Data leak from Shanghai-based i-Soon (Anxun) cybersecurity firm reveals potential workings of a Chinese government-backed hacking group. (Kagenmi from Thinkstock.com)
A data leak from a Shanghai-based cybersecurity firm, i-Soon (also known as Anxun), has led researchers to speculate that it has exposed the operations of a Chinese government-backed hacking group. The company, which reportedly does contract work for various Chinese government departments, including the Ministry of Public Security, Ministry of State Security, and the People's Liberation Army, had over 500 documents published on GitHub last weekend.
According to SentinelOne, the leaked documents provide concrete details about the maturing nature of China's cyber espionage ecosystem and how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire. While the source of the leak is not entirely clear, Malwarebytes researchers suggest it may have been a disgruntled staff member.
The documents reveal that i-Soon has been responsible for compromising at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO. They also show that i-Soon competes for low-value hacking contracts from various government agencies. The company's tools include a Twitter stealer, custom Remote Access Trojans (RATs) for Windows and iOS, and an Android version capable of extracting messages from popular Chinese chatting apps.
The leaked documents also include marketing materials and technical documents that demonstrate how the company's products function to compromise and exploit targets. Some documents show i-Soon's involvement in counterterrorism work, including past hacks targeting counterterrorism centers in Pakistan and Afghanistan.
While the leaked documents may have been intended to embarrass the company, they also raise important questions for the cybersecurity community. For defenders and business leaders, the lesson is that their organization's threat model likely includes underpaid technical experts who may pilfer valuable information. This should serve as a wakeup call and a call to action for organizations to bolster their cybersecurity defenses.
