadowy world of state-sponsored hacking. It underscores the urgent need for robust cyber defences and international cooperation to mitigate the risks posed by such formidable adversaries. As the global community digests the implications of these revelations, the incident reaffirms the importance of vigilance and proactive security measures in the ever-evolving cyber threat landscape.