
China’s i-Soon indicted: "Hackers for hire" targeted Defense Intelligence Agency

Spearphishing and a dollop of social engineering FTW


Close readers of The Stack may recall mention of i-Soon, the Chinese offensive security contractor working for its government – a trove of its tools was dumped on GitHub in February 2024 in a fascinating breach.

On Wednesday a federal court unsealed an indictment charging eight i-Soon employees and two Ministry of Public Security (MPS) officers for “widespread hacking of email accounts, cell phones, servers…” 

The indictment reveals that i-Soon targeted the US’s Defense Intelligence Agency (which specializes in defense and military intelligence) among other federal organisations. Victims included two unnamed New York-based newspapers and several human rights organisations.

i-Soon: Big phishers

i-Soon, working as a hacker-for-hire, “conducted computer intrusions at the request of the MSS [China’s Ministry of State Security] or MPS.”

“i-Soon [also] conducted computer intrusions on its own initiative and then sold, or attempted to sell, the stolen data to at least 43 different bureaus of the MSS or MPS in at least 31 separate provinces and municipalities in China,” the Department of Justice alleged this week. 

The indictment gives a peek into i-Soon’s tactics, techniques and procedures (TTPs), including its clear guidance on making sure spear-phishing attacks carry the right pinch of social engineering (“chat with the target first before giving the link”). It also, to The Stack, re-emphasises what an attractive target unencrypted email content is for such groups.

“Email” shows up 63 times in the indictment, and when an intrusion succeeded i-Soon would typically download the contents of an inbox and sell them on.

Opsec fails a let-down for the team

(In March 2024, opsec failings by i-Soon let security researchers at Trend Micro raid its servers for malware samples, configuration and log files. The cybersecurity firm’s analysis showed that the group’s favoured tactic was brute-forcing government email accounts and then piggybacking on the first compromised account for extensive spear-phishing of its colleagues; needless to say, most recipients are more likely to click a link sent from a colleague’s compromised mailbox than one from a stranger.)
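The two-stage pattern Trend Micro described, a brute-forced mailbox followed by a burst of link-bearing mail to colleagues, is one a mail or identity team can look for in its own logs. The script below is an added illustration written for this article; it is not i-Soon tooling and not Trend Micro’s code. The log formats, field names, thresholds and every log line in it are constructed for the example, so the parsing would need adapting to a real mail server’s or identity provider’s format.

```python
"""Detection sketch for the pattern in the text: an account is brute-forced,
then used to spear-phish colleagues from inside the organisation.

Added example, not i-Soon's tooling or Trend Micro's code. Log formats,
field names, thresholds and all sample lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not real data). One event per line:
#   <ISO timestamp> auth user=<account> ip=<source> result=<ok|fail>
AUTH_LOG = """\
2024-03-01T08:00:01 auth user=alice@agency.example ip=198.51.100.7 result=fail
2024-03-01T08:00:20 auth user=alice@agency.example ip=198.51.100.7 result=ok
2024-03-01T08:01:00 auth user=bob@agency.example ip=203.0.113.9 result=fail
2024-03-01T08:01:05 auth user=bob@agency.example ip=203.0.113.9 result=fail
2024-03-01T08:01:11 auth user=bob@agency.example ip=203.0.113.9 result=fail
2024-03-01T08:01:16 auth user=bob@agency.example ip=203.0.113.9 result=fail
2024-03-01T08:01:22 auth user=bob@agency.example ip=203.0.113.9 result=fail
2024-03-01T08:01:30 auth user=bob@agency.example ip=203.0.113.9 result=ok
2024-03-01T08:02:00 auth user=carol@agency.example ip=192.0.2.44 result=fail
2024-03-01T08:02:30 auth user=carol@agency.example ip=192.0.2.44 result=ok
"""

# Constructed outbound mail log (not real data). One message per line:
#   <ISO timestamp> mail from=<account> to=<recipient> has_link=<0|1>
MAIL_LOG = """\
2024-03-01T08:05:00 mail from=bob@agency.example to=dave@agency.example has_link=1
2024-03-01T08:05:10 mail from=bob@agency.example to=erin@agency.example has_link=1
2024-03-01T08:05:20 mail from=bob@agency.example to=frank@agency.example has_link=1
2024-03-01T08:05:30 mail from=bob@agency.example to=grace@agency.example has_link=1
2024-03-01T08:06:00 mail from=alice@agency.example to=dave@agency.example has_link=1
2024-03-01T08:07:00 mail from=alice@agency.example to=erin@agency.example has_link=0
"""


def parse(line):
    """Parse one constructed 'key=value' log line into a dict with a datetime."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_bruteforced_logins(auth_log, max_fail=5, window=timedelta(minutes=10)):
    """Return {(user, ip)} where at least `max_fail` failures from one source IP
    against one account were followed by a success from the same IP, all within
    `window`. A success capping a long failure run is the signature of password
    guessing that worked, not of a user who mistyped once."""
    recent_fails = defaultdict(deque)  # (user, ip) -> timestamps of failures
    hits = set()
    for line in auth_log.splitlines():
        rec = parse(line)
        key = (rec["user"], rec["ip"])
        fails = recent_fails[key]
        while fails and rec["ts"] - fails[0] > window:  # expire old failures
            fails.popleft()
        if rec["result"] == "fail":
            fails.append(rec["ts"])
        elif len(fails) >= max_fail:
            hits.add(key)
            fails.clear()
    return hits


def find_internal_phish_bursts(mail_log, suspect_users, min_recipients=4,
                               window=timedelta(minutes=10)):
    """For accounts already under suspicion, return {user: [recipients]} when the
    account sends link-bearing mail to `min_recipients` or more distinct people
    inside `window`: the piggyback spear-phish from a trusted internal sender."""
    sent = defaultdict(list)  # user -> [(ts, recipient)] for mails with links
    bursts = {}
    for line in mail_log.splitlines():
        rec = parse(line)
        if rec["from"] not in suspect_users or rec["has_link"] != "1":
            continue
        history = sent[rec["from"]]
        history.append((rec["ts"], rec["to"]))
        recipients = sorted({to for ts, to in history if rec["ts"] - ts <= window})
        if len(recipients) >= min_recipients:
            bursts[rec["from"]] = recipients
    return bursts


def run(auth_log=AUTH_LOG, mail_log=MAIL_LOG):
    """Chain the two detections: brute-forced accounts, then phishing sent from them."""
    brute = find_bruteforced_logins(auth_log)
    suspects = {user for user, _ip in brute}
    return brute, find_internal_phish_bursts(mail_log, suspects)


if __name__ == "__main__":
    brute_hits, phish_bursts = run()
    for user, ip in sorted(brute_hits):
        print(f"brute-forced login: {user} from {ip}")
    for user, recipients in phish_bursts.items():
        print(f"internal phishing burst from {user}: {', '.join(recipients)}")
```

Gating the mail-burst check on accounts that already tripped the brute-force rule keeps the second rule from firing on a legitimate all-hands mail with a link in it; in production the thresholds and window would be tuned to the organisation’s own baseline, and the source IP would normally be enriched with geolocation or ASN data before alerting.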

The indictment suggests that i-Soon’s offensive security platform let it bypass MFA on Outlook, Gmail and X accounts once a target had clicked a malicious link. It provides no further technical detail on the technique or on any vulnerabilities exploited in these services. Link-driven MFA bypass of this kind is, in general, consistent with adversary-in-the-middle phishing that relays the victim’s login and captures the resulting session token rather than with any flaw in the providers’ MFA, but the indictment does not say whether that is what was used.

The FBI said in a separate statement: “The Ministry of State Security (MSS) and its domestic police agency the Ministry of Public Security (MPS), weaponize InfoSec companies by tasking companies that advertise legitimate cybersecurity services to also use their expertise to gain unauthorized access to victim networks to collect for China's intelligence services. This ecosystem of InfoSec companies and freelance hackers enables and encourages indiscriminate global cyber activity, while providing the Chinese government with a layer of plausible deniability.”

Trend Micro noted in early 2024 that i-Soon had also been seen building SoftEther VPN servers on compromised public-facing servers to support post-exploitation movement in victims’ networks; exploiting CVE-2023-32315, a CVSS 7.5 authentication-bypass (path traversal) flaw in the admin console of the open-source Openfire XMPP server that can be chained to code execution; and exploiting CVE-2022-21587, a widely exploited CVSS 9.8 unauthenticated remote code execution flaw in the Web Applications Desktop Integrator component of Oracle E-Business Suite.

Arguably more exotically, it has been spotted using a still-evolving backdoor called XDealer. As Trend Micro identified, XDealer DLL loaders were “signed with valid code signing certificates issued by GlobalSign to two Chinese companies… one is a human resource company, while the other is a game development company. It’s likely that their certificates were stolen and abused to sign malicious executables,” the company said. A valid signature therefore says only that the signer held the key, not that the publisher named on the certificate intended to ship the binary; allow-listing by signer name alone would have let these loaders through.
