
Leaked docs confirm private security firm is working for the Chinese government

Recently leaked documents from a private security company in Shanghai reveal the intricate makeup of China’s espionage network.
Francis Scialabba

When Beijing calls, hackers in Shanghai answer. Recently leaked documents from I-Soon confirm that the Shanghai-based firm has worked with Chinese agencies on operations against government agencies, telecommunications companies, and others, including people living in Xinjiang—China’s autonomous region—where authorities have suppressed, monitored, and detained Uyghur Muslims.

On Feb. 23, IT Brew discovered that the repository containing the files had been disabled, with GitHub stating that access was disabled by staff due to “a violation of GitHub’s terms of service.”

I-Soon has contracts with multiple Chinese agencies, including the Ministry of Public Security (MPS), the Ministry of State Security, and the People’s Liberation Army, according to a report from SentinelOne.

IT Brew contacted MPS for a statement but was unable to reach the ministry after multiple emails were rendered undeliverable.

“It’s clear that multiple bureaus of the Ministry of Public Security, China’s domestic-focused security agency, are the main clients of this firm,” Dakota Cary, a China-focused consultant at SentinelOne, told IT Brew.

What’s inside? A GitHub user first created a repository on Feb. 16, eventually uploading over 500 documents, including WeChat messages, marketing materials, and rows of data, as well as account numbers, bank names, usernames, passwords, and device information relating to telecom companies in South Korea and Kazakhstan. The Washington Post also reported that I-Soon targeted at least 20 foreign governments and territories, including India, Taiwan, Hong Kong, Thailand, South Korea, and the United Kingdom.

IT Brew also observed data collected on Kazakhtelecom, a telecommunications company in Astana, Kazakhstan that employs around 30,000 people.

“Call data records are really good for mapping relationships between individuals,” Cary said. “That is one of the express reasons that they are typically collected. It’s very likely that they have an intelligence requirement or somebody paid and requested of them to try and define a relationship between individuals of interest.”

It is unclear exactly why I-Soon would need to gather sensitive data from telecommunications companies or customers in Kazakhstan or Kyrgyzstan, but Cary said the data collection on the latter may have been related to state government interest in oil contracts, based on one of the leaked conversations.

The leak also contained odd tidbits of information, like I-Soon employees’ grumblings about low pay and screenshots showing prices for Shanghai Disneyland Resort.

In the leak, the security firm also boasted about past counterterrorism work targeting Pakistan and Afghanistan as it sought to offer services in Xinjiang, according to the SentinelOne report.

“But suffice to say, they’re basically applying to this MPS bureau to say, ‘Look, we can hack into targets that you want access to, and we have a history of being able to do this,’” Cary said. He also noted that the firm advertised the ways in which they’ve implemented identity and contact tracing across platforms, using Tibet as an example.

Leaked photos and text also revealed that I-Soon is marketing a device that, on the surface, looks like a typical power bank. The device, however, allows threat actors to infiltrate a victim’s network and transfer data back to the hackers.

Azaka Sekai, a Taiwan-based threat intelligence researcher, posted a thread on X—formerly known as Twitter—writing about some of I-Soon’s spyware and software features, one of those being that the firm could provide real-time monitoring of X accounts, publish tweets on behalf of the targeted user, delete posts, read DMs, repost, and more. “These attacks have been going under the general public’s noses for quite a while,” Sekai told IT Brew via Signal. “We are not surprised by the scale of the attacks and number of affected organizations.”

“When we’re thinking about the impact on the [information ops] space, this is a direct blow to the narrative that China has been trying to change for the last two years,” Cary added.