The iSoon Leaks
TL;DR: A massive data leak from Chinese cybersecurity firm iSoon exposed its work as a hacking-for-hire contractor for PRC agencies, including breaching 14 governments. Researcher Mei Danowski analyzed the files, revealing a surprisingly…
A data leak at a big Chinese security company reveals not just that they're engaged in state-sponsored hacking-for-hire, but just how weirdly corporate a job that actually is. Our conversation with Mei Danowski, security researcher, about her analysis of the iSoon leaks.
Check out her excellent Substack, Natto Thoughts: https://nattothoughts.substack.com/
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: On February 16, this email account, registered only a month earlier, starts to upload a trove of files to GitHub.
Speaker 2: Some of my friends from the industry and people I know said, oh, just look at this. This is huge.
Speaker 1: It's a big corporate data leak to ring in the new year. And these files, internal messages, emails, chat logs, product marketing presentations, they tell the story of a corporate culture. It's honestly pretty familiar to anyone that has ever worked in an office. There's the usual stuff, urgent deadlines, people complaining about low pay or being overworked. There's people talking about wining and dining clients, about proposals and winning the big contract, about meetings that could have been emails. All the familiar stuff, it's right there. But if you keep reading, then you get to the unfamiliar stuff. You can start to put together a picture of how this company makes money, the kinds of products and services they provide, and who their clients are.
Speaker 2: They claim they provide software development and network technology services.
Speaker 1: Keep going, and you're gonna read all about how they're responsible for helping breach 14 governments around the world. You'll read about the custom hardware and snooping devices they sell, the software exploits they develop in house; you're gonna find out how much a data leak from this nation is worth versus this nation, how much they charge to get access to an individual's social media credentials. You will learn about how this company does contract work for several People's Republic of China agencies, including the Ministry of Public Security, the Ministry of State Security, and the People's Liberation Army. You will learn about the agencies they have been paid to hack within the governments of Rwanda, Indonesia, Malaysia, Thailand, Vietnam, Cambodia, Nigeria, Mongolia, Myanmar, Taiwan, India, and some shady stuff in Kyrgyzstan. The company at the heart of this leak is called iSoon. And with this data leak, we get a pretty unprecedented look at the inner workings of a Chinese state-sponsored hacking-for-hire operation.
Speaker 2: What I always want to do, you know, from a cybersecurity perspective, a threat intelligence perspective, is to understand the motivation and intent of a given threat group.
Speaker 1: When I imagine state-sponsored hacking, I imagine a big, tall, brutalist structure, its name unlisted in any directory, into which flows a steady stream of shadowy hacker mercenary people. But as with a lot of things, eventually the state looks to outsource, and things just gradually get corporatized. They turn to the private sector for consultants and vendors, they write RFPs, and they put out projects to tender and review proposals. Eventually, as we learn from the iSoon leaks, even state-sponsored hacking and international cyber espionage becomes a very corporate job. It becomes work.
Speaker 2: As a researcher, you try to understand the threat landscape about Chinese cyber operations.
Speaker 1: When the iSoon files first appeared on GitHub, Mei Danowski, a cybersecurity researcher, was one of the first people to really dive into it, and she wrote about what she found, at length, on her excellent Substack, Natto Thoughts, and as the story started to go wide, her analysis became the foundation of a lot of the big reporting on it. I wanted to understand the leak a little bit better, so I called her up.
Speaker 2: From what we understand from a hacking perspective, it's definitely hackers for hire.
Speaker 1: This is my conversation with security researcher Mei Danowski on the iSoon leaks, the ecosystem of hacking-for-hire companies in China, and what it means when shadowy work goes corporate. Here, on Hacked. Mei, thank you so much for taking the time to sit down and talk with me about all this.
Speaker 2: Yeah. Welcome. Glad to be here.
Speaker 1: So just to start, tell me a little bit about iSoon. What does this company do, and how do they fit into the cybersecurity landscape in China?
Speaker 2: Sure. So iSoon is a Chinese information security company. That's their official category. On their website, they claim they provide software development and network technology services, you know, such as blockchain forensics and enterprise security solutions, as well as trainings. So the company was headquartered in Shanghai, one of the largest cities in China, but also with subsidiaries and offices in at least four locations across China. And Sichuan iSoon, this is one of their subsidiaries located in Chengdu, a city in Sichuan province, was considered one of their biggest subsidiaries, focused on research and development. That's also their pen testing center. That's just officially how they describe themselves. But what we understand, because they do business with all kinds of clients, you know, enterprise clients, individuals, and then, you know, some of the Chinese government. But we don't really know at this point how big a part of their business is with the Chinese government. But from the leaked documents, we're gonna talk about it, we have understood a lot of their clients are government clients.
