The I-Soon data leak, Chinese APTs, and implications for Southeast Asia

By Sylvie Truong, The Readable
Feb. 29, 2024 10:26AM GMT+9

On February 16, an unidentified individual uploaded data onto GitHub—a platform favored by software engineers—claiming that I-Soon, also known as Anxun in Mandarin, a Chinese IT security services firm, operates as an independent hacking contractor. The firm was accused of developing malicious software and conducting cyber espionage activities on behalf of the Chinese government.

Wu Haibo, the CEO of I-Soon and a renowned hacker recognized by the alias “Shutd0wn,” was previously a member of the “Green Army,” the first hacktivist group in China, established in 1997. Founded in Shanghai in 2010, I-Soon has since broadened its reach, establishing several subsidiaries throughout China. According to the Associated Press, conversations with two I-Soon employees revealed that Chinese officials are investigating the origins of the leaked files. Although the source of the leaks remains unknown, numerous cybersecurity experts deem the disclosed information to be credible.

Taiwanese security analyst @azakasekai_ first brought the I-Soon data leak to public attention and uncovered lists of victims that detail the scope of the data theft. The alleged victims span a range of sectors including government, telecommunications, healthcare, aviation, and academia across various countries. These countries include Afghanistan, Cambodia, Hong Kong, India, Indonesia, Kazakhstan, Kyrgyzstan, Malaysia, Mongolia, Myanmar, Nepal, Pakistan, Philippines, South Korea, Thailand, Turkey, Vietnam, Egypt, Nigeria, Rwanda, France, among others.

The leaked data comprises a diverse array of documents, such as product manuals for hacking services, descriptions of purported hacking tools, spreadsheets listing victims, internal correspondences among employees, marketing proposals, sales documents, and beyond. If verified, this data leak illuminates the role of Chinese companies in creating espionage technologies for the government and their participation in cyber espionage efforts.

APT41 is a notably active Chinese hacking collective, with key members presently on the wanted list of the United States Federal Bureau of Investigation (FBI). The acronym APT stands for Advanced Persistent Threat, denoting state-backed hacking groups. The FBI reports that APT41 has executed cyberattacks across an extensive array of sectors, such as government, defense, education, telecommunications, manufacturing, and social media. Their operations have targeted a wide range of countries, including but not limited to Australia, Brazil, Germany, Sweden, the United States, Tibet, Chile, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, and Thailand.

APT41 employs ShadowPad, a sophisticated type of malware, as one of its primary tools. ShadowPad is recognized as a component of the arsenal utilized by several Chinese APT groups, including APT41. In a significant event in 2023, ShadowPad was detected exfiltrating credentials and compromising computers in the national power grid of an undisclosed Asian country. Furthermore, it played a role in a cyberattack on India’s electrical grid and has been involved in cyber operations targeting critical infrastructure in Malaysia, Kazakhstan, Kyrgyzstan, Tajikistan, Uzbekistan, Pakistan, Afghanistan, and Europe.

In October 2023, Mei Danowski, a former intelligence analyst, pointed out in her analysis that Chengdu 404, a hacker-for-hire organization affiliated with APT41, had filed a lawsuit against I-Soon concerning an intellectual property dispute. This action implies potential associations between I-Soon and APT41. Notably, the U.S. Department of Justice had indicted three executives from Chengdu 404 in 2020, citing their participation in cyber intrusion activities and their connections to APT41.

On February 22, Will Thomas, a cyber threat analyst, released an analysis named “Lessons from the iSoon Leaks.” In this report, Thomas explores crucial links between I-Soon and recognized Chinese cyber threat entities. Through an examination of indicators of compromise (IoCs) derived from the leaked data, Thomas was able to pinpoint numerous connections. These IoCs act as evidence within the leaked information, illuminating possible ties to established cyber threat actors and malicious software.

Thomas pinpointed a connection through an Internet Protocol (IP) address (74.120.172[.]10) uncovered in the I-Soon data leak. This IP address is linked to a dubious phishing site and had been previously identified as an IoC in a 2019 report by CitizenLab, a research lab at the University of Toronto that investigates espionage activities. The IoC has been associated with the Chinese threat group POISON CARP, which is known for its connections to the Chinese Ministry of Public Security. Additionally, Thomas highlighted a linkage between I-Soon and the Chinese cyber threat entity JACKPOT PANDA. This connection was established through the IP address (8.218.67[.]52) found within the leaked data, an address that had been mentioned in a report by cybersecurity firm Trend Micro, which focused on the online gambling industry—a sector that I-Soon referenced in one of the leaked documents.
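The matching Thomas describes is, mechanically, a comparison of indicators found in the leak against indicators from earlier published reports. The following Python script is an added illustration of that step and is not part of the article or of Thomas's analysis: it undoes the usual defanging (`[.]`, `hxxp`) so values can be compared exactly, discards non-routable addresses that would only produce noise, and reports which indicators have a prior published match. The two IP addresses are the ones quoted above; the third address, the URL, and the lookup table are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input: indicators written defanged, as they appear in
# public reporting. The first two are the addresses named in the article; the
# third is a documentation-range address and the URL is a made-up non-IP value,
# both added here as controls.
LEAKED_INDICATORS = [
    "74.120.172[.]10",
    "8.218.67[.]52",
    "203.0.113[.]7",
    "hxxp://example[.]com/login",
]

# Constructed lookup table standing in for earlier published reporting. The
# attributions follow the article; the table itself is an assumption of this example.
PRIOR_REPORT_IOCS = {
    "74.120.172.10": "CitizenLab 2019 report (POISON CARP)",
    "8.218.67.52": "Trend Micro online-gambling report (JACKPOT PANDA)",
}


def refang(indicator: str) -> str:
    """Undo common defanging conventions so the value can be compared exactly."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[://]", "://").replace("[:]", ":")
    return s


def as_ipv4(value: str):
    """Return an IPv4Address if value is a valid dotted-quad, otherwise None."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return ip if ip.version == 4 else None


def correlate(indicators, prior_iocs):
    """Match refanged IPv4 indicators against a table of previously reported IoCs.

    Returns (matches, unmatched): matches maps address -> prior source; unmatched
    is a list of (value, reason) so nothing is silently dropped.
    """
    matches, unmatched = {}, []
    for raw in indicators:
        value = refang(raw)
        ip = as_ipv4(value)
        if ip is None:
            unmatched.append((value, "not an IPv4 address"))
        elif not ip.is_global:
            # Private, loopback and documentation ranges cannot be a real C2 or
            # phishing host on the public internet; treat them as noise.
            unmatched.append((value, "non-routable address"))
        elif str(ip) in prior_iocs:
            matches[str(ip)] = prior_iocs[str(ip)]
        else:
            unmatched.append((value, "no prior report"))
    return matches, unmatched


if __name__ == "__main__":
    found, rest = correlate(LEAKED_INDICATORS, PRIOR_REPORT_IOCS)
    for address, source in found.items():
        print(f"{address} -> previously reported in {source}")
    for value, reason in rest:
        print(f"{value}: {reason}")
```

Exact-match correlation like this only establishes that an address appears in both data sets; whether that reflects shared infrastructure, a shared hosting provider, or coincidence is the analytical judgement that reports such as Thomas's still have to make.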

Furthermore, Thomas discusses a white paper on one of I-Soon’s products, which details a malware controller named “Treadstone.” According to this document, Treadstone is engineered to integrate with Winnti malware. The Winnti Group is also recognized as APT41 within the cybersecurity community. This white paper also establishes connections to Chengdu 404. Lastly, another white paper on an I-Soon product that Thomas references indicates associations with known ShadowPad Command and Control servers (C2s). These malware C2s are crucial for hackers to manage and communicate with compromised computer systems.

Southeast Asia’s balancing act between cybersecurity and diplomacy

In the wake of the I-Soon data leak, Southeast Asia stands at a pivotal juncture where cybersecurity concerns and diplomatic relations converge. Despite mounting evidence pointing towards Chinese involvement in cyberattacks, numerous Southeast Asian countries are wary of openly assigning blame. Indeed, considering the deep economic connections many of these nations share with China, involving extensive investments in infrastructure projects, there is an acknowledged necessity to weigh cybersecurity issues against economic interests. This intricate situation presents a challenge for governmental decision-making, as authorities grapple with the dilemma of speaking out while trying to sidestep possible adverse outcomes.

Despite these challenges, however, there exists a silver lining in the form of an opportunity for collective action and strategic collaboration. The revelations brought to light by the data leak not only highlight the cybersecurity threats and concerns for regional stability but also pave the way for joint initiatives aimed at bolstering cybersecurity resilience. Thus, amidst the prevailing issues, there is a sense of optimism regarding the potential for productive dialogue and advancements within the cybersecurity domain in Southeast Asia.

The cover image of this article was designed by Areum Hwang. This article was reviewed by Dain Oh and copyedited by Arthur Gregory Willers.

Sylvie Truong is a regular contributor to The Readable. Her interest in cybersecurity began in 2015, while working as a biomedical research assistant at Columbia University’s Irving Medical Center. She worked in the Molecular Imaging and Neuropathology Division, analyzing data using various software programs. Due to her experience there, she developed an interest in cybersecurity and implementing better practices to protect personal data, valuable research information, and more. Sylvie holds a master’s degree in neuroscience and education from Columbia University.