i-SOON: “Significant Superpower” or Just Getting the Job Done?
Moving beyond a purely technical focus on TTPs and infrastructure, a business analysis of People, Process, and Technology shows i-SOON’s strengths and limitations
The previous Natto Thoughts report on the recent leak of documents from the Chinese IT company i-SOON discussed the complex network of China’s information security companies and their precarious relationship with their “clients.” As we understand, all these companies, no matter whether we call them “hackers-for-hire” or “commercial hacking industry,” are ultimately businesses with profit as their bottom line, as the Natto Team told The Wire China. Therefore, it is helpful for us to look into i-SOON as a case study using the 60-year-old “People, Process, Technology” (PPT) Framework to assess its business operation, how it got its business done and whether it was successful or not. A business-focused analysis of the i-SOON case study can shed a new light on China’s state-sponsored cyber operations. (On types of state-associated cyber operations, see the Natto Team posting “Wazawaka & Co., Part 2: Patriotic Hacker”)
People
i-Soon’s People strategy: practical “attack and defense live-fire capability” is more important than formal education level.
According to the People, Process, Technology framework, the people – the human resources of a company – are the most important element of a business. Hiring the right people and having productive, dedicated and mission-driven employees are crucial for a company’s business success.
i-SOON had around 160 employees across its six locations in China as of October 2022, according to the leak. Sichuan i-SOON was the largest component, with close to 100 employees. As the Natto Team’s previous report noted, Shanghai i-SOON was established in 2010. In 2015, Shanghai i-SOON established its first and only subsidiary, Sichuan i-SOON, and followed with i-SOON branch offices in Yunnan province in 2017, Jiangsu province in 2020, and Zhejiang province in 2021. In addition, i-SOON founder and the CEO Wu Haibo wholly owns a company named Sichuan Daitabosi Information Technology Limited(四川戴塔柏斯信息技术有限公司) (Sichuan Daitabosi), established in 2017. According to business registration information and the i-SOON leaked documents, Sichuan Daitabosi shared the same management team with Sichuan i-SOON and hosted two attack and defense research labs. One is Xingshi Attack and Defense Lab(行什攻防实验室), previously known as the penetration testing team 2; the other is Kuishao Lab(魁杓实验室) which was the penetration test team 3 before. The two research labs were renamed in May 2022.
Low pay and employee retention problem
As media reports on the leak have pointed out, it seems employees of i-SOON “suffered from low pay.” Indeed, the pay records suggest that the pay ranges of i-SOON’s workforce were much lower than the industry average.
A 2021 report issued by China’s Ministry of Industry and Information Technology (MIIT) stated that “the average monthly salary in the cybersecurity industry has reached 22,387 yuan (US$3,500)” in June 2021 and “big cities, such as Beijing, Shanghai, Shenzhen, Guangdong province, Hangzhou, Zhejiang province, and Chengdu, Sichuan province, had high demand for such talent.” However, 90 percent of i-SOON employees were paid less than 22,387 yuan in an October 2022 employee salary record. Even the two research lab employees who were considered critical talents for i-SOON’s business were paid mostly from 9000 rmb (US$1250) to 19,000 rmb (US$2640). Only one engineer reached the claimed national average.
The low pay has caused i-SOON a serious problem of employee retention. i-SOON’s CEO, nicknamed “Shutdown” [also spelled Shutd0wn], and Chief Operating Officer (COO) “lengmo” often lamented that highly skilled software developers and engineers had quit to work for competitors because of higher pay. The two executives discussed how to retain the employees. In one chat log conversation from 2021 between lengmo and an employee who had submitted his resignation, lengmo tried to persuade the employee to look at the bright side of working for i-SOON. He said it might lead to a better career development track, and he offered a promotion if the employee stayed. The employee complained that the salary had not gone up much at all when the company’s business had done well in 2019.
