#ISoon

2025-06-13

Private Contractor Linked to Multiple Chinese State-Sponsored Groups

A recent leak from I-SOON, a Chinese IT and cybersecurity company, has revealed connections to several state-sponsored cyber groups including RedAlpha, RedHotel, and Poison Carp. The leak exposes a sophisticated espionage network involving the theft of communications data for individual tracking. Analysis confirms operational and organizational ties between I-SOON and these groups, highlighting I-SOON's role as a digital quartermaster providing shared cyber capabilities in China's aggressive cyber ecosystem. Despite the leak, I-SOON is expected to continue operations with minor adjustments. The revelation enhances understanding of Chinese cyber espionage and may impact future US legal actions against I-SOON operatives.

Pulse ID: 684c80bf12cda0093015c01e
Pulse Link: otx.alienvault.com/pulse/684c8
Pulse Author: AlienVault
Created: 2025-06-13 19:49:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #Chinese #CyberSecurity #Espionage #ISoon #InfoSec #OTX #OpenThreatExchange #RAT #bot #AlienVault

2025-03-14

The evolution of spyware for iOS

Sysdiagnose's capabilities for computer forensics on iOS

Among some users there is a widespread belief that iOS smartphones are better protected against backdoors and malware than Android smartphones. This is partly true. Software in the App Store catalogue is moderated more strictly, so ordinary citizens have less chance of picking up malware. But in terms of vulnerabilities, iOS is in no way behind other operating systems, and malicious programs for it are created regularly. Commercial spyware is developed for iOS and used at the state level against specific citizens: civil activists, journalists, businesspeople. It relies on more interesting vulnerabilities and more sophisticated exploits than ordinary trojans do. Detecting such malware requires special tools.

habr.com/ru/companies/globalsi

#iOS #Pegasus #Predator #iCloud #Advanced_Data_Protection #сквозное_шифрование #E2E #эксплоиты #0day #iPhone #0Click #1Click #NSO_Group #iSoon #Hermit #Mobile_Verification_Toolkit #MVT #форензика #компьютерная_криминалистика #Sysdiagnose #режим_блокировки

iam-py-test (iampytest1@infosec.exchange)
2025-03-07
2024-10-21

NHK documentary "Tracking China's Leaked Documents"

Thanks to the netizen who kindly translated it and provided subtitles.

A documentary produced by Japan's NHK that reveals in detail how the Chinese government's state-security apparatus works together with private cybersecurity companies to steal other governments' secrets and steer public opinion on social media.

It runs 45 minutes, with not a dull moment:

1. i-Soon (Anxun) attempts to hack into National Chengchi University
2. i-Soon steals internal EU data
3. Analysis of China's government-private cooperation model
4. China's infiltration of overseas democracy-activist communities
5. A new form of warfare: cognitive warfare
6. Fake Dcard accounts used to orchestrate street demonstrations
7. How fake accounts manipulate public opinion on social platforms
8. Taiwan's Ministry of Justice's defences against cognitive warfare

Please share.

#NHK
#安洵文件
#isoon

youtube.com/watch?v=YTkpV0Zw13

Prof. Dr. Dennis-Kenji Kipker (kenji@chaos.social)
2024-08-05

The BfV has now published details on the #iSoon leak that once again underline the professionalisation of private Chinese cyber attackers: a shadow economy that scouts out high-value targets in advance and then attacks them in a targeted, tactical way:
verfassungsschutz.de/SharedDoc

2024-04-05

Our second speaker, Petteri Nakamura, is on stage with the "Hacking as a Service. What to Learn from the Data Leak of a Chinese State Affiliated APT Actor" talk

#TurkuSec #isoon #leak

Chuck Darwin (cdarwin@c.im)
2024-03-29

Western governments struggle to coordinate response to Chinese hacking

#Chinese #hacking attempts are not isolated events. Rather, they constitute the #ecosystem in which all western governments must navigate their relationships with Beijing.

In a report published on 27 March, Google said China “continues to lead the way for government-backed exploitation”.
#APT31 alone has been linked to hacks in France, Finland and of Microsoft, while New Zealand said this week that another well-known Chinese hacking outfit, #APT40, attacked its parliament in 2021 (the Chinese embassy in New Zealand denied the allegations).

A recent leak of data from the Chinese cybersecurity firm #iSoon revealed the extent to which China’s hackers for hire compete for government contracts,
sometimes hoovering up data from foreign agencies "on spec" with the hope of selling it to the highest bidder.
In the case of APT31, the US Department of Justice alleges that the hacking operation was💥 directly run by a provincial department of China’s ministry of state security.💥
But in general, said Mei #Danowski, a China cybersecurity expert and author of the "Natto Thoughts" newsletter,
🔸nearly every cybersecurity firm in China 🔸would have some sort of contract with government clients.
With a cybersecurity industry worth an estimated $13bn, that is a lot of potential hackers.

