i-SOON Leak: Unanswered Questions and What Now?
Chinese hackers’ lax operations security; why Chinese officials have to rely on contractors; why i-SOON might not fear blowback from the leak; and how the name-and-shame strategy seems to be failing.
It has been over a month since the massive leak of i-SOON, a Chinese information security company, revealed the operations of China’s hacker-for-hire industry. We have seen many insightful reports about the i-SOON leak, analyzing i-SOON’s commercial offering; diving deeply into i-SOON’s company culture, “fueled by influence, alcohol and sex”; and using analysis of competing hypotheses (ACH) to assess who was responsible for the i-SOON leak. However, there are still many unanswered questions related to the leak and what it all means in terms of understanding Chinese threat groups, conducting threat analysis and preventing or mitigating future attacks. While the Natto Team has received many inquiries from the media and discussed the leak with experts from the industry, we would like to present these unanswered questions and our think-out-loud Natto Thoughts for the community to explore further.
Operations Security
Why do i-SOON and similar companies seem to have very poor operations security?
Chinese hacker groups had been infamously careless in operations security in the past. Operations security (OPSEC), in this context, refers to “a systematic and proven process intended to deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities,” according to the US National Institute of Standards and Technology (NIST).
In 2011, Chinese threat group Night Dragon was identified as “incredibly sloppy,” “making mistakes” and “leaving lots of evidence” in their campaigns, but still successfully targeted Western critical infrastructure such as energy companies and “relied on off-the-shelf hacking tools.” In 2013, APT1, a Chinese People’s Liberation Army (PLA) affiliated group, was also known for using “sloppy tactics” and not bothering to hide their IP (Internet Protocol) address, a unique address that identifies a device on the Internet or a local network, to avoid detection. Nevertheless, the group targeted at least 141 companies in the US, Canada, the United Kingdom, South Africa, and Israel during its seven years of operation. APT1 actors even routinely logged into Facebook, Twitter, and Gmail accounts using their victims’ computers to send out phishing emails, according to US cybersecurity company Mandiant’s groundbreaking report on APT1. The report explained this “risky tactic” as a way to “sidestep the restrictions of China’s Internet censorship systems, which blocks access to Facebook and many other western sites,” as the MIT Technology Review pointed out. However, the Mandiant report did not explain why elite APT1 actors would not be provided with alternative ways, such as virtual private network (VPN) services, to avoid their own country’s Internet censorship. Were they just not bothering? Were they taking advantage of victims’ machines for convenience? Did they not care much about getting caught?
Fast forward 10 years, and the operational sloppiness and seeming unconcern about getting caught do not appear to have changed much. Many of us were surprised that a reporter from the Associated Press could walk straight into i-SOON’s office in Chengdu, China, two days after the company’s leak was exposed and was able to confirm the leak with two employees. The leaked documents showed that i-SOON employees discussed targets and transferred compromised data through personal Weixin accounts. (Weixin (微信) is the largest Chinese social media platform. For users outside of China the app’s English version is called WeChat.) It appeared i-SOON did not have much OPSEC at all. As we know, i-SOON possessed the relevant qualifications to work for state security: the Cyber Security and Defense Bureau of the Ministry of Public Security certified it as a supplier of technologies, tools or equipment, and the Ministry of Industry and Information Technology (MIIT) granted it a “Class II Secrecy Qualification for Weapons and Equipment Research and Production Company,” the highest secrecy classification that a non-state-owned company can receive. These secrecy certifications should require the observance of relevant OPSEC standards, as would commonly be expected. Indeed, China’s National Administration of State Secret Protection (国家保密局) has a “Qualification Standard for Class II Secrecy for Weapons and Equipment Research and Production Company” (the Standard). The Standard details requirements for companies with this certification. For example, the Standard prohibits the use of unclassified information systems, unclassified information equipment and unclassified storage equipment to store, process and transmit state secret information. Judging from the i-SOON leaks, these standards appear to have been there “just for show,” and companies may not always follow them closely.
For i-SOON and its government clients, getting the job done appears to have been more important than adherence to standards, as the Natto Team and other researchers have shown.
As to whether it would be a problem if their operations were exposed, i-SOON’s CEO Wu Haibo (a.k.a. Shutdown or Shutd0wn) expressed no worries at all. “It would happen sooner or later, so no big deal,” Wu responded when his chief operating officer lengmo said state security officers had told him “The company has been watched by the United States.” This carefree mindset about being caught likely stemmed from Shutdown’s belief that i-SOON worked for the Chinese state, so they stood on the side of justice. If adversaries exposed their operations, they would face no consequences domestically.
Even sloppy Chinese cyber operations have had successes, as the cases of Night Dragon, APT1, and i-SOON all illustrate. In i-SOON’s case, the operatives have gradually learned to pay attention to OPSEC so their infrastructure could remain undetected longer. For example, Shutdown instructed i-SOON’s two APT teams to work in a separate office building from the main office with a separate Internet connection to avoid “being correlated.”