Other than the uncompetitive pay, i-SOON’s employee retention dilemma illustrates “big fish eat small fish” atmosphere in the cybersecurity industry in China. The big fishes are the state-level (国家级) companies. State-level companies, in this case, are not necessarily state-owned enterprises (SOE); they can be companies in which the government has significant investment or is considered to have significant value to the country. These “big fishes” often subdue small fishes like what i-SOON considered itself to be. In one chat log conversation in August 2022, Shutdown explained why i-SOON had failed to pay a bonus to employees in 2020, leading to low morale. He said it was because Qi An Xin – one of the largest cyber security companies in China, providing products and services to over 90% of China’s central government departments, central government-led enterprises, and large banks – had promised to “take a stake” in i-SOON, but instead, “Qi An Xin poached many of our core staff, then they changed their mind” about the investment. (It is unclear what he had in mind, as Qi AN Xin already has a 13 percent stake in Shanghai i-Soon. Maybe they were asking Qi An Xin to invest in the subsidiary, Sichuan i-SOON).
Alternative route to recruit
To fight the big-fish-eat-small-fish battle, i-SOON has been taking alternative routes to recruit talent with a focus on “attack and defense live-fire” (攻防实战) practical skills rather than on having a fancy degree on paper.
The leaked documents showed that not all employees of i-SOON had college degrees. For example, a roster of personnel who were qualified to handle classified information showed a total of 15 employees with their qualifications. Of these, only 4 had a bachelor’s degree, 10 had associate degrees and 1 had only a high school diploma. Nevertheless, the employee with a high school degree held the title of software development manager in i-SOON. Considering the i-SOON likely chose its best employees to handle classified information, these 15 employees were likely representative of the education level of i-SOON employees. This means that only around 26 percent of i-SOON employees had a 4-year university degree.
It appears that i-SOON consciously welcomed candidates who lacked a bachelor’s degree. i-SOON’s CEO Shutdown stated that employees with “attack and defense live-fire capabilities” did not need a college degree as long as “they know how to do [the work].”
What is a cybersecurity talent with live-fire capabilities? In 2022, the Chinese Ministry of Education published a “White Paper on the Live-fire Capabilities of Cybersecurity Talents: Attack and Defense Live-Fire Capability Edition” (English translation here). The White Paper defined four types of cybersecurity talent live-fire capabilities: "attack and defense live-fire capabilities," "vulnerability mining capabilities,” "engineering development capabilities," and "combat effectiveness evaluation capabilities." As to the particular attack and defense live-fire capabilities, the White Paper stated the capabilities refer to:
the ability to use cybersecurity technologies and tools to carry out security monitoring and analysis,
risk assessment,
penetration test event research and judgment [i.e. evalution],
security operations and maintenance, and
emergency response in real business environments.
The White Paper noted, “the factors that determine the level of these capabilities include the skill level in attack and defense business technologies, understanding of cutting-edge technology and industry dynamics, and degree of mastery of business models and service scenarios.”
The Natto Team could not determine whether i-SOON’s Shutdown had this official “attack and defense live-fire capabilities” definition in mind, but his past patriotic hacker experience definitely exposed him to people who had practical skills without a fancy degree. In a chat from August 2020, Shutdown directed lengmo to pursue a recruiting strategy focusing on students from less-prestigious technical or regional educational institutions. He said, “We could look for talent in a technical school.”… “(we) have to let HR [Human Resources personnel] expand the recruiting channels … take advantage of hosting college competitions and establish contacts and cooperation with universities in Sichuan province, including those technical schools in 2nd and 3rd tier cities. … Nowadays, many colleges and universities have cybersecurity majors. People who have attack and defense live-fire capabilities do not need degrees from elite universities.”
i-SOON’s recruiting strategy appears a way to sustain the business, but it was not a mainstream talent solution. According to a data analysis of the education status of live-fire attack and defense cybersecurity talents from the 2022 Attack and Defense Live-Fire Capability White Paper, “the ‘bachelor's degree’ group is still the main force in the industry, accounting for 68% [of employees], followed by the ‘master's degree’ group, accounting for 18%, the ‘junior college and higher vocational school’ group accounting for 10%, while the total proportion of people with ‘high school’ or ‘secondary vocational school’ education is less than 5%.”
Process
i-SOON Process strategy: “it doesn’t matter if a cat is black or white, as long as it catches mice.”
According to People, Process, Technology analysis, a process brings together people and technology in a combination of actions or steps aimed at achieving a particular goal. In general terms, processes are repeatable and theoretically produce similar results, regardless of who is performing them.