Speaker 1: We are talking about this, as you said, because of this recent round of leaks that you have written about at length. Can you share the story of how these leaks came to light?
Speaker 2: Somebody posted the leak on GitHub. I don't have a GitHub account, so somebody was telling me about this whole thing. There's something, you know, data about iSoon. Since I wrote about iSoon, this company, last October, four months before this leak, some of my friends from the industry and people I know said, oh, just look at this. This is huge. So once I started looking at this leak, I was like, wow. This is just something I would never have had the chance to know that much about.
Speaker 1: So these leaks appear on GitHub. Someone tells you to go read them, and you dive into this giant leak from iSoon. I think you described them in some of your writing as providing kind of a window into China's hacker-for-hire industry. What did we learn in these leaks?
Speaker 2: We have learned so much. First of all, as a researcher, you try to understand the threat landscape about Chinese cyber operations. A lot of times, we rely on open source information, like me. Mainly, that's the only source, open source information. But here, we can see from, like, the inside to understand how they work day by day. That's just overwhelming for me, kinda, like, a peek into somebody's private conversations, talking about their business, how they operate. You know, I will never get the chance to do that. So, yeah, it's definitely just overwhelming to know some of the stuff that we understand is real. Mhmm.
Speaker 1: A big part of it seemed to be the diversity of services that iSoon provides that go beyond what's on the website. It seems like there was discussion about DDoS attacks, social media monitoring. Can you tell me a little bit about the services they offer and how that feeds into larger Chinese state-sponsored cyber activities? What kind of services did we learn about from these leaks?
Speaker 2: So, there are services, on the surface, they said, you know, software development and enterprise security stuff. So they actually had, like, patents, proprietary software related to DDoS attacks and how to do surveillance services. And some of the software they develop can provide a database to search all the, they call, important persons, literally the persons the government needs to watch for. So there's a variety of software and services they developed to provide, like, products and tools to the government clients and all the other companies that needed them, you know, working for the government.
Speaker 1: So it's interesting. You know, so much of what's in these leaks is internal communications between iSoon employees, and it gives you a sense of almost the work culture. Can you tell me a little bit about how the company operates? You know, how these big government contracts get won. There's a lot of discussion about how clients get glad-handed and taken out for drinks to try and win the big contract. Can you tell me a bit about that?
Speaker 2: Yeah. That's definitely the most interesting part because, previously, our understanding was the government handed tasks to the companies, tasked them to do things. But from the leak, what we understand is that companies like iSoon, they literally try to court the government officials to get the contract, to try to do business with the government. So the process was not really easy for them to maneuver because you had to understand, you know, who's in charge of what, you know, different regions, public security offices, you know, who is in charge. Then, you know, if we bid for a contract, how much should we bid? You know, should we partner with somebody else? Then, you know, five companies, we can have a contract with those four companies, saying, you know, we're gonna try to do this, bid on this price, then you can bid a bit lower or something, you know, they call accompanying bidders. Then, you know, we will win it, and after we win it, you know, maybe you can get a cut. We can cooperate on some other things together. So they tried so hard to maneuver that process, you know, to do business, and then also it's already building up this community with the different information companies, to partner and to do this kind of business. It's not an easy process. It just shows, you know, that's why, you know, a lot of people wrote about it, and they talk about that too. It had to do with late night drinking, you know, going to the bars or clubs, you know, trying to entertain the clients, trying to, you know, get more information about the contract and stuff. And sometimes, also, we understand they try to make, like, an educated guess about what the client will want. Right? It's like, oh, maybe, you know, we just saw these policies, China developing the Belt and Road Initiative in this country. You know, maybe the client will be interested in this data.
You know, let's see if we can get access to this kind of data. If we get samples, we can show them, saying, oh, yeah. We have this kind of data. Do you think this is worth it for you to look at? Yeah. So that's, you know, how they do their business. My sense, you know, when I first read this whole thing, I was like, wow. That's so hard. This CEO, basically, from the chat, he works, like, from morning to late night, early ten. Like, they text each other, say, oh, you have to see what we should do? You know? It's not easy.
Speaker 1: No. It's also just so different from what I think of when I imagine China's state-sponsored hacking. I imagine a big building somewhere full of staff that never leave, that just do these tasks, and it sounds so much more like government contracts and companies bidding on them. It sounds so much more familiar to me than I was ever expecting.
Speaker 2: Yeah. That's definitely the thing, you know. I felt the same because before we were just understanding, oh, they do state-sponsored stuff. If they belong to the state, then they are very organized. And, you know, how they try to hide their tracks and then how they work on those things is more organized. But, actually, it seems that's not the case. You know? And that's just from looking into iSoon and the leaked documents, but there
Speaker 1: may Sure.
