i-SOON Toolkit: What is “TZ”?
Network investigation and reconnaissance work is so critical for the Chinese Public Security bureaus that it needs a code name, “TZ.”
The Natto Team and many other cyber threat intelligence (CTI) analysts have seized the rare opportunity presented by the leak of Chinese hacker-for-hire company i-SOON’s internal messages. The leaked materials allow us to cross-examine past research findings; explore threat actors’ tactics, techniques and procedures (TTPs); and probe the motivations and intents of Chinese threat actors. The Natto Team has found one aspect of the i-SOON leaked documents that has not been discussed much. This is “TZ”, two letters in the Latin alphabet, likely an acronym. It appears more than 80 times across the over 570 leaked documents, including chat logs, product marketing white papers, compromised data samples, screenshots and images. What does TZ stand for? Interestingly, no explanation can be found anywhere in the documents. Even i-SOON’s product marketing white paper, Integrated Combat Platform (一体化作战平台), mentions TZ 17 times, but it never explains what TZ stands for or means. It sounds as if TZ was a code name for something. Well, maybe it is time for us to decode the meaning of the mysterious TZ.
From What We Knew
The i-SOON leaks displayed quite a few two-letter acronyms in various chat logs, contracts, and product marketing papers. Some of them were known Chinese acronyms used in chat rooms or forums when users want to be discreet and avoid censorship while discussing sensitive topics. These two-letter acronyms are usually the initial letters of Chinese characters written out in Pinyin, the standard system of romanized spelling for transliterating Chinese. For example:
AQ – in Pinyin: ān quán; in Chinese: 安全; in English: security; in the context of the leak it refers to offices of the Ministry of State Security.
GA – in Pinyin: gōng ān; in Chinese: 公安; in English: public security; in the context of the leak it refers to offices of the Ministry of Public Security.
QB – in Pinyin: qíng bào; in Chinese: 情报; in English: intelligence.
ZC – in Pinyin: zhēn chá; in Chinese: 侦查 (detect, investigate, scouting) or 侦察 (reconnaissance, scouting).
JG – in Pinyin: jūn gōng; in Chinese: 军工; in English: military industry.
JK – in Pinyin: jiān kòng; in Chinese: 监控; in English: surveillance or monitoring.
From the above acronyms, we believe TZ stands for a phrase consisting of two Chinese characters whose Pinyin initials are “T” and “Z.” After checking a Chinese dictionary and sorting through hundreds of two-character phrases with Pinyin initials “TZ”, the Natto Team singled out the following as possibly relevant in context:
tóu zī, 投资, investment
tè zhēn, 特侦, short for 特殊侦查(侦察), special investigation or special reconnaissance
tè zhǒng, 特种, special (military)
tàn zhēn, 探针, probe, detector
tǒng zhàn, 统战, unification
tǒng zhì, 统治, rule
tiǎo zhàn, 挑战, challenge
tǐ zhì, 体制, system
tù zi, 兔子, rabbit
tóng zhì, 同志, comrade
tiě zi, 帖子, post
tī zi, 梯子, ladder
Adding to the complexity, it appears TZ can also be an acronym for an English phrase. On February 20, 2024 (see below), two days after the i-SOON leak, a user on HiNative, a Quora-like global language Q&A platform based in Japan, asked in Chinese what “network TZ business” means. It is likely this user was reading the same documents as we were. In this case, inquisitive minds think alike.
One responder suggested it means “time zone” in English and provided examples: “网络TZ业务 (wǎngluò TZ yèwù) refers to online time zone services.” … “For example 在这个全球化的时代,网络TZ业务变得越来越重要。(Zài zhège quánqiúhuà de shídài, wǎngluò TZ yèwù biàn dé yuè lái yuè zhòngyào.) (Pinyin transliteration). In this globalized era, online time zone services are becoming increasingly important.” (English translation).
TZ as “time zone” sounds like a plausible suggestion, but we have quite a few other alternatives to choose from as well. The difficult part is deciding which one is the answer.
TZ Used in the i-SOON Leaks
The Natto Team started by looking into the context in which TZ appeared in the i-SOON leaked documents. Here are the TZ phrases we discovered:
TZ业务: TZ business
TZ实战业务: TZ live combat business
TZ 工作: TZ work
TZ平台: TZ platform
TZ 武器装备: TZ weapon and equipment
TZ队伍: TZ team
TZ任务: TZ task
TZ市场: TZ market
TZ 销售队伍: TZ sales team
TZ指导处处长: chief of TZ Guidance Office
国家TZ的定位: positioning of the State TZ
TZ类的公司: TZ type companies
TZ队长; TZ副大队长: TZ captain; TZ vice-captain
TZ一线的人: TZ frontline people
TZ培训: TZ training
TZ 投资: TZ investment
TZ的黄埔军校: TZ’s Whampoa Military Academy (note: the Whampoa Military Academy is the first military academy established by Sun Yat-sen, the first provisional president of the Republic of China. https://thechinaproject.com/2021/06/16/the-profound-legacy-of-chinas-whampoa-military-academy/)
TZ领域的培训: TZ field training
TZ建设: TZ building
网安TZ: network security TZ
网络TZ队伍: network TZ team
TZ行业: TZ industry
TZ服务能力: TZ service capability
TZ总队: TZ unit/brigade
TZ比武: TZ competition
TZ能力: TZ capability
TZ实验室: TZ lab
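The phrase list above is the result of a keyword-in-context pass over the leaked documents: find every standalone occurrence of an unknown acronym and collect the characters on either side of it. The following Python script is an added example (not the Natto Team’s code, and not run against the leak) of how an analyst can automate that pass over a document set. The sample lines in SAMPLE_DOCS are constructed to imitate the shapes of the phrases listed above; they are not quotes from the documents. The script also separates hits that have no Chinese characters on either side, which is the quickest way to set aside the English “time zone” reading (for instance the Unix TZ environment variable) from the Pinyin-initial reading. It works for any Latin acronym, not only TZ.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the leaked documents) that imitate the
# shapes of the TZ phrases discussed in the post, plus two deliberate non-phrase
# cases: a Latin-context "TZ" (the Unix time-zone variable) and a longer Latin
# token "HTZ" that must not be counted as the acronym.
SAMPLE_DOCS = [
    "各级公安网络TZ队伍和TZ实验室建设不断发展",
    "TZ 武器装备的使用机制需要科学管理",
    "网络TZ业务的发展趋势决定平台方向",
    "公司的TZ业务收入依赖TZ平台升级",
    "export TZ=Asia/Shanghai",
    "这次会议讨论了HTZ型号的设备",
]

CJK = "[\u4e00-\u9fff]"  # basic CJK Unified Ideographs block


def kwic(text, acronym="TZ", window=4):
    """Keyword-in-context: for every standalone occurrence of `acronym` in
    `text`, return (left, right), the runs of up to `window` CJK characters
    immediately before and after it. An occurrence glued to other Latin
    letters or digits (e.g. 'HTZ') is not treated as the acronym."""
    hit_re = re.compile(rf"(?<![A-Za-z0-9]){re.escape(acronym)}(?![A-Za-z0-9])")
    left_re = re.compile(rf"({CJK}{{0,{window}}})\s*$")   # trailing CJK run
    right_re = re.compile(rf"^\s*({CJK}{{0,{window}}})")  # leading CJK run
    hits = []
    for m in hit_re.finditer(text):
        left = left_re.search(text[: m.start()]).group(1)
        right = right_re.match(text[m.end():]).group(1)
        hits.append((left, right))
    return hits


def phrase_counts(docs, acronym="TZ", n=2):
    """Count acronym + the following n CJK characters across the documents,
    i.e. the collocations the post lists by hand (TZ业务, TZ平台, ...)."""
    counts = Counter()
    for doc in docs:
        for _left, right in kwic(doc, acronym, window=n):
            if right:
                counts[acronym + right[:n]] += 1
    return counts


def latin_context_hits(docs, acronym="TZ"):
    """Documents containing an occurrence with no CJK characters on either
    side. These are candidates for the English reading (time zone) rather
    than the Pinyin-initial reading, and are reviewed separately."""
    return [
        doc
        for doc in docs
        if any(left == "" and right == "" for left, right in kwic(doc, acronym))
    ]


if __name__ == "__main__":
    for phrase, count in phrase_counts(SAMPLE_DOCS).most_common():
        print(count, phrase)
    print("Latin-context hits:", latin_context_hits(SAMPLE_DOCS))
```

Running the script over a real corpus means reading each document into a string (after converting office files or screenshots to text) and passing the list to phrase_counts; raising n from 2 to 4 or 5 surfaces the longer phrases such as TZ指导处处长, at the cost of splitting counts across variants.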
As previously mentioned, i-SOON’s Integrated Combat Platform product marketing white paper used the acronym TZ intensively. In the Preface section of the white paper, it states:
“In recent years, along with the continuous development and building of network TZ teams and TZ laboratories nationwide, network TZ teams of the public security bureaus at all levels have reached a high level in terms of both technical personnel talent reserve and tools and equipment development. Specialized network TZ laboratory teams have achieved good results in combating various types of online criminal activities and obtaining key clues and intelligence to protect national security. It has also demonstrated the importance of the network TZ team in the future of cyberspace guarding, governance, maintenance and other work.
However, with the development of the Internet and mobile networks such as 5G, the network TZ work has begun to have the characteristics of diversity, randomness, complexity, and tediousness, etc., and it is easy to have improper collaboration, improper cover, insufficient preparation, and insufficient contingency in the daily network TZ work, which leads to unclear tasks, slow implementation, and inefficiency in the TZ work.
Therefore, based on the current development trend and business direction of network TZ business, it is necessary to carry out integrated planning and build a professional integrated combat management platform for TZ business that is secure, covert, mobile, flexible and coordinating in daily TZ work, as well as with the full integration of various resources.
This comprehensive combat management platform is oriented to the task, network environment, resources and security protection all in one, with technical measures which are secure and concealed. The platform can scientifically manage the mechanism for the use of TZ weapons and equipment and improve the norms of task flow.” (Translated using DeepL.com (free version) with Natto Team edits)
This is a long description of TZ but does not say what TZ is. However, from the description, it appears that Chinese public security bureaus at all levels have TZ teams and do TZ work.
Looking into Chinese-language sources on the organizational structure of the public security bureaus and drawing on the Natto Team’s previous i-SOON research, we came across an obscure biographical profile on Baidu Baike, a Chinese version of Wikipedia, that listed the person’s workplace as “Political Commissar of the Network (Cyber) Special Investigation (Reconnaissance) Unit of the Cyber Security and Defense office of the Public Security Department of Jiangxi Province.” This clue suggested that the Cyber Security and Defense Bureau of the Ministry of Public Security (公安部网络安全保卫局) – for which i-SOON was one of the original certified suppliers – has a unit (支队) called 网络特侦支队 (wǎng luò tè zhēn zhī duì), Network (Cyber) Special Investigation (Reconnaissance) Unit. This could be shortened to Network TZ Unit. Aha, TZ in this case likely stands for special investigation or special reconnaissance. To further confirm this finding, the Natto Team went back to the Integrated Combat Platform marketing paper and discovered that on at least one occasion it used the phrase “特侦队伍” – special investigation/special reconnaissance team – without the TZ acronym. This was in the part where it said the platform “can facilitate technicians of the special investigation/reconnaissance team to carry out collaborative and synthetic operations. The team can share techniques, tools and equipment and results, giving full play to the advantages of collective combat.”
Note: in Chinese, 特侦, tè zhēn (TZ), is short for either 特殊(种)侦查 (tè shū (zhǒng) zhēn chá), meaning special investigation, or 特殊(种)侦察 (tè shū (zhǒng) zhēn chá), meaning special reconnaissance. 侦查 (zhēn chá) and 侦察 (zhēn chá) have the same Pinyin, but the second Chinese character differs, so 侦查 and 侦察 have slightly different meanings. Reading between the lines of the i-SOON documents, TZ can mean either of these two phrases depending on the context. “Special” likely refers to investigations or reconnaissance activities carried out covertly and/or by the public security or state security bureaus.
When TZ Means Special Investigation/Reconnaissance of Networks
To expand our understanding of what a special network investigation or reconnaissance team, lab, task, competition, capability, training, or business entails, the Natto Team re-examined the context in which TZ was mentioned in the i-SOON documents and conducted further research on Chinese procurement websites, various official government websites and Chinese search engines. We found that building the capability for special network investigation and reconnaissance appears to have been a priority at various levels – national, provincial, and local – of the Chinese public security bureaus. The investment in this effort appears significant, judging from government procurement orders for special network investigation/reconnaissance products and services. Companies like i-SOON that offer such products and services have seen a huge business opportunity in this area.
For example, in September 2020, the Cyber Security and Defense Department of the Chongqing Municipality Public Security Bureau issued a tender titled “Procurement of TZ Platform Upgrade and Supporting Hardware” (see screenshot below). The budget for the procurement order was 1.82 million RMB (around US$267K).
In the leaked i-SOON communications, when i-SOON’s CEO Wu Haibo, aka shutdown or shutd0wn, discussed the company’s business direction, he repeatedly emphasized the importance of TZ products to the company’s revenue. In one chat conversation with the company’s chief operations officer, lengmo, shutdown stated that the market and the clients had a huge demand for network investigation/reconnaissance products and asked lengmo to develop a strategy to improve the scalability of the company’s current products. Not only provincial-level public security clients but also county-level and township-level ones needed the products, shutdown said. The chat conversations also mentioned that several competitors were developing products and services related to network investigation/reconnaissance and that i-SOON worked with industry partners to sell such products and services as well. In addition, i-SOON’s business had benefited from offering network investigation/reconnaissance training programs to the public security bureaus.
Pivoting on this clue, the Natto Team searched sources such as Sogou, a Chinese search engine, for training programs similar to the ones i-SOON offered. Such programs seemed to be in high demand. For example, the Public Security Bureau in Hubei province ran a province-wide “Special Network Investigation/Reconnaissance Professional Work Training” course for officers who worked for the Cyber Security and Defense offices at various levels (see screenshot below).
Well, why is network reconnaissance so special? Probably every CTI analyst can easily give the answer based on the Cyber Kill Chain, the framework outlining the steps in any cyber threat operation. In any such campaign, reconnaissance is the first step: gather information on the target, identify weak points of the targeted system and set up an effective attack plan. i-SOON knew it, and so did the Chinese public security bureaus. Network reconnaissance can also be used defensively, as in penetration testing, to identify the vulnerabilities of a system one is protecting. For its part, network investigation usually refers to forensics for incident response and to law enforcement investigation of criminal incidents. Network reconnaissance and investigation are both relevant to the work of public security bureaus.
To conclude, the Natto Team replaced “TZ” with “reconnaissance” in the paragraphs quoted earlier from the preface section of i-SOON’s Integrated Combat Platform marketing paper. Does this all make sense now?
“In recent years, along with the continuous development and building of network reconnaissance teams and reconnaissance laboratories nationwide, network reconnaissance teams of the public security bureaus at all levels have reached a high level in terms of both technical personnel talent reserve and tools and equipment development. Specialized network reconnaissance laboratory teams have achieved good results in combating various types of online criminal activities and obtaining key clues and intelligence to protect national security. It has also demonstrated the importance of the network reconnaissance team in the future of cyberspace guarding, governance, maintenance and other work.
However, with the development of the Internet and mobile networks such as 5G, the network reconnaissance work has begun to have the characteristics of diversity, randomness, complexity, and tediousness, etc., and it is easy to have improper collaboration, improper cover, insufficient preparation, and insufficient contingency in the daily network reconnaissance work, which leads to unclear tasks, slow implementation, and inefficiency in the reconnaissance work.
Therefore, based on the current development trend and business direction of network reconnaissance business, it is necessary to carry out integrated planning and build a professional integrated combat management platform for reconnaissance business that is secure, covert, mobile, flexible and coordinating in daily reconnaissance work, as well as with the full integration of various resources.
This comprehensive combat management platform is oriented to the task, network environment, resources and security protection all in one, with technical measures which are secure and concealed. The platform can scientifically manage the mechanism for the use of reconnaissance weapons and equipment and improve the norms of task flow.”