i-SOON: Kicking off the Year of the Dragon with Good Luck … or Not
Chat logs in the i-SOON leak show China’s hacker-for-hire industry is subject to Chinese business culture: in the race for profits, survival depends on who you know and who you wine and dine with.
On February 18, the first working day after a week-long Lunar New Year holiday, i-SOON, a Chinese information security company on which the Natto Team reported last October, posted on its WeChat public account a red banner with the greeting 开工大吉 (kai gong da ji), meaning “Good luck with your work throughout the new year.” However, this first business day in the Year of the Dragon was not so blessed for i-SOON. A massive leak – including i-SOON’s product marketing white papers, compromised data samples, chat logs among employees and clients, and screenshots and images related to the company’s business operations from at least 2020 to 2022 – was posted on GitHub. As of this writing, GitHub has taken down the leaked documents. The Associated Press confirmed the leak’s authenticity with two employees of i-SOON.
As various media reports illustrated, the leak “open(s) the lid on China’s commercial hacking industry” and provides “unprecedented insight into the world of China’s hackers for hire.” Yes, indeed, the Natto team agrees that these leaked documents provide a rare opportunity for cyber threat researchers to cross-examine past research findings, to further explore threat actors’ tactics, techniques and procedures (TTPs), and most importantly, to understand the motivations and intents of those behind the keyboard.
i-SOON and Chengdu 404: More Complicated than We Thought
The Natto Team would like to go back to what we wrote in October 2023 about i-SOON and Chengdu 404. Does the i-SOON leak tell us more about the two companies’ relationship and connections than we suspected before?
In the October report, based on a software development contract dispute case between Chengdu 404 and i-SOON, the Natto Team wrote:
This likely means Chengdu 404 commissioned a software development contract to Sichuan i-SOON, then somehow the contract did not go as Chengdu 404 hoped. As we mentioned earlier, Chengdu 404 itself registered 17 copyrighted software tools in the past three years, so it clearly has its own software development capability. If the company paid i-SOON to help them, that could be for some tools for which i-SOON had specialized knowledge. What is i-SOON good at? Judging by i-SOON’s lists of patents and proprietary software, its certification to provide “equipment” for state security, and the nature of working with public security bureaus, i-SOON likely provided services and tools for surveillance purposes and other state security needs.
Well, the Natto Team’s analysis seems accurate. However, the leak showed that the relationship and connections between the two companies were far more complicated than we knew. They were business partners and competitors; they were each other’s suppliers; they were bid buddies for government contracts as well as, of course, drinking buddies.
i-SOON and Chengdu 404 had at least five business contracts, according to this month’s leak:
In May 2019, Chengdu 404 purchased from i-SOON an anonymous payment gateway system. Anonymous payment gateways are often used to hide the tracks of money transfers.
In August 2019, i-SOON purchased technical services from Chengdu 404 to serve i-SOON’s network device security test project. A network device security test likely is a penetration test for network devices.
In August 2019, i-SOON signed a technical service contract with Chengdu 404 to use its “Sonar-X Big Data Analysis Platform,” which it described as an “Information Risk Assessment System.” “Sonar-X served as an easily searchable repository for social media data that previously had been obtained by Chengdu 404,” the US Department of Justice wrote in 2020 in an indictment of several Chengdu 404 employees.
In January 2020, i-SOON purchased from Chengdu 404 a fuzz testing platform. Fuzz testing is an automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities.
In November 2020, Chengdu 404 signed an agreement with i-SOON to cooperate in technical research on “software vulnerability of information systems” (系统信息软件脆弱性技术研究). The agreement was signed after the DoJ indictment of Chengdu 404 was unsealed in September 2020. Vulnerability research has been a hot research topic since at least 2017, when the Natto Team first observed this. The Chinese government considers that the essence of cyber warfare is vulnerability, a flaw or weakness in an IT system that can be exploited. This concept goes beyond technical vulnerabilities in software and encompasses broader weaknesses in whole networks. By 2021, just a few months after the Chengdu 404/i-SOON agreement, the Chinese government would issue rules effectively nationalizing vulnerability disclosures.