In short, the carefree attitude was a fact; sloppiness continued; and OPSEC improved by a hair. In the end, getting the job done was key.
The i-SOON Leak’s Possible Consequences and Clients’ Possible Change of Course
What are the possible consequences for i-SOON after the leak? What could the public security agencies learn from the leak, if they were willing to?
The short answer is probably no consequences for i-SOON. As we discussed in the previous section, the carefree mindset of Chinese threat groups likely derived from the notion of standing on the side of justice. If this notion is correct, the i-SOON leaks may not lead to any consequences for the company in China. If the Chinese government were scrupulous, i-SOON’s handling of classified documents could be found to have violated the “Qualification Standard for Class II Secrecy for Weapons and Equipment Research and Production Company.” If i-SOON’s Class II Secrecy certificate were suspended, it could hurt the company’s business revenue. However, i-SOON could work through other certified companies to obtain contracts, as many companies in the industry have been doing.
The leaked documents disclosed that the Chinese government, particularly the state and local public security offices, neglected to follow standards and procedures for handling contracts or contractors. In most of the cases, central Chinese authorities had issued standards of operations, but the local authorities or relevant companies might not have followed those standards or procedures closely. Judging from the complexity of i-SOON’s business process, which the Natto Team discussed previously, the deeply rooted Chinese business culture, in which survival depends on who you know and who you wine and dine with, will not change overnight. Therefore, a change of course by the Chinese public security authorities is unlikely.
In-House Cyber Capability of Chinese State and Local Authorities
Why did the Chinese state and local authorities have to rely on services from groups like i-SOON when they should have had in-house capabilities? Were the government officials in the Chinese public security apparatus not particularly technically sophisticated?
i-SOON’s leaked documents showed that not just a select few information security companies worked as hackers-for-hire in China. Rather, hundreds of companies like i-SOON, indeed an entire commercial hacking industry, competed and cooperated with each other to serve the Chinese state and local authorities. Why did Chinese government officials have to rely on services from companies like i-SOON? Didn’t they have in-house capabilities? The reason lies in two factors: capability resources and strategy.
Capability Resource
China’s pool of skilled cyber experts resides in private sector companies. China has developed a robust cybersecurity industry along with the explosive growth of the country’s information and communications technology (ICT) sector in the past two decades. Private cybersecurity companies are where the talent and innovation are. These companies develop valuable tools for the state and local authorities to use, such as the products and services i-SOON and its partner companies offer. These companies diligently discover vulnerabilities and develop exploits to improve their own efficiency so they can expand their business.
Strategy
Incorporating private sector companies into China’s cyber warfare forces has been a central pillar of the country’s national strategy since the early 2000s. China started to experiment with using the capabilities of information technology (IT) companies to build cyber militia forces in 2005, setting up the first known militia within the Nanhao Group, an IT company outside Beijing. (For more detail see The Emergence of China’s Smart State, “Chapter 8: Becoming a Cyber Superpower: China Builds Offensive Capability with Military, Government and Private Sector Forces.”)
As to the in-house cyber capabilities within various levels of the Chinese government, open-source information may not be adequate to evaluate them. Sources such as the US indictments and the US and UK sanctions made public on March 25-26, 2024 give a glimpse of what international law enforcement knows about these capabilities. The recent indictments allege that a group called APT31, based in the MSS’ Hubei State Security Department in Wuhan, operates through multiple private companies, as a July 2023 report by the research group Intrusion Truth first revealed.
For those who rely on open sources, the leaked i-SOON material provides many clues. For example, business-focused i-SOON treats the government agencies as “clients.” These “clients” seemed to have an overwhelming number of projects for their contractor companies to complete, backed up with government funding. When the government asked for help on tasks, it often meant they did not have enough manpower or capability to handle the number of tasks generated.
i-SOON’s leaked documents revealed that i-SOON targeted not only overseas but also domestic victims, for example offering “anti-terrorism” support to a local authority in Xinjiang in monitoring ethnic Uyghurs. China’s enormous surveillance state is still growing. China’s surveillance system, such as “Skynet” (天网), has numerous CCTV cameras equipped with facial-recognition technology; these “leave criminals with nowhere to hide.” The surveillance system also involves monitoring, tracking and reporting “key individuals (重点人员),” including paroled criminals, drug addicts, petitioners, religious believers, dissidents and others whom the government “suspected of threatening national security or public order.” In building a giant police state, all levels of government have responsibilities to keep their turf covered. This is likely why i-SOON sales contracts provided products and services to various levels of public security offices, from provincial public security bureaus to county and township level public security offices. Clearly, the public security apparatus heavily relied on private information security companies for products and services. In the meantime, i-SOON employees complained that many of their clients lacked technical knowledge, making their job harder. In a chat log, two employees mocked their public security clients as “SB” (literally “stupid cunt” in Chinese), meaning stupid or dumb. For example, they had to teach the clients how to log into the products.
