
It is arguably the biggest insider betrayal China has seen: an employee of the company i-Soon leaked data and service descriptions that were used to attack foreign companies and governments. China denies hacking foreign targets, but the leaked data is overwhelming, and the disclosure of the tools' capabilities is reminiscent of the Snowden leaks. Now China has its own Snowden.
According to research by specialists at Malwarebytes and SentinelOne, this is what happened: data from a Chinese cybersecurity provider working for the Chinese government revealed a number of hacking tools and services. Although the source is not entirely clear, it appears that a disgruntled employee of the company intentionally leaked the information.
Hackers in Chinese government services
The provider i-Soon (aka Anxun) is believed to be a private contractor operating as an Advanced Persistent Threat (APT) for the Chinese Ministry of Public Security (MPS). The leaked data falls into a few groups, such as complaints about the company, chat records, financial information, products, employee information and details about foreign infiltration. According to the leaked data, i-Soon has infiltrated several government agencies, including those of India, Thailand, Vietnam, South Korea and NATO.
Some of the tools i-Soon has used are impressive. Some highlights:
- Twitter (now
- Custom RATs (Remote Access Trojans) for Windows x64/x86: Features include process/service/registry management, remote shell, keylogging, file access logging, system information retrieval, remote disconnection, and uninstallation.
- The iOS version of the RAT also claims to support all non-jailbroken iOS device versions, with features such as hardware information, GPS data, contacts, media files and real-time audio recording as an extension. (Note: this part of the material dates from 2020.)
- The Android version can back up messages from all popular Chinese chat apps (QQ, WeChat, Telegram and MoMo) and can be elevated to a system app for persistence against internal restores.
- Portable devices for attacking networks from within.
- Special equipment for employees working abroad to establish secure communication.
- User search database that lists user data including phone number, name and email and can be correlated with social media accounts.
- Targeted scenario framework for automated penetration testing.
Governments and NATO were the targets
While some of the information is outdated, the leaked data provides a glimpse into the operations of a leading spyware provider and APT-for-hire. In the coming weeks and months, the discovery will certainly spark discussions in international diplomacy, and many countries will use the evidence to uncover gaps in their national security. According to Malwarebytes and SentinelOne, only the tip of the iceberg has been exposed; there is probably still a lot of material to be translated. Although this will take several more months, it will provide many important insights into state-sponsored hackers from China.
About Malwarebytes
Malwarebytes protects home users and businesses from dangerous threats, ransomware and exploits that go undetected by antivirus programs. Malwarebytes completely replaces other antivirus solutions in order to avert modern cybersecurity threats for private users and companies. More than 60,000 companies and millions of users trust Malwarebytes' innovative machine-learning solutions and its security researchers to avert emerging threats and eliminate malware that antiquated security solutions fail to detect. You can find more information at www.malwarebytes.com.
About SentinelOne
SentinelOne is a global leader in AI security. The Singularity platform detects, prevents, and responds to cyberattacks at machine speed, enabling organizations to secure their endpoints, cloud workloads, containers, digital identities, and mobile and network-connected devices quickly, accurately, and easily.