Over the weekend, someone posted a cache of files and documents apparently stolen from I-Soon, a Chinese government hacking contractor.
The leak gives cybersecurity researchers and rival governments an unprecedented opportunity to look behind the scenes of a Chinese government hacking operation aided by private contractors.
Like the hack-and-leak operation that targeted Italian spyware maker Hacking Team in 2015, the I-Soon leak includes company documents and internal communications that show I-Soon was allegedly involved in hacking companies and government agencies in India, Kazakhstan, Malaysia, Pakistan, Taiwan, and Thailand, among others.
The leaked files were posted on the code-sharing site GitHub on Friday. Since then, observers of Chinese hacking campaigns have been mining the files in increasing numbers.
“This represents the most significant leak of data involving a company suspected of providing cyber espionage and targeted intrusion services for Chinese security services,” said Jon Condra, threat intelligence analyst at cybersecurity firm Recorded Future.
For John Hultquist, chief analyst at Google-owned Mandiant, the leak is “narrow, but deep,” he said. “We rarely get such unfettered access to the inner workings of any intelligence operation.”
Dakota Cary and Aleksandar Milenkoski, analysts at cybersecurity firm SentinelOne, wrote in a blog post that “this leak provides the first look of its kind at the internal operations of a state-affiliated hacking contractor.”
And ESET malware researcher Mathieu Tartare said the leak “could help intel analysts connect some of the compromises they’ve seen to I-Soon.”
One of the first people to dig into the leak was a Taiwanese threat intelligence researcher who goes by Azaka. On Sunday, Azaka posted a long thread on X, formerly Twitter, analyzing some of the documents and files, which appear to date back as recently as 2022. The researcher highlighted spying software developed by I-Soon for Windows, Mac, iPhone and Android devices, as well as hardware hacking tools designed for use in real-world situations to crack Wi-Fi passwords, track Wi-Fi devices, and disrupt Wi-Fi signals.
“Our researchers have finally confirmed that this is how things work out there and that APT groups work just like all of us regular employees (except they are being paid a lot more). The scale is large enough that there is an attractive market for breaking into large government networks,” Azaka told TechCrunch. APTs, or advanced persistent threats, are usually government-backed hacking groups.
According to the researchers’ analysis, the documents show that I-Soon was working for China’s Ministry of Public Security, Ministry of State Security, and the Chinese Army and Navy; I-Soon also provided and sold its services to local law enforcement agencies across China to help target minorities such as Tibetans and Uighurs, the Muslim community living in China’s western region of Xinjiang.
Documents link I-Soon to APT41, a Chinese government hacking group that has reportedly been active since 2012, targeting various industries across the globe, including the healthcare, telecommunications, technology, and video game industries.
Additionally, an IP address found in the I-Soon leak hosted a phishing site that digital rights organization Citizen Lab saw used against Tibetans in a hacking campaign in 2019; Citizen Lab researchers at the time named the hacking group “Poison Carp.”
Azaka, as well as others, found chat logs between I-Soon employees and management, some of them extremely mundane, such as employees talking about gambling and playing the popular Chinese tile-based game Mahjong.
Cary highlighted documents and chats that show how much – or how little – I-Soon employees are paid.
Contact Us
Do you know more about I-Soon or Chinese government hacks? From a non-work device, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, via Telegram, Keybase and Wire @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.
“They’re being paid $55,000 [US] — in 2024 dollars — to hack the Economy Ministry of Vietnam. That’s not a huge amount of money for such a target,” Cary told TechCrunch. “It makes me think about how cheap it is to run an operation against high-value targets for China. And what it says about the nature of the organization’s security.”
According to Cary, the leak also shows that researchers and cybersecurity firms should be careful about predicting the future actions of mercenary hacking groups based on their past activity.
“This shows that a threat actor’s past targeting behavior, particularly when they are Chinese government contractors, is not indicative of their future targets,” Cary said. “So it’s not useful to look at this organization and say, ‘Oh, they’ve only hacked the healthcare industry, or they’ve hacked X, Y, Z industry, and they hack these countries.’ They are reacting to what [government] agencies are requesting. And those agencies may request something different. They may get business with a new bureau and a new location.”
The Chinese Embassy in Washington, DC did not respond to a request for comment.
An email sent to I-Soon’s support inbox went unanswered. Two anonymous I-Soon employees told the Associated Press that the company held a meeting on Wednesday and told employees that the leak would not impact their business and that they would “continue to operate as normal.”
At this point, there is no information about who leaked the documents and files and posted them to GitHub, which has since removed the leaked cache from its platform. But many researchers agree that the most likely explanation is a disgruntled current or former employee.
“The people who put this leak together gave it a table of contents. And the leaked table of contents shows employees complaining about low wages, the financial conditions of the business,” Cary said. “The leak is designed to embarrass the company.”