To sum up, private information security companies in China are extremely capable forces in cyber operations. The public security agencies are not so capable, as the i-SOON documents show.
A Possible Name and Shame Strategy on i-SOON
Does the name and shame strategy work?
After the i-SOON leak, some Western cybersecurity analysts assessed that one possible implication of the leak is US legal action, such as “potential future indictments against i-SOON personnel.” This is the so-called “name-and-shame” strategy in public cyber attribution that both the US and its partners in the Five Eyes intelligence group of English-speaking countries have been using against Chinese threat actors (China has tried this too). The goal of the name-and-shame strategy is often to compel and deter changes in state and non-state behavior. However, how effective has the name-and-shame strategy been in compelling and deterring the Chinese threat actors who have been exposed? It seems not very effective. Here are a couple of examples.
Chengdu 404 business as usual
In September 2020, the US Department of Justice (DoJ) indicted seven actors of the Chinese threat group APT41. Five of the seven actors operated Chengdu Silingsi (404) Network Technology Company (成都市肆零肆网络科技有限公司) (Chengdu 404). As of the time of this writing, Chengdu 404 operates business as normal, according to a Chinese business registration database. Chengdu 404 has registered 17 more proprietary software products since the indictment. Chengdu 404 also requested financing help from the Chengdu SME (Small and Medium Enterprise) Service Center, a subsidiary of the Chengdu Municipality Economic and Information Technology Commission, in June 2021 (hxxp://www.cdsme[.]com/xinxizhongxin/zhongxindongtai/20210625/17535.html). This indicates that Chengdu 404 was likely looking for municipal sponsorship for ongoing business operations or even for expansion. The company placed “help wanted” ads on various Chinese recruitment platforms. Finally, the i-SOON leak revealed that Chengdu 404 had worked on multiple projects with i-SOON and other domestic industry partners. Only one mention in the leaked chat log stated hearsay from an insider that a few government offices had some concerns about working with Chengdu 404 because of the company’s public exposure.
Chengdu 404’s business-as-usual attitude is also reflected in its observed targeting activities. In the three-month period at the end of 2021, after the APT41 indictment was released, APT41 actors targeted 13 more victims globally, according to a report from the US Department of Health and Human Services. Analysts from Mandiant, which is now part of Google, analyzed APT41 activity from May 2021 to February 2022, spanning the period before and after the indictment. That activity did not stop. APT41 used two zero-days, targeted at least six US state governments, and continued exploiting a vulnerability in the web-based Animal Health Reporting Diagnostic System (USAHERDS) application.
So after being put on the US Wanted list, Chengdu 404 carried on its business as usual.
Goldsun, a malware developer arrested and released, then back home to train China’s next generation in computer skills
In August 2017, the US DoJ charged Yu Pingan, a.k.a. “Goldsun,” with conspiring with two other Chinese nationals to hack into at least five US companies between 2011 and 2014. Malware tools Yu created and used included one known as “Sakula,” which was used in the 2015 data theft from the US Office of Personnel Management and from a number of insurance companies, including Anthem. Goldsun was arrested in Los Angeles when he entered the US for a conference on August 23, 2017, and pleaded guilty to conspiracy to commit computer hacking.
Goldsun was considered a legend in the Chinese hacker community. Starting in 2005, he was very active in various Chinese forums devoted to exchanging hacking techniques, hacking tools, and reverse engineering skills. Goldsun was an early member of “t00ls,” a well-known Chinese-language online information security community, and a member of WRSKY (FireFox Base 火狐基地 or Firefox Technology Alliance 火狐技术联盟), a large underground community of hackers with advanced skills, many of whom have founded their own information security businesses. Goldsun also had his own platform, “0day China” (www[.]zerodaycn[.]com), that sold exploit kits.
In February 2019, a federal judge sentenced Goldsun to time served and allowed him to return to China. A Reuters report stated: “In addition to jail time, Yu was ordered to pay nearly $1.1 million in restitution to five companies that were victims of the hacking. The fine was to be paid in installments of $100 a month, with no interest, according to the judgment. The payment schedule would take more than 900 years to complete.” … “Jeremy Warren, a San Diego criminal defense attorney who represented Yu, said: ‘With a Chinese national, a school teacher, there's no real expectation of payment.’”
In November 2019, a Shanghai-based Reuters reporter found Goldsun teaching at Shanghai Commercial School, a state-run vocational technical high school where he had taught prior to his arrest in the US. Goldsun taught two basic computer courses, including one on internet security.
How ironic this case is, like a play about the circle of life.
Well, do we have any other strategies if the name-and-shame strategy has not compelled or deterred threat actors’ behavior? Let’s continue generating more Natto Thoughts.