These five business contracts indicate that i-SOON and Chengdu 404 had a bi-directional business relationship. They were each other’s suppliers, and they also cooperated in technical research, in particular vulnerability research, likely including vulnerability discovery and exploitation. At the same time, although we are still not able to determine the details of the lawsuit concerning the software development dispute, the existence of the case showed they were competitors as well. When business didn’t go in the direction they hoped for, one partner took the other to court.
Several leaked chats between the CEO of i-SOON, Wu Haibo, a.k.a. Shutdown (sometimes written as “Shutd0wn”), and the general manager, Chen Cheng, a.k.a. lengmo, suggested that i-SOON and Chengdu 404 conducted bid rigging to manipulate government contract bidding processes. On the day the US Justice Department unsealed its Chengdu 404 indictment, Shutdown and lengmo laughed about the exposure of Chengdu 404 employees. When asked whether i-SOON had any key projects with Chengdu 404, lengmo said “No,” then added, “Does it count that we were bid buddies?”, referring to companies that engage in a system of “accompanying bidders” (陪标) to collaborate in manipulating government contract bidding processes. Shutdown answered, “Well, those guys were from the governing board of the drinking committee,” implying that they were not only bid buddies but also drinking companions. Shutdown added, “Now they are (APT) number 41. When we see them next time, we should ask them to drink 41 shots of baijiu liquor.”
i-SOON and Other Information Security Companies: An Intricate Network
If the connections of i-SOON and Chengdu 404 gave us a glimpse of how Chinese information security companies work as hackers-for-hire for the government, the i-SOON leak vividly depicts the intricate relationships among information security companies, China’s public security and state security agencies, various other government bodies, and the military. (“Public security” agencies handle policing within China and among overseas Chinese, while “state security” bodies handle foreign threats). Within this landscape, information security firms have cultivated their own ecosystem, navigating the complexities of engaging with diverse government entities and operating both collaboratively and independently. In some instances, these companies engaged in fierce competition, actively recruiting talent from one another, while in others, they collaborated to manipulate contract bidding processes.
A sample of i-SOON’s contract list illustrates how information security companies worked cooperatively. A document titled “Sichuan i-SOON Contract Ledger” contained 120 contracts that i-SOON initiated between July 2016 and June 2022. Interestingly, the “contracting parties” (签约方) of nearly 50 percent of these contracts were different from the “end users” (最终用户) of the products and services. Contracting parties often were “xxx Science and Technology Limited Company,” “xxx Information Technology Company,” or “xxx Network Technology Company.” Natto Team research suggests that most of these were companies like i-SOON that provide information technology products and services. Since the end users of the contracts were public security apparatus at various levels (provincial, municipal, and third-tier cities), state security agencies, and the military, this likely indicates that i-SOON was a subcontractor or supplier to these contracting parties, which would then sell their products to the “end users.”
Another sample, the “Sichuan i-SOON Procurement Contract Ledger,” listed a total of 52 purchase contracts, ranging from “technical service procurement contract” to “product procurement contract” and “technology development contract,” with 46 companies and two individuals. Among these procurement contracts, only one was with a government agency – the Third Research Institute of the Ministry of Public Security, which focuses on the development of surveillance technologies, such as AI-based “smart surveillance,” and censorship technologies. In this particular case, i-SOON purchased a remote forensic query system. The ledger also suggests that technology companies from the private sector have been the main suppliers of cyber tools and services to i-SOON for its business needs.
The leaked chat log conversations indicated that these information security companies constantly competed for the best talent. In one chat log, i-SOON executives worried that several of their skilled technical engineers had been poached by Qi An Xin, a top information security company. “Some clients are reluctant to give us contracts anymore because we lost key talent,” Shutdown said.
At the same time, i-SOON and other Chinese IT companies shared tools, malware and vulnerabilities – for a price. In an August 2020 chat, Shutdown and lengmo discussed whether they could purchase Linux Trojan malware from another company for one of their projects because this company had supplied similar malware before. Shutdown also asked lengmo whether an exploit for a QQ vulnerability was available from a named company for them to use. (Note: QQ is an instant messaging service developed by the Chinese technology company Tencent.) lengmo said, “Probably not, unless it was an important client with good relationship with us,” … “if we want to use it, they charge us 100,000RMB (US$13,000) a piece; no charges if it doesn’t work.”
