Login
A new data leak that appears to have come from one of Chinaβs top private cybersecurity firms provides a rare glimpse into the commercial side of Chinaβs many state-sponsored hacking groups. Experts say the leak illustrates how Chinese government agencies increasingly are contracting out foreign espionage campaigns to the nationβs burgeoning and highly competitive cybersecurity industry.
A marketing slide deck promoting i-SOONβs Advanced Persistent Threat (APT) capabilities.
A large cache of more than 500 documents published to GitHub last week indicate the records come from i-SOON, a technology company headquartered in Shanghai that is perhaps best known for providing cybersecurity training courses throughout China. But the leaked documents, which include candid employee chat conversations and images, show a less public side of i-SOON, one that frequently initiates and sustains cyberespionage campaigns commissioned by various Chinese government agencies.
The leaked documents suggest i-SOON employees were responsible for a raft of cyber intrusions over many years, infiltrating government systems in the United Kingdom and countries throughout Asia. Although the cache does not include raw data stolen from cyber espionage targets, it features numerous documents listing the level of access gained and the types of data exposed in each intrusion.
Security experts who reviewed the leaked data say they believe the information is legitimate, and that i-SOON works closely with Chinaβs Ministry of Public Security and the military. In 2021, the Sichuan provincial government named i-SOON as one of βthe top 30 information security companies.β
βThe leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of Chinaβs cyber espionage ecosystem,β said Dakota Cary, a China-focused consultant at the security firm SentinelOne. βIt shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.β
Mei Danowski is a former intelligence analyst and China expert who now writes about her research in a Substack publication called Natto Thoughts. Danowski said i-SOON has achieved the highest secrecy classification that a non-state-owned company can receive, which qualifies the company to conduct classified research and development related to state security.
i-SOONβs βbusiness servicesβ webpage states that the companyβs offerings include public security, anti-fraud, blockchain forensics, enterprise security solutions, and training. Danowski said that in 2013, i-SOON established a department for research on developing new APT network penetration methods.
APT stands for Advanced Persistent Threat, a term that generally refers to state-sponsored hacking groups. Indeed, among the documents apparently leaked from i-SOON is a sales pitch slide boldly highlighting the hacking prowess of the companyβs βAPT research teamβ (see screenshot above).
i-SOON CEO Wu Haibo, in 2011. Image: nattothoughts.substack.com.
The leaked documents included a lengthy chat conversation between the companyβs founders, who repeatedly discuss flagging sales and the need to secure more employees and government contracts. Danowski said the CEO of i-SOON, Wu Haibo (βShutdownβ in the leaked chats) is a well-known first-generation red hacker or βHonker,β and an early member of Green Army β the very first Chinese hacktivist group founded in 1997. Mr. Haibo has not yet responded to a request for comment.
In October 2023, Danowski detailed how i-SOON became embroiled in a software development contract dispute when it was sued by a competing Chinese cybersecurity company called Chengdu 404. In September 2020, the U.S. Department of Justice unsealed indictments against multiple Chengdu 404 employees, charging that the company was a facade that hid more than a decadeβs worth of cyber intrusions attributed to a threat actor group known as βAPT 41.β
Danowski said the existence of this legal dispute suggests that Chengdu 404 and i-SOON have or at one time had a business relationship, and that one company likely served as a subcontractor to the other.
βFrom what they chat about we can see this is a very competitive industry, where companies in this space are constantly poaching each othersβ employees and tools,β Danowski said. βThe infosec industry is always trying to distinguish [the work] of one APT group from another. But thatβs getting harder to do.β
It remains unclear if i-SOONβs work has earned it a unique APT designation. But Will Thomas, a cyber threat intelligence researcher at Equinix, found an Internet address in the leaked data that corresponds to a domain flagged in a 2019 Citizen Lab report about one-click mobile phone exploits that were being used to target groups in Tibet. The 2019 report referred to the threat actor behind those attacks as an APT group called Poison Carp.