That leaves western governments struggling to coordinate an effective response to hacks or hacking attempts.
In many cases, the Chinese government has #plausible #deniability about responsibility, and it is not always clear what the impact of data breaches is.
Audrye #Wong, an assistant professor at the University of Southern California, said that while #Russian-based hacks often “sow discord and chaos”, #China was “more cautious” and “still very much cares about shaping perceptions of China and the Chinese Communist party”.

Many western international security experts refer to the maxim that while Russia may be the storm, China is climate change.

theguardian.com/world/2024/mar

2024-03-25

TurkuSec April Meetup

Date: 05.04.2024 (Friday)
Time: 17:45 – Onwards
Venue: SparkUp Turku (Tykistökatu 4B)

"Digital natives are not cybersecurity natives" by Joel Latto

“Hacking as a Service. What to Learn from the Data Leak of a Chinese State Affiliated APT Actor” by Petteri Nakamura

More info: turkusec.fi/turkusec-april-mee

#TurkuSec #Meetup #Turku #cybersecurity #awareness #isoon

Prof. Dr. Dennis-Kenji Kipker (kenji@chaos.social)
2024-03-21

Today on the 6 pm news on #SAT1 and the 7 pm news on #ProSieben, the topic of the day: a #TikTok ban. Does the #Bundesregierung have enough in hand to impose a general #Verbot (ban) on the social media app? One thing is clear in any case: if the Chinese state wants to conduct espionage, it can and will do so even without TikTok, and we saw that more than clearly with the recent revelations about the private hacking firm #Isoon just a few weeks ago.

2024-03-20

Recorded Future publishes a 24-page report on i-SOON and their connections to offensive cyberespionage operations attributed to RedHotel, RedAlpha and POISON CARP. The links indicate that they are likely sub-teams focused on specific missions within the same company. i-SOON's victims span 22 countries, with government, telco and education being the most targeted sectors. i-SOON also supports domestic operations, including the targeting of ethnic and religious minorities and the online gambling industry. i-SOON very likely uses and sells access to custom malware families like Winnti and ShadowPad. IOCs provided. 🔗 recordedfuture.com/attributing

#ISOON #cyberespionage #China #APT #threatintel #IOC #redhotel #redalpha #poisoncarp #winnti #shadowpad

Hunt & Hackett (huntandhackett)
2024-03-11

New post!

Our latest blog post dives into the recent leak, shedding light on China's expansive hacker-for-hire ecosystem. The leak, comprising over 500 files, unveils iSoon's operations, challenging many preconceptions within the cybersecurity community.

1/🧵

2024-03-01

A comprehensive analysis of I-Soon's commercial offering

harfanglab.io/en/insidethelab/

#china #isoon

Joseph Lim (joseph11lim)
2024-02-29

for sale: what we know about ’s massive I-Soon cyber leak
"Government agencies fr ’s neighbours, including Kyrgyzstan, , Cambodia, Mongolia & Vietnam, had websites or email servers compromised, the revealed. There are long lists of , fr British govt departments to ministries. staff also boasted in leaked chats tt they secured access to providers in Pakistan, Kazakhstan, Mongolia, Thailand & Malaysia"
hongkongfp.com/2024/02/24/hack

Hunt & Hackett (huntandhackett)
2024-02-27

The leak exposed 's espionage tools, such as a Twitter (now X) stealer for login credentials, custom Remote Access Trojans (RATs) for Windows, and several types of hardware, including advanced spyware for mobile devices.

4/🧵

Hunt & Hackett (huntandhackett)
2024-02-27

The leaked documents revealed providing hacking and data-gathering services to Chinese government agencies. It appears the company’s main client is the Chinese Ministry of Public Security.

2/🧵

Hunt & Hackett (huntandhackett)
2024-02-27

Leaked documents provide rare insight into Chinese state-sponsored

On February 16, a whistleblower leaked numerous documents on GitHub exposing the operations of , a Shanghai-based company tied to Chinese state-sponsored hacking.

1/🧵

Prof. Dr. Dennis-Kenji Kipker (kenji@chaos.social)
2024-02-27

Everything is for sale: the price list of the Chinese hacking company I-Soon, published on GitHub a few days ago under circumstances that remain unexplained, shows in more than impressive fashion the depths of state-financed cyber attacks, and the competitive pressure is enormous. My assessment in STERN: stern.de/politik/ausland/die-p #cybersecurity #isoon #china
