i-SOON: Another Company in the APT41 Network
A lawsuit casts light on the ecosystem of IT companies related to Chengdu 404, the company allegedly behind Chinese state-sponsored hacking group APT41.
A recent court case in Chengdu, Sichuan Province, China has caught Natto Team’s attention because it involves a company that US officials have alleged to be linked with Chinese offensive hacking. The court case is an intellectual property dispute in which the company known as Chengdu 404 – which allegedly stands behind the Chinese state hacking operation known as APT41 – sued a company known as Sichuan i-SOON. The case, which pitted Chengdu Silingsi (404) Network Technology Company (成都市肆零肆网络科技有限公司) as the plaintiff against Sichuan i-SOON Information Technology Company (四川安洵信息技术有限公司) as the defendant, centered on a software development contract dispute. As of this writing, there is no publicly available information about the case, except that it was scheduled to go to trial on October 17, 2023. The existence of this case suggests that Chengdu 404 and Sichuan i-SOON had a business relationship. A look at Sichuan i-SOON adds to our understanding of the ecosystem of IT companies in which Chengdu 404 – and, by extension, the hackers of APT41 – operate.
As readers may recall, in August 2020 a US court indicted three alleged hackers – Qian Chuan (钱川), Jiang Lizhi (蒋立志), and Fu Qiang (付强) – associated with threat group APT41 and with the company Chengdu 404. Within this company, according to the indictment, Qian Chuan (a.k.a. Squall) was President, Jiang Lizhi (a.k.a. Black Fox) served as Vice President for the Technical Department, and Fu Qiang (a.k.a. StandNY) served as Manager for Big Data Development. The online handles of the three hackers suggest they have had a heavy online presence in Chinese hacker communities.
On the surface, the US exposure of the APT41 hackers and their associated Chengdu 404 company in 2020 would seem to have stymied the company’s activity; visitors to its website, www.umisen[.]com, receive a 404 “Not Found” error code. However, the Natto Team’s research in a variety of Chinese government sources shows that Chengdu 404 continues its business operations. The company has registered 17 more proprietary software products since then. Chengdu 404 also requested financing help from the Chengdu SME (Small and Medium Enterprise) Service Center, a subsidiary of the Chengdu Municipal Economic and Information Technology Commission, in June 2021 (hxxp://www.cdsme.com/xinxizhongxin/zhongxindongtai/20210625/17535[.]html). This indicates that Chengdu 404 was likely looking for municipal sponsorship for ongoing business operations or even for expansion. The company placed “help wanted” ads on various Chinese recruitment platforms. Finally, the October 2023 lawsuit also suggests that Chengdu 404 is operating business as usual.
The interesting point of the court case between Chengdu 404 and Sichuan i-SOON, despite the lack of case detail, is that Sichuan i-SOON is a company that also resides in Chengdu and that conducts similar business, such as network technology services and software development. Chengdu 404 was established in May 2014, while Sichuan i-SOON was set up 10 months later in March 2015. Size-wise, currently Chengdu 404 has 101 employees, while Sichuan i-SOON has 72, according to business registration information.
Even more interesting is i-SOON’s connection to hacking. Like the three indicted hackers operating Chengdu 404, the CEO of i-SOON, Wu Haibo (吴海波), a.k.a. shutdown, is a well-known first-generation red hacker or Honker (红客) and an early member of Green Army (绿色兵团), the very first Chinese hacktivist group, founded in 1997. (For more on this early generation of patriotic hackers, see the chapter “Becoming a Cyber Superpower: China Builds Offensive Capability with Military, Government and Private Sector Forces” in the book “The Emergence of China’s Smart State”). In addition, like Chengdu 404, i-SOON also has connections with universities throughout Sichuan province, through hosting hacking competitions and offering training courses through its i-SOON Institute.
At least on the surface, many features of i-SOON resemble Chengdu 404. Is there any other evidence on possible ties between Sichuan i-SOON and any Chinese APT activities?
A variety of cyber threat intelligence (CTI) analyses have pointed out that Sichuan Province is a “known hot spot for hacking” and that Chengdu, the capital of Sichuan Province, has “become a hub for Chinese advanced persistent threat (APT) activity.” Could i-SOON be one of these Chengdu companies with ties to APT activity?
Who is Sichuan i-SOON?
Sichuan i-SOON is a subsidiary of Shanghai i-SOON Information Technology, which was established in 2010. Besides Sichuan i-SOON, Shanghai i-SOON has three other subsidiaries and offices, located in Nanjing, Jiangsu Province, and in Taizhou and Ningbo, Zhejiang Province. Sichuan i-SOON is i-SOON’s center for product research and development.
CEO Wu Haibo is the sole controller of i-SOON and its subsidiaries. The website of the company reflects his patriotic hacker background. According to the company’s website, he chose the name i-SOON from its tagline, 安全无界洵无止境, which means cybersecurity has no boundaries, and there is no end to learning. The i-SOON website claims its company culture aspires to “become a solid national defense reserve force with a strong sense of political responsibility and a spirit of high responsibility to the Party and the People.” In a 2011 interview with the Chinese Computer newspaper (中国计算机报), Wu Haibo discussed his Honker journey and views of his ethical mission: he said a real Honker with high technical skills should guide his choice of action according to the spirit of “certain things that a gentleman would do, or not do” (君子有所为有所不为). This quotation came from Mencius, a 4th century BC philosopher known as the “Second Sage” of Confucianism. Coincidentally or not, the three APT41 hackers expressed the same view of their entrepreneurial spirit with the same quote from Mencius in an interview in 2018.
i-SOON’s “business services” webpage advertises public security, anti-fraud, blockchain forensics and enterprise security solutions, as well as training. In 2013, i-SOON established a department for research on APT network penetration methods. Business partners that i-SOON listed included all levels of public security agencies, including the Ministry of Public Security, 10 provincial public security departments, and more than 40 city-level public security bureaus.
i-SOON also possesses relevant qualifications to work for state security. i-SOON is a designated supplier for the Ministry of State Security. In 2019, i-SOON appeared among the first batch of certified suppliers (列装单位) for the Cyber Security and Defense Bureau of the Ministry of Public Security (公安部网络安全保卫局) to provide technologies, tools or equipment. Subsequently, in 2020, i-SOON received a “Class II secrecy qualification for weapons and equipment research and production company (武器装备科研生产单位二级保密资格)” from the Ministry of Industry and Information Technology (MIIT). The Class II, the highest secrecy classification that a non-state-owned company can receive, qualifies i-SOON to conduct classified research and development related to state security. After acquiring these certifications, in July 2021, i-SOON was shortlisted for a cyber security protection project for the public security bureau of Aksu region in the Xinjiang Uyghur Autonomous Region. (The Chinese government reportedly carries out intensive surveillance of the population in that majority-Muslim region of the country, including by infecting residents’ mobile phones with malware. i-SOON’s possible involvement in mobile malware is described below). Also in 2021, the Sichuan provincial government designated Sichuan i-SOON one of “the top 30 information security companies.”
Sichuan i-SOON, as a center for product research and development, holds a number of patents and proprietary software tools. As of October 2023, Sichuan i-SOON had registered 11 patents and 59 proprietary software tools. Judging from the descriptions of the patents, several of them have surveillance applications. For example, one patent, titled “an intelligent platform and its application in assisting criminal investigation,” describes a system for breaching the computer systems of target organizations or individuals for surveillance in advance of any suspected crime. It uses specific selection rules to designate a range of targets for this monitoring. The listed proprietary software ranges from a “sensitive information collection system” to a “special investigative warfare platform” and a “virtual currency tracking system.”
i-SOON’s government-linked service qualifications, partnership with the public security apparatus, R&D capability and achievements have certainly made recognized contributions to Chinese state cyber security needs. i-SOON displayed 15 thank-you letters from its partners and clients. Most of them were from provincial and municipal public security bureaus.
Did Sichuan i-SOON and Chengdu 404 (APT41) Partner in Mobile Attacks?
In the software development contract dispute case, Chengdu 404 was the plaintiff. This likely means Chengdu 404 commissioned software development from Sichuan i-SOON, and then the contract somehow did not go as Chengdu 404 hoped. As we mentioned earlier, Chengdu 404 itself registered 17 copyrighted software tools in the past three years, so it clearly has its own software development capability. If the company paid i-SOON to help, that could have been for tools for which i-SOON had specialized knowledge. What is i-SOON good at? Judging by i-SOON’s lists of patents and proprietary software, its certification to provide “equipment” for state security, and the nature of its work with public security bureaus, i-SOON likely provides services and tools for surveillance purposes and other state security needs.
APT41’s activities have included a focus on breaching mobile devices. In July 2023, researchers from Lookout, a US-based cloud security company, reported on two advanced Android surveillanceware families, WyrmSpy and DragonEgg, with the command-and-control (C2) infrastructure hard-coded into the malware’s source code. The hard-coded C2 URL was a subdomain of umisen[.]com, the website of Chengdu 404. Lookout first collected samples of WyrmSpy in 2017 and detected DragonEgg in early 2021. The Lookout report suggested that APT41’s focus since 2017 on targeting mobile devices “shows that mobile endpoints are high value targets with coveted data.” This focus on mobile phone surveillance aligns with an area of i-SOON’s expertise. As mentioned above, i-SOON has numerous surveillance-related patents and nearly won a contract for a mobile surveillance project related to China’s Xinjiang region, a particular target of Chinese government mobile malware-based surveillance. The thank-you letter i-SOON received from the network security team of the Kashgar region public security bureau in Xinjiang suggests i-SOON has carried out projects for public security officials in the Xinjiang region.
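A hard-coded C2 domain like the one Lookout found is one of the few durable indicators a defender gets from this kind of surveillanceware, and the practical check is whether any host on the network resolved that domain or anything beneath it. The following is an added example, not code from Natto Team, Lookout, or any of the companies discussed: it applies a suffix match over a constructed sample of DNS resolver log lines, with the log format and client addresses assumed for illustration. Only umisen[.]com itself comes from the article; it is refanged in the code so that it can be matched. The matching deliberately treats only true subdomains as hits, so look-alike names such as notumisen.com and umisen.com.evil.example are not flagged.

```python
import re

# Watchlist domain taken from the article: Lookout reported that the WyrmSpy and
# DragonEgg C2 URL was a subdomain of umisen[.]com. Refanged here for matching.
WATCHLIST = {"umisen.com"}

# Constructed sample of DNS resolver log lines (assumed format, not real telemetry).
SAMPLE_LOG = """\
2023-10-17T08:01:12Z client=10.0.5.21 query=api.UMISEN.com. type=A
2023-10-17T08:01:15Z client=10.0.5.22 query=www.example.org. type=A
2023-10-17T08:02:03Z client=10.0.5.21 query=notumisen.com. type=A
2023-10-17T08:02:44Z client=10.0.5.23 query=cdn.static.umisen.com type=AAAA
2023-10-17T08:03:10Z client=10.0.5.24 query=umisen.com.evil.example. type=A
"""

# Pulls the querying client and the queried name out of one log line.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def normalize(host):
    """Lower-case a DNS name and drop the trailing root dot so comparisons are stable."""
    return host.rstrip(".").lower()


def is_subdomain_of(host, domain):
    """True if host equals domain or sits strictly below it (label boundary enforced).

    A plain endswith() would also match 'notumisen.com'; requiring the '.'
    separator avoids that false positive.
    """
    h, d = normalize(host), normalize(domain)
    return h == d or h.endswith("." + d)


def find_c2_hits(log_text, watchlist=WATCHLIST):
    """Return (client, queried_name, matched_watchlist_domain) for each hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed or unrelated lines
        queried = normalize(m.group("query"))
        for d in watchlist:
            if is_subdomain_of(queried, d):
                hits.append((m.group("client"), queried, normalize(d)))
                break
    return hits


if __name__ == "__main__":
    for client, name, matched in find_c2_hits(SAMPLE_LOG):
        print(f"{client} resolved {name} (watchlist: {matched})")
```

Two of the five constructed lines are hits, both from hosts that queried a name beneath the watchlisted domain; the look-alike names are ignored. In a real deployment the watchlist would be loaded from an indicator feed and the function run over resolver or proxy logs, with each hit treated as a lead for host triage rather than a confirmed infection.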
Is Sichuan i-SOON an APT?
Could i-SOON undertake its own APT activities to serve the Chinese state? From the company’s qualifications and capabilities, it is possible. APT41 operates as an interlinked network, sharing malware, expertise and connections, as Intrusion Truth, a mysterious investigative group that exposes the real identities of Chinese hackers, has stated. As we know, Chengdu has become a hub of Chinese hacking activity; in that city, the interlinked hacking network could be even stronger than in other regions. So, what other hacking activities happen in Chengdu?
RedHotel (a.k.a Earth Lusca) from Chengdu
In January 2022, Trend Micro identified Earth Lusca, a threat actor originating from China with a source region near Chengdu. Earth Lusca overlaps with a Chinese APT group that Recorded Future has named RedHotel. (Recorded Future initially used the provisional name TAG-22 when it first reported on the group in 2020. Other names researchers have used for the group include Charcoal Typhoon, CHROMIUM, Red Scylla, Aquatic Panda, and ControlX.) In an August 2023 profile, Recorded Future reported that RedHotel operates “at a global scale” and assessed, based on the group’s infrastructure, that it likely resides in Chengdu. Recorded Future noted, “RedHotel’s targeting purview, tooling, and modus operandi closely resemble the operations of other private contractor groups affiliated with China’s Ministry of State Security (MSS), including other Chengdu-based threat activity groups such as RedGolf (aka APT41, Brass Typhoon).” RedHotel used the ShadowPad and Winnti custom malware families, which a wide range of Chinese APT groups privately share. Trend Micro also discovered that Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, it found that Earth Lusca's techniques and infrastructure are separate.
Examining Earth Lusca’s targets, Trend Micro listed the following:
Gambling companies in Mainland China
Government institutions in Taiwan, Thailand, Philippines, Vietnam, United Arab Emirates, Mongolia, and Nigeria
Educational institutions in Taiwan, Hong Kong, Japan, and France
News media in Taiwan, Hong Kong, Australia, Germany, and France
Pro-democracy and human rights political organizations and movements in Hong Kong
Covid-19 research organizations in the United States
Telecom companies in Nepal
Religious movements that are banned in Mainland China
Various cryptocurrency trading platforms
Recorded Future identified RedHotel victim organizations in even more countries than Trend Micro, including Afghanistan, Bangladesh, Cambodia, Czechia, India, Laos, Malaysia, and Palestine. Targeted organizations spanned academia, aerospace, government, media, telecommunications, and research and development sectors.
Earth Lusca’s operation targeting universities in Hong Kong in 2019 appears to be the same operation as one that Slovak cybersecurity firm ESET attributed in 2020 to what it called the Winnti Group, judging from overlaps in infrastructure, capability, and targeting. Recorded Future identified similar overlaps as well.
Could Sichuan i-SOON stand behind RedHotel/Earth Lusca operations?
Identifying the real people behind a given intrusion set such as RedHotel/Earth Lusca requires data and evidence. The fact that APT41 operates as an interlinked network, sharing expertise, connections, and malware families such as Winnti, has complicated the intrusion analysis. Perhaps it is helpful to explore attribution from the network of connections involving Chengdu 404 and i-SOON.
By gathering what we know, Natto Team identified the following overlaps between Sichuan i-SOON and Chengdu-based APT groups such as RedHotel/Earth Lusca:
Sichuan i-SOON has business connections with Chengdu 404, a company operated by APT41 actors.
Sichuan i-SOON operates with a similar business model to Chengdu 404, working with state and local security agencies while making connections with universities through training and scholarship programs and hacking competitions.
Sichuan i-SOON’s CEO Wu Haibo was a well-known first-generation Chinese red hacker with deep connections with Chinese hacker communities.
Sichuan i-SOON is in Chengdu, Sichuan. RedHotel (aka Earth Lusca) operated from Chengdu as well.
Sichuan i-SOON partners with various levels of public security bureaus. Chinese public security bureaus oversee domestic security issues, including those concerning Taiwan and Hong Kong. RedHotel’s targeting of educational institutions and news media in Taiwan and Hong Kong, and of religious movements banned in mainland China, resembles the scope of work responsibilities of Chinese public security bureaus. As mentioned above, i-SOON received a thank-you letter from the network security team of a public security bureau in another sensitive region, Xinjiang, and it was short-listed for a project in that region.
Natto Team understands these connections may not be enough to identify i-SOON as an APT group working for the Chinese government. However, we believe it does not hurt to provide our think-out-loud Natto Thoughts to the community to explore further. Comments, suggestions and tips are welcome.
Readers may also be interested in this GitHub repo: https://github.com/I-S00N/I-S00N.