When it comes to how to achieve the optimum result, i-SOON’s management style gives the air of barely restrained chaos. That is, to borrow a saying from former Chinese leader Deng Xiaoping on the virtues of pragmatism, “it doesn’t matter if a cat is black or white, as long as it catches mice.” i-SOON’s executives and employees seemed to exist constantly on the edge, forever looking for new contracts and saving existing contracts from failing, because each business deal had so much uncertainty and so many moving parts.
i-SOON’s business offerings
The Natto Team’s October 2023 report on i-SOON noticed that i-SOON’s “business services” webpage advertises public security, anti-fraud, blockchain forensics and enterprise security solutions as well as trainings. In 2013, i-SOON established a department for research on APT network penetration methods. Business partners that i-SOON listed included all levels of public security agencies, including the Ministry of Public Security, 10 provincial public security departments, and more than 40 city-level public security bureaus.
The 2024 i-SOON leak fleshes out a rich picture of what the company really offered. Analysts from HarfangLab, an Endpoint Detection and Response (EDR) service provider based in France, detailed i-SOON’s commercial product and service offerings in a report published on March 1, 2024. The report explained the functionalities of i-SOON’s products in the category of offensive software, platforms, appliances (hardware products), and social media tools and gave an overview of i-SOON’s services and consulting business. Offerings include a “Network traffic countermeasures system (网络流量反制系统)” – i.e. a DDoS-for-hire system – an Integrated Combat Platform, and tools for monitoring social media and storing and querying stolen personal data. The Natto Team won’t repeat the effort in this regard. However, we would like to focus on i-SOON’s business process.
Business process: chasing, tagging along, teaming up and diversifying
i-SOON’s business process focused both on producing products and developing services and on selling them to clients. To sell its products and services, i-SOON often contracted with industry partners, as the previous Natto Thoughts report discussed. The leaked chat log conversations suggest i-SOON also twinned its products and services with other companies’ business offerings to share profit. When tagging along with industry bigwigs, i-SOON often had to sacrifice profit in the hope of more business opportunities in the future. For example, when Shutdown discussed with lengmo a technical support service project for Qi An Xin, lengmo complained that it represented “high overhead, low profit” for i-SOON. lengmo suggested limiting this kind of technical support arrangement in the future. Shutdown explained that the goal of working alongside Qi An Xin was to grow with the big market, since Qi An Xin had contracts to support the Public Security Bureau’s 2 billion yuan (US$278 million) cyber security services.
From the i-SOON leak, the Natto Team noticed i-SOON has had a closer business relationship with Qi An Xin than with any other companies. One likely reason was that Qi An Xin is Shanghai i-SOON’s second largest investor, with 13 percent of shares. Looking into two years of chat log history between Shutdown and lengmo, spanning the period August 2020-August 2022, the company name “Qi An Xin” was mentioned most often, with 100 mentions. This means Qi An Xin was in the conversations of these two executives at least once a week.
To make a successful business deal, i-SOON often teamed up with other companies to enhance their bids in bid rigging schemes as we discussed in the last Natto Team report. i-SOON also collaborated with companies that had specific qualifications required by clients, such as certain security clearance levels, to bid for projects. If they won the contract, i-SOON often paid 10 percent or more in profit-sharing to those companies for contributing employees with the needed qualifications.
i-SOON also diversified its consulting services according to clients’ needs by either sending security consultants to client sites or bringing clients in to work with i-SOON’s technical service staff. Additionally, in at least one case discussed in the chat log, one of i-SOON’s public security clients requested the company to put two of its employees on i-SOON’s payroll in return for the client's continued patronage. In essence, the client appeared to be trying to offload the employees’ costs from its own budget onto i-SOON. (An alternative possible motive of the Chinese security entity –to embed its own personnel into i-SOON to monitor the company for loyalty – may have been the case a generation ago. However, based on close observation of the current workings of Chinese security agencies, the Natto Team assesses that the security agency's motive for embedding the employees is less likely for surveillance than to share the financial burden).
