Unmasking I-Soon | The Leak That Revealed China's Cyber Operations

The leak from I-Soon, a company contracting for various Chinese government agencies including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army, occurred over the weekend of February 16th. The source of the leak and motives behind it remain unknown, but it offers unprecedented insight into the operations of a state-affiliated hacking contractor. While the authenticity of the documents is still being verified, they confirm existing threat intelligence and illustrate the competitive landscape of China’s cyber espionage ecosystem, driven by government targeting requirements.

I-Soon, whose employees express dissatisfaction with low pay and engage in office gambling, is implicated in compromising at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO. The leaked documents align with prior threat intelligence on several known threat groups. Notably, the leak reveals the company's pursuit of low-value hacking contracts from numerous government agencies, challenging assumptions about the predictability of future targets based on historical data.

The leaked data, rapidly disseminated through machine translation tools, has enabled a broader range of analysts to examine and extract findings. While geographically-specialized analysis remains valuable, the barrier to entry for interpreting such data has significantly decreased.

Security Officer Comments:
Initial observations indicate that the leaked documents include marketing materials, technical documents showcasing the company's offensive capabilities, and internal communications. The company boasts about past counterterrorism work in Xinjiang and lists other terrorism-related targets it has hacked. Technical documentation displays custom hardware surveillance devices and offensive toolkits, confirming the company's focus on hacking-for-hire and offensive operations.

The leaked information provides indicators of suspected Chinese cyberespionage activities previously observed by the threat intelligence community. The relationships between these indicators and past intrusions are still under evaluation. Some leaked documents detail the fees earned by hacking specific organizations, highlighting the financial incentives driving such operations. Employees express frustration over pay and express desires to seek employment elsewhere.

Suggested Corrections:
Overall, the leak raises important questions for the cybersecurity community and underscores the evolving nature of state-affiliated cyber operations in China.