Several images and chat records in the data leak suggest i-SOONβs clients periodically gave the company a list of targets they wanted to infiltrate, but sometimes employees confused the instructions. One screenshot shows a conversation in which an employee tells his boss theyβve just hacked one of the universities on their latest list, only to be told that the victim in question was not actually listed as a desired target.
The leaked chats show i-SOON continuously tried to recruit new talent by hosting a series of hacking competitions across China. It also performed charity work, and sought to engage employees and sustain morale with various team-building events.
However, the chats include multiple conversations between employees commiserating over long hours and low pay. The overall tone of the discussions indicates employee morale was quite low and that the workplace environment was fairly toxic. In several of the conversations, i-SOON employees openly discuss with their bosses how much money they just lost gambling online with their mobile phones while at work.
Danowski believes the i-SOON data was probably leaked by one of those disgruntled employees.
βThis was released the first working day after the Chinese New Year,β Danowski said. βDefinitely whoever did this planned it, because you canβt get all this information all at once.β
SentinelOneβs Cary said he came to the same conclusion, noting that the Protonmail account tied to the GitHub profile that published the records was registered a month before the leak, on January 15, 2024.
Chinaβs much vaunted Great Firewall not only lets the government control and limit what citizens can access online, but this distributed spying apparatus allows authorities to block data on Chinese citizens and companies from ever leaving the country.
As a result, China enjoys a remarkable information asymmetry vis-a-vis virtually all other industrialized nations. Which is why this apparent data leak from i-SOON is such a rare find for Western security researchers.
βI was so excited to see this,β Cary said. βEvery day I hope for data leaks coming out of China.β
That information asymmetry is at the heart of the Chinese governmentβs cyberwarfare goals, according to a 2023 analysis by Margin Research performed on behalf of the Defense Advanced Research Projects Agency (DARPA).
βIn the area of cyberwarfare, the western governments see cyberspace as a βfifth domainβ of warfare,β the Margin study observed. βThe Chinese, however, look at cyberspace in the broader context of information space. The ultimate objective is, not βcontrolβ of cyberspace, but control of information, a vision that dominates Chinaβs cyber operations.β
The National Cybersecurity Strategy issued by the White House last year singles out China as the biggest cyber threat to U.S. interests. While the United States government does contract certain aspects of its cyber operations to companies in the private sector, it does not follow Chinaβs example in promoting the wholesale theft of state and corporate secrets for the commercial benefit of its own private industries.
Dave Aitel, a co-author of the Margin Research report and former computer scientist at the U.S. National Security Agency, said itβs nice to see that Chinese cybersecurity firms have to deal with all of the same contracting headaches facing U.S. companies seeking work with the federal government.
βThis leak just shows thereβs layers of contractors all the way down,β Aitel said. βItβs pretty fun to see the Chinese version of it.β
U.S. and U.K. authorities have seized the darknet websites run by LockBit, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didnβt pay, LockBitβs victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.
Investigators used the existing design on LockBitβs victim shaming website to feature press releases and free decryption tools.
Dubbed βOperation Cronos,β the law enforcement action involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the unsealing of two indictments; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gangβs activities.
LockBit members have executed attacks against thousands of victims in the United States and around the world, according to the U.S. Department of Justice (DOJ). First surfacing in September 2019, the gang is estimated to have made hundreds of millions of U.S. dollars in ransom demands, and extorted over $120 million in ransom payments.
LockBit operated as a ransomware-as-a-service group, wherein the ransomware gang takes care of everything from the bulletproof hosting and domains to the development and maintenance of the malware. Meanwhile, affiliates are solely responsible for finding new victims, and can reap 60 to 80 percent of any ransom amount ultimately paid to the group.
A statement on Operation Cronos from the European police agency Europol said the months-long infiltration resulted in the compromise of LockBitβs primary platform and other critical infrastructure, including the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. Europol said two suspected LockBit actors were arrested in Poland and Ukraine, but no further information has been released about those detained.
