iSoon CEO, COO and Sales Director Among 10 Indicted for Cyberespionage, Wire Fraud

A U.S. federal grand jury in Manhattan indicted the senior leadership of a Chinese private sector hacking contractor for supporting Beijing cyberespionage operations roughly a year after internal documents from the firm leaked online.
The December indictment in the U.S. District Court for the Southern District of New York charges 10 individuals with computer hacking for their involvement in campaigns stretching back to 2016, and charges seven of the defendants with conspiracy to commit wire fraud. Eight of the defendants are associated with the firm and two are Ministry of Public Security officers.
The firm is iSoon, also known as Anxun Information Technology, part of a private sector hacking scene centered in Sichuan that Beijing cultivated and that has roots in the Chinese patriotic hacking scene of the early 2000s. The FBI said Wednesday that iSoon’s activities are publicly tracked as Aquatic Panda, Red Alpha, Red Hotel, Charcoal Typhoon, Red Scylla, Hassium, Chromium and TAG-22.
Known company targets include the New York State Assembly, where iSoon employees compromised at least one email inbox in July 2022. In October 2017, they also sent phishing emails to the Defense Intelligence Agency designed to mimic the DIA’s online login webpage. Other victims include the ministries of foreign affairs of multiple governments throughout Asia, news organizations, and “a large religious organization in the United States.”
Swept up in the indictment is iSoon CEO Wu Haibo, aka “Boss Wu.” Also named are Chief Operating Officer Chen Cheng and Sales Director Wang Zhe. The Department of State is offering up to $10 million for information about the company and the defendants.
Prosecutors said the firm generated tens of millions of dollars in revenue each year, with executives estimating that the business would do $75 million worth of business by 2025. Based in Shanghai but with employees located in the Sichuan capital of Chengdu, it has at times had more than 100 employees.
iSoon received hacking targets directly from the Ministry of State Security and the Ministry of Public Security. Prosecutors say Wang Liyu, an MPS officer named in the indictment, directed iSoon to hack into a New York-based newspaper opposed to the Chinese Communist Party and into the email accounts of a dissident. Another officer, Sheng Jing, also directed iSoon to hack the dissident and to trace domestic IP addresses that connected to the New York-based newspaper.
The firm also hacked targets on its own initiative in the hopes of later selling stolen data to Chinese government customers. Ministry of State Security and Ministry of Public Security bureaus often operate independently, creating a field of potential buyers for iSoon. The company worked with at least 43 different bureaus in at least 31 provinces or cities, prosecutors said.
iSoon’s offerings included the outright sale of hacking tools and training on how to use them. Its tools have included a password cracker and a phishing platform dubbed the “Automation Penetration Testing Platform,” which could send emails, create malware and clone legitimate login sites.
The firm offered guidance to its own employees on how to conduct successful phishing operations. Among its directives are to never batch together phishing emails, since that makes them easier to detect. It also emphasized the need to cultivate a relationship with victims, instructing employees not to include a malicious link in the first email. “Must chat with the target first before giving the link,” company guidance stated.
An unknown person in February 2024 posted a swath of internal company documents online depicting government clients, rates for penetrating government agencies, hacking tools and employee complaints about low pay and working conditions (see: Chinese Hacking Contractor iSoon Leaks Internal Documents).
Cybersecurity researchers at Natto Thoughts in a Wednesday blog post said iSoon still appears to be in business, albeit much reduced from its peak before the February 2024 leaks. Threat activity traceable to the firm has diminished, and it is embroiled in debt collection litigation and labor disputes, the blog authors wrote. “Contracts from China’s Ministry of Public Security, Ministry of State Security and Ministry of Defense – formerly providing a major part of i-SOON’s revenue – likely dried up.”
The U.S. government, through indictments and sanctions, has identified a handful of similar Chinese hacking contractors, including Sichuan Juxinhe Network Technology, which the Department of Treasury in January said is directly involved in the Chinese state actor tracked as Salt Typhoon, responsible for hacking into U.S. telecom networks. U.S. prosecutors in December 2024 indicted a Chinese hacker allegedly at the center of a zero-day exploit used to hack firewalls made by Sophos, tracing his hacking activity to time spent as an employee of Sichuan Silence Information Technology (see: US Indicts, Sanctions Alleged Chinese Sophos Firewall Hacker).