The complexity of i-SOON’s business process reflects the Chinese business culture, as the previous Natto Thoughts report discussed. It also shows how i-SOON, as a small-to-medium size company, struggled to compete with “state-level” companies like Qi An Xin because i-SOON’s business resources were not on the same level.
Technology
i-SOON Technology strategy: find and exploit vulnerability
The third leg of the PPT framework is technology. In the words of one PPT overview, “Technology provides tools that people can leverage to carry out the processes. It also helps in automating certain processes for quick and tangible results. Given its benefits, organizations can be tempted to invest more in technology. However, they should ensure that the technology fits well into the organization.”
As mentioned above, other reports have shown the tools that i-SOON employees used to develop the data exfiltration and surveillance services i-SOON offered to clients. Some of those tools were automated, such as the “automated penetration testing platform” with “advertised ‘deep learning’ capabilities, thanks to which it can extract information and classify emails automatically.” The i-SOON leaked documents do not have enough information to evaluate how i-SOON invested in technology to enable its employees to develop these tools. However, on several occasions, Shutdown, lengmo and other employees did discuss investing in the acquisition of Trojan malware, 0-day vulnerabilities and exploits from third parties. i-SOON also follows vulnerability disclosure closely. When the US government advisory about a vulnerability in the Log4j2 logging tool was released on December 10, 2021, employees of i-SOON were asking whether anyone has seen an exploit for Log4j2.
So What?
i-SOON is neither as sophisticated as some analyses have portrayed it, nor as unsophisticated as others have depicted.
An examination of i-SOON with the People, Process and Technology framework, shows that i-SOON as a company was not very impressive from a business perspective. The education level of i-SOON’s workforce was below the national level; the business process faced hurdles from the “big fish eat small fish” reality of the industry; and i-SOON constantly hunted for tools to improve its data-stealing efficiency and productivity to supplement its own limited research and development capability.
At the same time, i-SOON capabilities were likely greater than others have estimated. For example, the HarfangLab i-SOON report assessed that i-SOON does not possess in-house exploit development capability. It is unclear to what extent i-SOON’s personnel were able to develop their own exploits, but not for lack of trying. In one chat log conversation, Shutdown indicated that one member of the attack and defense research lab discovered and exploited a vulnerability from a gambling platform. “This vulnerability will help us to handle the gambling platform’s custom service terminals easily,” Shutdown said. As mentioned above, employees of i-SOON were discussing the Log4j2 vulnerability and commenting that they had seen a proof-of-concept for exploiting it but had not seen an actual exploit. They said another Chinese company in their circle was working on it. In another chat log conversation between two i-SOON employees, one said, “Sometimes when (I was) lucky and discovered a vulnerability, (I could) target multiple targets.”
With its main business focus on detecting vulnerabilities and cyber intrusions for hire, i-SOON might draw on and operationalize exploits others had developed: whatever it took to get its job done. In the leak documents i-SOON boasted of having breached or being able to access organizations in more than 30 countries. Some of its tools were quite sophisticated.
So, was i-SOON a “significant superpower” as a threat actor? A recently released video presentation from a September 2022 invitation-only conference pointed to overlaps between i-SOON and the Chinese APT group Red Scylla (a.k.a Earth Lusca or Red Hotel), as the Natto Team also did in its October 2023 report. The 2022 presentation characterized Red Scylla / Earth Lusca as a “significant superpower” threat actor, “one of the most prolific, deeply connected, and most technically advanced actors around” and “one of the most pervasive, capable China-based actors in recent history” based on observed technical data and related analysis through the so-called diamond model framework. Other analysts have pointed to overlaps between i-SOON and APT activity known as “Earth Empusa,” “Evil Eye” or “Poison Carp”. It appears that these APT operations, directed by Chinese government agencies, rely on a variety of companies like i-SOON for tools and services to carry out their operations. Yet, in isolation, a company like i-SOON is far from a “significant superpower.”
An i-SOON employee complained in a chat that their access to a US target had been lost. Another employee said, “It’s normal. That’s why (we) hardly ever target US targets because it is so easy to lose access and easy to be exposed.” So, it seems i-SOON hackers were not yet good enough to maintain backdoors in US targets. A Chinese government entity might outsource that work to a different company. If that’s the case, we’d better be prepared.