As mentioned previously, i-SOON and Chengdu 404 were bid buddies – “accompanying bidders” (陪标) in bid rigging. i-SOON appears to have had more than one company with which it could team up to enhance its bids. In one chat, Shutdown and lengmo discussed how to use the name and qualifications of an information security company in Xi’an, Shaanxi Province, to bid on a contract with the local public security bureau, since the company in Xi’an was well-connected.
i-SOON and its “Clients”: Wide-Ranging but with a Public Security Focus
The Natto Team’s i-SOON report from October identified “business partners” spanning all levels of public security agencies, including the Ministry of Public Security, 10 provincial public security departments, and more than 40 city-level public security bureaus. The recent leak clearly verified i-SOON’s line of public security clientele, but also revealed that i-SOON served the Chinese People’s Liberation Army (PLA) and other government agencies. In the leaked Sichuan i-SOON contract list, 66 of the 120 contracts served various public security bureaus; 22 contracts served state security agencies’ needs; only one contract served the PLA – and that was also the only contract classified as “secret” – and the remaining 31 contracts served other government agencies, research institutes, state-owned enterprises, and universities.
i-SOON as a Business: Struggle, Struggle and Struggle
Since the early 2000s, the Chinese government has recognized that private companies in the Information and Communications Technology (ICT) industry are valuable resources for building China into a “cyber superpower.” Highly skilled talent from information security companies develops tools and participates in government cyber security initiatives, such as lending employees and products to build cyber militias, a cyber warfare reserve force. By participating in government initiatives and working on government contracts, information security companies have become hackers-for-hire for the Chinese government. If any of us previously assumed that the Chinese government handed contracts with clear requirements to the information security companies to conduct cyber operations, we were probably wrong, judging from the i-SOON leak.
The leak showed that companies like i-SOON courted the government’s favor to obtain contracts to run their business, not only through dinner parties or meetings in night clubs, but also by proactively making educated guesses about the government’s next targets. Often, i-SOON had to figure out for itself what was valuable to its government clients. In January 2022, one person – likely an i-SOON employee – complained to another person, saying, “Now the clients are harder and harder to please. Unless the data we found matches what they need exactly, it is more and more difficult to cooperate with them.” In another chat log, an employee tried to figure out what might interest the clients. “One idea is to have an inquiry system searching for those Uyghur ethnic people from Xinjiang who are in exile. If (we) need to do this, (we) need to have data from Turkey first. It is very difficult to do that. Whoever can do it, the other side [i.e. the government client] will definitely pay for it.” (Not for lack of trying: the i-SOON leak data appears to include credentials for the email service of Turkey’s Tubitak scientific council. However, that may not have yielded data relevant to Uyghur exiles.)
Meanwhile, i-SOON followed government policy directions closely to adjust its business operations. When the Ministry of Public Security issued guidance on the importance of “network defense and offense exercises” (网络攻防演习) and required Public Security Bureaus at all levels to conduct such exercises regularly, i-SOON executives saw this as an opportunity to promote the company’s Capture the Flag (CTF) training program to the Public Security Bureaus. Shutdown said to lengmo, “We are pretty good at doing trainings. Our CTF trainings are well recognized.” “Yes, many municipality bureaus have been asking us to help,” lengmo replied.
To keep its business moving, i-SOON organized team-building events to boost morale, participated in charity work, and supported local universities to build a good business reputation. When Shutdown and lengmo discussed helping to organize a local university hacking competition, Shutdown said, “The questions for the competition cannot be too easy. Otherwise, it is an embarrassment for the company and sounds like we don’t know enough.” The two of them also discussed how much the company should donate to a poverty relief program in a city to build relationships for future business opportunities.
i-SOON’s business struggles suggest that China’s hacker-for-hire, or commercial hacking, industry is just like other businesses. It is profit driven; it is subject to China’s business culture – who you know, who you wine and dine with, and who you are friends with. Of course, the ability to get the job done cannot be ignored.
In the next i-SOON report, the Natto Team will discuss how i-SOON gets the job done.
Love to see fresh blog on the block. Keep up the work!
Great original insights from NATTO. Original public blog i-SOON since Oct 2023