The recent disclosure of data from i-SOON, a leading entity in China's cybersecurity domain, highlights the intricate interplay between state-sponsored cyber activities and the burgeoning private cybersecurity industry within the country. 
Mark De Boer
February 26, 2024

https://www.cybernewscentre.com/plus-content/content/leaked-i-soon-data-reveals-ties-to-chinas-cyber-espionage


i-SOON's Role in China's Cyber Espionage Network

This incident sheds light on the sophisticated nature of China's cyber espionage endeavours, revealing a commercial dimension where government agencies outsource espionage tasks to the competitive cybersecurity market.

i-SOON, based in Shanghai and recognized for its cybersecurity training programs, has been implicated in several cyber intrusions targeting government systems in the UK and Asia, as evidenced by over 500 documents leaked on GitHub. 

These documents underscore the company's role in cyberespionage campaigns at the behest of Chinese government agencies, showcasing a less public facet of its operations that involves conducting and maintaining cyberespionage efforts.

This revelation is particularly significant in the context of the escalating cyber threats from organised and sometimes state-backed entities. 

The Australian government, along with the Five Eyes intelligence alliance and institutions such as the Australian Cyber Security Centre and the Australian Signals Directorate, has been emphasising the need for heightened vigilance against foreign interference and cyber threats. 

The strategy underscores a comprehensive approach towards bolstering cyber defences, enhancing threat intelligence sharing, and implementing stringent cybersecurity measures to safeguard national interests and critical infrastructure.

The Inner Workings: i-SOON's Corporate Struggles and Government Ties

The i-SOON data leak provides concrete evidence of the complex ecosystem supporting China's cyber espionage operations, revealing the extent to which private companies are engaged in activities that align with state objectives. 

This scenario reflects a broader trend where cyber warfare and espionage are increasingly outsourced to private sector entities, thereby blurring the lines between state and non-state actors in the cyber domain.

Security experts who reviewed the leaked data say they believe the information is legitimate, and that i-SOON works closely with China’s Ministry of Public Security and the military. In 2021, the Sichuan provincial government named i-SOON as one of “the top 30 information security companies.”

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” said Dakota Cary, a China-focused consultant at the security firm SentinelOne. 

“It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”

The strategic implications of such revelations are profound, underscoring the necessity for nations, especially those within the Five Eyes alliance, to reassess their cybersecurity postures and collaborative efforts in countering state-sponsored cyber activities. 

Mei Danowski is a former intelligence analyst and China expert who now writes about her research in a Substack publication called Natto Thoughts.

Danowski said i-SOON has achieved the highest secrecy classification that a non-state-owned company can receive, which qualifies the company to conduct classified research and development related to state security.

i-SOON’s “business services” webpage states that the company’s offerings include public security, anti-fraud, blockchain forensics, enterprise security solutions, and training. 

Danowski noted that, indeed, among the documents apparently leaked from i-SOON is a sales pitch slide boldly highlighting the hacking prowess of the company's "APT research team".

The leaked documents from i-SOON, including in-depth conversations among its founders, reveal the company's struggles with declining sales and the imperative to secure more staff and government contracts. 

Mei Danowski highlighted that CEO Wu Haibo is a renowned figure in the Chinese hacking community, known for his early involvement with the Green Army hacktivist group. 

i-SOON CEO Wu Haibo, in 2011. Source: nattothoughts.substack.com.

The documents also touch on a legal battle between i-SOON and Chengdu 404, a firm implicated by the U.S. Department of Justice for concealing cyber intrusions linked to the notorious APT 41.

Danowski's insights suggest a fiercely competitive cybersecurity industry in China, marked by companies vying for talent and contracts, blurring the distinctions among different APT groups. 

The leak uncovers i-SOON's ambiguous role in this competitive landscape, possibly contributing to or being part of the APT designation through activities such as targeting specific groups identified in a Citizen Lab report.

The dialogue within the leaked files reveals i-SOON's efforts to bolster its workforce through hacking competitions and attempts to maintain morale despite the company's challenging work environment and the employees' grievances over pay and working conditions. 

The timing of the leak, right after the Chinese New Year, and the registration of the Protonmail account used for the leak suggest a disgruntled employee's deliberate action.

International Ramifications: Shifting the Global Cybersecurity Landscape

This incident underscores the information asymmetry benefiting China, facilitated by the Great Firewall, and highlights the rarity and value of such data leaks to Western security researchers. 

SentinelOne's Dakota Cary expressed enthusiasm over the leak, emphasising the scarcity and significance of obtaining such insights from within China's closely guarded cyber landscape.

The year 2023 witnessed several major cybersecurity incidents that underscore the pervasive threat of state-sponsored and organised cybercrime. 

Notably, the DP World port attack and the 2022 Optus hack exemplify the types of sophisticated cyberattacks that can potentially originate from state-backed foreign organised crime syndicates. 

These events have propelled the Australian government and its allies to mandate more stringent cybersecurity protocols and to advocate for a cooperative international stance against cyber threats.

The Australian Cyber Security Centre and the Australian Signals Directorate's emphasis on caution regarding foreign interference is indicative of a larger, global need to address the sophisticated and evolving nature of cyber threats emanating from organised entities, including those backed by state actors.

At A Glance

  • Leaked i-SOON data reveals ties to China's cyber espionage, blending state-sponsored activities with the private cybersecurity sector.
  • Documents show i-SOON's cyber intrusions for the Chinese government, highlighting the commercial side of cyber espionage.
  • Leak indicates competitive cybersecurity industry in China, with i-SOON's role in APT activities and struggles with employee morale.
  • Incident exposes information asymmetry advantage of China, emphasising the significance of such leaks for Western security research.