Speaker 2: might be, you know, some other more formal forces, you know, under the Ministry of State Security or under the Chinese military. That may be different. Sure. But in this case, it is one of a kind for us to understand.
Speaker 1: Right. These leaks don't necessarily mean that there aren't other types of state-sponsored hacking going on. It just means that there's probably so much of it that some of it needs to be outsourced to external vendors. Even the language of it just sounds like business jargon. And it's so interesting to me that what we're talking about is, you know, exploits that are gonna be deployed around the world.
Speaker 2: Yep. Yes. Definitely.
Speaker 1: Fascinating. Okay. I wanna understand the ecosystem a little bit better. I know from your writing that there's a connection between iSoon and an operation called Chengdu 404. Can you tell me a little bit about that?
Speaker 2: So Chengdu 404, this company was indicted, three of their employees were indicted, in 2020. So they were associated with one of the advanced persistent threat groups called APT41. Now we understand more from the leaks that this company actually operates similarly to how iSoon operates. So they have a lot of connections with each other because they were very close, in the same city, in Chengdu. And, very obviously, they know each other. They're buddies. They're drinking partners. They do business together. Then, also, you know, I first noticed iSoon because there's a lawsuit between these two companies, in October, a software development lawsuit case. So that's why, you know, it made me dig deeper on understanding iSoon. So this company, after the indictment, they're still doing business as normal. They're still working on the same things as they did before, and, also, their company grows as well. So they have registered 17 more proprietary software. And then they also get the funding from the local authorities as a small business.
Speaker 1: So
Speaker 2: They hire more people, employees, as they needed to, you know, to expand their business. So, yeah, it's just, the whole thing makes us understand this is not just one company. It's many, many companies dealing with similar things.
Speaker 1: Sure. It's this ecosystem of companies bidding on projects together, suing each other, doing what businesses do, existing in a marketplace, but the service they provide is hacking for hire, essentially.
Speaker 2: Yes. From what we understand, from a hacking perspective, it's definitely
Speaker 1: Mhmm.
Speaker 2: They are hackers for hire.
Speaker 1: Starting something new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e-commerce in the US. From household names like, well, Hacked podcast merch, to brands just getting started, you can get started with your own design studio with hundreds of ready-to-use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple Shop Pay button is used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning fewer carts sort of getting abandoned in the parking lot, and more sales for you. It's time to turn those what ifs into... Sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.
Speaker 3: Study and play come together on a Windows 11 PC. And for a limited time, college students get the best of both worlds. Get the Unreal College deal, everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer. While supplies last. Ends June 30. Terms at aka.ms/collegepc.
Speaker 4: When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications, and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at indeed.com/podcast. That's indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs.
Speaker 5: From athletic stuff like a full court pickup game, swish, to athletic-ish stuff
Speaker 2: like a half mile stroll.
Speaker 5: Get those steps in. Head to Sierra or sierra.com for the brands you want at the prices that let you do it all. From athletic to athletic-ish, Sierra's got it.
Speaker 1: You made reference to Advanced Persistent Threat 41, this hacking group. Can you tell me a little bit about what they are and what the connection is between APT41 and these companies you've been describing?
Speaker 2: So APT41, now we know, is attributed to this Chengdu 404 company. And the three actors, three persons, three employees, operated the company. So because a lot of times when we give an APT number, that's from the industry understanding, trying to do a technical analysis about a threat group. How do we understand, you know, who's behind, the real person behind one APT group? Sometimes, we don't really get it that far. So this is the, you know, the time, you know, when through the indictment, we understand APT41 is also behind, Chengdu 404 was behind APT41.
Speaker 1: So this APT41, this identified threat actor, we learned is actually Chengdu 404, who we have learned from these leaks is in business with iSoon. It's quite the ecosystem.
Speaker 2: Yes. Yes. Mhmm.
Speaker 1: Inside of China, how do these companies navigate this legal system? Is any of this illegal if it's coming from the state? How does the legal side of this all work?
Speaker 2: That's a very interesting question. My last writing about this question tried to answer this question.
Speaker 1: Sure.
Speaker 2: I don't think anybody in China, especially these companies, thinks about what they do as illegal because their order, their task, their business is from the government.
Speaker 1: Sure.
Speaker 2: If the government asks them to do anything, that's legit.
Speaker 1: Sure.
Speaker 2: So
Speaker 1: Yeah.
Speaker 2: There's no consequences. So even though Chengdu 404 is put down in an indictment from the US Department of Justice, there's nothing to do with their everyday life as long as they don't come to the US. Oh, that's their fault.
