A recent leak of internal documents from a Chinese hacking contractor has shed light on the operations and challenges faced by Shanghai-based iSoon, a company allegedly supporting government-led hacking endeavors. The leaked documents, including spreadsheets and chat logs, were posted on GitHub by an unknown individual, providing insights into the disaffected and poorly paid workforce behind these activities.
Experts analyzing the leaked documents have deemed them legitimate, correlating with existing knowledge about Chinese state-sponsored hacking. John Hultquist, chief analyst at Mandiant, notes that iSoon is part of a contractor ecosystem linked to China’s patriotic hacking scene, which has evolved over two decades.
The leaked records indicate that iSoon’s primary client is the Ministry of Public Security, primarily undertaking contracts related to domestic security interests. These contracts often involve hacking into Asian organizations, with one document revealing a charge of approximately $55,000 for hacking into the Vietnamese Ministry of Economy.
Despite the significant technical capabilities showcased in the leaked documents, employees at iSoon reportedly express dissatisfaction with their pay and working conditions. The leaked chat logs feature complaints about low salaries and discussions about playing mahjong in the office, highlighting discontent within the workforce.
Technical details within the records reveal iSoon’s reliance on tools like the Winnti backdoor and the PlugX remote access Trojan, which are not exclusive to the company. Tom Hegel, a senior threat researcher with SentinelOne, suggests that such shared capabilities underscore the interconnected nature of Chinese hacking groups.
The leaked documents also hint at iSoon’s alleged involvement in targeting NATO, although skepticism remains regarding the extent of this claim. While a screenshot mentions “NATO,” specifics about the alleged hack are limited, prompting speculation about potential exaggeration or discretion on the part of the leaker.
Dakota Cary, a consultant and nonresident fellow at the Atlantic Council’s Global China Hub, suggests that the leak may not significantly impact iSoon or provoke strong reactions from the Chinese government. However, the incident raises questions about the company’s operations and the broader landscape of state-sponsored hacking in China.
