SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
I-Soon suffers data breach revealing state hacking activities
Fri, 1st Mar 2024

A recent data breach at I-Soon, a Chinese private security company, has disclosed significant details of the firm's purported hacking activities. I-Soon, which contracts for several Chinese agencies, including the Ministry of Public Security, Ministry of State Security, and People's Liberation Army, experienced the data leak over the weekend of 16th February. While the identity of the perpetrator and their motives remain uncertain, the leak offers an unprecedented view of the operations of a state-affiliated hacking contractor.

The I-Soon leak provides solid evidence of China's evolving cyber espionage strategies and target selection. The leaked documents give insight into the financial and strategic motivations behind operations against global entities, providing a broad understanding of state-backed cyber undertakings. This case underscores the importance of understanding the sophisticated strategies employed by state-affiliated hackers, stressing the urgent need for a critical reassessment of current cybersecurity defences.

The authenticity of the documents is yet to be fully validated. Despite this, the contents of the leak do corroborate public threat intelligence, while efforts to further substantiate the documents are ongoing. Significantly, the leak offers the most tangible details seen publicly so far, exposing the maturing nature of China's cyber espionage ecosystem. This leak explicitly shows how the government's targeting requirements are giving rise to a competitive marketplace of independent contractor hackers for hire.

From the perspective of its workforce, I-Soon suffers from low pay and a non-traditional office culture. The leaked files suggest the company is responsible for compromising a minimum of 14 governments, along with pro-democracy organisations in Hong Kong, academic institutions, and NATO. The leaked documents are consistent with previous intelligence on several known threat groups.

The leaked information details victim data and targeting lists, and also includes the names of the clients who requested them. It suggests a competitive struggle for low-value hacking contracts from many government agencies. This indicates that historical targeting data from Advanced Persistent Threats assumed to be PRC contractors does not give reliable guidance on potential future targets.

The leaked documents offer the threat intelligence community a unique opportunity to revisit their past attribution efforts and gain a deeper appreciation of the intricate Chinese threat landscape. The analysis enabled by the leaked documents illustrates the crucial role played by third-party contractors in facilitating and executing many of China’s offensive operations in the cyber domain.

For companies looking to defend themselves against such threats, the lesson is stark. The prevalent threat model is one of underpaid technical professionals making just a fraction of the value they could potentially extract from target organisations. The situation serves as a wake-up call and demands an immediate response to counter these threats more effectively.