chinese hacking group operation

As revelations about iSoon, a private Chinese IT security firm, emerge from a significant data leak, it’s clear that this company plays a crucial role in China’s cyber espionage landscape. Based in Shanghai, iSoon, also known as Anxun Information Technology, operates as a hacking-for-hire entity, contracting with key Chinese government agencies, including the Ministry of Public Security and the Ministry of State Security. This strategic partnership enables the firm to engage in surveillance and espionage against foreign governments and dissidents, often targeting sensitive sectors like telecommunications and education.

The recent data leak on GitHub in February 2024 unveiled extensive insights into iSoon’s operations. The leaked documents, confirmed authentic by researchers and an iSoon employee, included sales materials, chat logs, and details about cyber espionage tools. This unprecedented disclosure sheds light on the intricate web of China’s cyber espionage ecosystem, revealing how private firms like iSoon contribute to state-sponsored activities. The leaked data included over 500 files that provide researchers with detailed operational information about the firm.

Despite the leak’s media coverage, it’s likely that iSoon’s operations will remain largely unaffected, given its entrenched role in these activities. Moreover, iSoon’s connections to Chinese Advanced Persistent Threat (APT) groups like RedHotel, RedAlpha, and Poison Carp further complicate the landscape. The leak demonstrated overlaps in malware infrastructure and tactics, indicating a long-standing collaboration that dates back to 2015.

iSoon’s entrenched role in cyber espionage ensures its operations remain resilient, despite recent revelations and connections to APT groups.

For instance, iSoon’s credential phishing campaigns mirror those conducted by RedAlpha, suggesting a shared toolkit among these entities. This intertwining of operations not only complicates attribution but also highlights the cooperative yet competitive nature of the private hacking landscape in China.

The firm’s global targets span at least 22 countries, showcasing its reach and ambition. With tools such as Treadstone and ShadowPad, iSoon executes operations that include financially motivated hacking and ransomware campaigns. Notably, documents indicate that iSoon has also targeted NATO, signaling its focus on high-profile international organizations.

The firm’s support for the surveillance of dissidents and ethnic minorities across Asia further emphasizes its broad objectives. In this context, iSoon represents a pivotal player in the Chinese hacking ecosystem, where private companies increasingly take on roles traditionally held by government entities.

As the Chinese government outsources cyber operations to firms like iSoon, the landscape continues to evolve, making it essential for global stakeholders to remain vigilant against these sophisticated threats.