Speaker 1: To us, you're contractors to a state-sponsored hacking campaign; to you, you're a military subcontractor. Yeah. You're just bidding on a contract from the government.
Speaker 2: Yeah. Yeah.
Speaker 1: A couple weeks ago, officials in the States and the United Kingdom expanded this big list of hacking allegations claiming that China is responsible for breaching, I think, the UK election watchdog, accessing 40,000,000 people's worth of data. They filed criminal charges against a different Chinese hacking group for this multiyear hacking campaign. How do these leaks and this larger ecosystem of hacking groups feed into those unfolding stories of state-sponsored hacking abroad?
Speaker 2: I think that just means there's so many.
Speaker 1: Sure.
Speaker 2: And, also, like, the reason why you just talked about it, APT31, the actor was actually identified by an anonymous group, Intrusion Truth. So they identified some of the actors in the indictment. So what we're knowing now is this sounds like unstoppable. Right? You identify those that you try to stop in one group, and then the other groups are coming up. And, also, maybe this group probably existed long before the other group. We haven't really found out who they are. Right? But we definitely, you know, know, you know, from technical points, we know they are active actors. They were doing threat campaigns. They're targeting different entities around the world, trying to achieve the Chinese state's strategic goals. So a lot of people are talking about this naming and shaming strategy, whether it works or not. You know, so far, we just feel like it's not that effective in a way. But what else can we do? We're still thinking.
Speaker 1: Yeah. Naming and shaming might not be effective, but it's not really clear what would be effective given what we understand about how this marketplace works.
Speaker 2: Yeah. This marketplace and this the scale of the threat campaign
Speaker 1: There's no
Speaker 2: and how many companies working on this.
Speaker 1: You've gone on this whole investigative journey. You've dived into these leaks. What areas of it do you think warrant more investigation, more awareness regarding their impact on global cybersecurity? What should we be looking at next?
Speaker 2: That's really a good question. What I always want to do, you know, from a cybersecurity perspective, a threat intelligence perspective, is to understand the motivation and intent of a given threat group's actors. Because my understanding is, if you can understand why they do what they do, you can be more proactive to prevent what's gonna happen next. So sometimes we, companies and entities of government, if you don't know why they target you, you stop this one, then the other one will come up again. So if you know this is the reason they target us, oh, maybe I can avoid letting them know, I'll just do something else, then they might not target me on not doing what they do. So I think the most important thing for us is to understand their motivations, their objectives.
Speaker 1: Sure.
Speaker 2: Then we probably cannot stop them, but it will be less frequent in a way, you know, to prevent them from targeting us. But I think, on the bigger scale of great power competition, that's kinda, like, hard, you know, to stop. Yeah. Because some of the threat campaigns they're targeting is more political, cyber espionage. So as we know, a lot of countries do that. Right? Mhmm. So what we wanna stop, a lot of what we talked about before, what we emphasize, is the economic cyber espionage. So, not stealing intellectual property. So that's, you know, for a lot of companies, you should know what's your crown jewel, then you can protect it better.
Speaker 1: Right. By knowing who is hiring these companies, we can make better assumptions about what they might be looking for. Sometimes it's intellectual property. Sometimes it's political dissidents. But without knowing where the money is coming from, we can't really figure out what their, to use your phrase, motivations and intentions really are.
Speaker 2: Yep. Definitely.
Speaker 1: I have one last question. It's a silly one. You've spent all this time reading through messages, emails, like business communications. Do these seem like good places to work?
Speaker 2: Oh, you mean iSoon? Yeah. This company? It's oh, yeah. I no.
Speaker 6: No. No. Definitely not. It's not really like
Speaker 2: a place to work because everybody sounds like a little stressed, and the employees complained their pay is low and there's a lot of work. Yeah. And, also, the CEO, just from the CEO, so much struggle and just working day and night.
Speaker 1: Interesting.
Speaker 2: Then some of the projects, they don't even make money. And, also, the company kinda struggles too. They're saying there's at least three of their subsidiaries that actually didn't make money for several years. So, yeah, I don't think it's a, like, good place to work.
Speaker 1: I find that surprising. I would have thought that the reason you get into this stressful, like, politically contentious business is because the money must just be so good. And to hear that it's hard work, it doesn't pay that well, that's surprising to me.
Speaker 2: Yeah. Yeah. I'm not surprised. You're surprised.
Speaker 1: Mei, thank you so much for taking the time to talk with me about this. Your research into this was fascinating and, I think, really important, and everyone should check it out. So thank you so much.
Speaker 2: You're welcome. Thank you for having me talking to you.
Speaker 1: Appreciate it.