The DOJ today unsealed indictments against two Russian men alleged to be active members of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.
Ivan Gennadievich Kondratyev, a.k.a. βBassterlord,β allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka βREvilβ) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.
With the indictments of Sungatov and Kondratyev, a total of five LockBit affiliates now have been officially charged. In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail βWazawakaβ Matveev and Mikhail Vasiliev.
Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF). Matveev remains at large, presumably still in Russia. In January 2022, KrebsOnSecurity published Who is the Network Access Broker βWazawaka,β which followed clues from Wazawakaβs many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.
An FBI wanted poster for Matveev.
In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.
LockBit was known to have recruited affiliates that worked with multiple ransomware groups simultaneously, and itβs unclear what impact this takedown may have on competing ransomware affiliate operations. The security firm ProDaft said on Twitter/X that the infiltration of LockBit by investigators provided βin-depth visibility into each affiliateβs structures, including ties with other notorious groups such as FIN7, Wizard Spider, and EvilCorp.β
In a lengthy thread about the LockBit takedown on the Russian-language cybercrime forum XSS, one of the gangβs leaders said the FBI and the U.K.βs National Crime Agency (NCA) had infiltrated its servers using a known vulnerability in PHP, a scripting language that is widely used in Web development.
Several denizens of XSS wondered aloud why the PHP flaw was not flagged by LockBitβs vaunted βBug Bountyβ program, which promised a financial reward to affiliates who could find and quietly report any security vulnerabilities threatening to undermine LockBitβs online infrastructure.
This prompted several XSS members to start posting memes taunting the group about the security failure.
βDoes it mean that the FBI provided a pentesting service to the affiliate program?,β one denizen quipped. βOr did they decide to take part in the bug bounty program? :):)β
Federal investigators also appear to be trolling LockBit members with their seizure notices. LockBitβs data leak site previously featured a countdown timer for each victim organization listed, indicating the time remaining for the victim to pay a ransom demand before their stolen files would be published online. Now, the top entry on the shaming site is a countdown timer until the public doxing of βLockBitSupp,β the unofficial spokesperson or figurehead for the LockBit gang.
βWho is LockbitSupp?β the teaser reads. βThe $10m question.β
In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadnβt offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head β offering $10 million to anyone who could discover his real name.
βMy god, who needs me?,β LockBitSupp wrote on Jan. 22, 2024. βThere is not even a reward out for me on the FBI website. By the way, I want to use this chance to increase the reward amount for a person who can tell me my full name from USD 1 million to USD 10 million. The person who will find out my name, tell it to me and explain how they were able to find it out will get USD 10 million. Please take note that when looking for criminals, the FBI uses unclear wording offering a reward of UP TO USD 10 million; this means that the FBI can pay you USD 100, because technically, itβs an amount UP TO 10 million. On the other hand, I am willing to pay USD 10 million, no more and no less.β
Mark Stockley, cybersecurity evangelist at the security firm Malwarebytes, said the NCA is obviously trolling the LockBit group and LockBitSupp.
βI donβt think this is an accidentβthis is how ransomware groups talk to each other,β Stockley said. βThis is law enforcement taking the time to enjoy its moment, and humiliate LockBit in its own vernacular, presumably so it loses face.β
In a press conference today, the FBI said Operation Cronos included investigative assistance from the Gendarmerie-C3N in France; the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany; Fedpol and Zurich Cantonal Police in Switzerland; the National Police Agency in Japan; the Australian Federal Police; the Swedish Police Authority; the National Bureau of Investigation in Finland; the Royal Canadian Mounted Police; and the National Police in the Netherlands.
The Justice Department said victims targeted by LockBit should contact the FBI at https://lockbitvictims.ic3.gov/ to determine whether affected systems can be successfully decrypted. In addition, the Japanese Police, supported by Europol, have released a recovery tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.
FreshRSS 