The Register on the leak of Chinese infosec vendor’s hacking activities

[Photo: The I-Soon office building in Chengdu, China, on Tuesday. Credit: Dake Kang/Associated Press]

A cache of stolen documents posted to GitHub appears to reveal how a Chinese infosec vendor named I-Soon offers rent-a-hacker services for Beijing. The trove appeared on GitHub last week and contains hundreds of documents documenting I-Soon’s activities. Analysis of the docs by infosec vendor SentinelOne characterizes I-Soon as “a company who competes for low-value hacking contracts from many government agencies.” SentinelOne and Malwarebytes found I-Soon claims to have developed tools capable of compromising devices running Linux, Windows, macOS, iOS, and Android. The Android attack code can apparently retrieve and send a user’s entire messaging history from Chinese chat apps, plus Telegram.

The Chinese crew claimed to have cracked government departments in India, Thailand, Vietnam, South Korea, and of having accessed a NATO system. Other material appears to see I-Soon bid for work in Xinjiang – a province in which Beijing persecutes the Muslim Uyghur population – by claiming to have run anti-terrorist ops in Pakistan and Afghanistan. Some of the leaked docs describe hardware hacking devices I-Soon employs – including a poisoned power bank that uploads data into victims’ machines.

According to Risky.biz, some of the leaked docs detail an exchange between I-Soon staff as they ponder whether it is possible to get details of exploits found during the Tianfu Cup – a Chinese hacking contest modeled on Pwn2Own.

Infosec luminary Brian Krebs’s take on another document is that it describes how I-Soon has “various ‘clients’ that appear to be different Chinese government agencies seeking access to foreign government systems.” Those clients “supply a list of targets they’re interested in, and there appears to be something of a competitive industry that has sprung up to gain the access requested.” That industry pays out when attackers achieve access to a site on a client’s target list, with one document mentioning a bounty for cracking the FBI.

So what? The trove is remarkable as it appears to be the first known instance of a leak from a Chinese hacker-for-hire. Documents detailing how I-Soon tries to win work from Chinese government agencies do therefore offer insight into how Beijing outsources its infosec offensives. But the doc dump is also a little dull. Early analysis doesn’t suggest I-Soon possessed capabilities not already observed among Chinese attackers. Consider, too, that contractors with cyber capabilities flourish around the world. Wherever you reside, your government probably has dealings with them. That China has a similar ecosystem should surprise nobody.

The Register expects further revelations may flow from the trove, as it contains hundreds of screenshots of documents in Chinese. Machine translations of the trove are starting to appear here, but The Register knows from bitter experience that using optical character recognition to extract text from images before subjecting the results to web translation engines produces funky results. We’ll keep an eye out for proper translations and bring you more news if they reveal juicier fare. 

https://www.theregister.com/2024/02/22/i_soon_china_infosec_leak/

Comment: Found this last night. The role of Chinese patriotic hackers was long suspected before the connection was proven. I was involved in obtaining that proof a long, long time ago. I wish I could tell you how we did this. It’s a hell of a story. Many of us in the cyber community at the time were jealous of the way both China and Russia were able to use private sector hackers in their operations. I tried to sell the idea by likening it to an SF team advising and directing an indigenous force. Unfortunately, few in cyber were also SF so it ended up like a bunch of pigs looking at a wristwatch… a lot of curiosity, but precious little understanding.

Coincidentally, or maybe not coincidentally, there was a major AT&T cellular network outage. That was all over the news. I didn’t even have my cell phone on, so without the news I would have missed it. My first thought was that it was a Chinese hack, but it reportedly was caused by a badly implemented software update in the AT&T system. That could be just a wild guess on someone’s part. We’ll probably have a better idea what happened in a few days.

Another major cyber event occurred today. Healthcare technology giant Change Healthcare confirmed they were the victim of a cyberattack. It caused massive consequential problems for a lot of patients, but I heard nothing about this on the news. Only a tip from Eric Newhill alerted me to this news. I would not be surprised if someone was trying to keep this quiet. I would also not be surprised if the Chinese had something to do with this one.

TTG

https://techcrunch.com/2024/02/21/change-healthcare-cyberattack/


26 Responses to The Register on the leak of Chinese infosec vendor’s hacking activities

  1. jld says:

    @TTG
    “like a bunch of pigs looking at a wristwatch… “

    😀 Thanks for the laugh.

  2. Eric Newhill says:

    United, the parent company of Change Healthcare is now saying the attack came from a state actor, though they don’t mention which state actor they suspect.

    The simultaneous ATT goof-up seems too coincidental, but I guess coincidences do happen.

  3. babelthuap says:

    Yes. UnitedHealth Group. Major attack and all the companies they gobbled up. Presumed state sponsored cyber terrorism. Absolutely being hushed up.

    • Eric Newhill says:

      The impact on filling prescriptions is what is being emphasized in what few media stories are available. However, the impact goes well beyond that. A vast and diverse array of critical services provided by CHC to insurance companies as well as healthcare providers are now offline/down. Moreover, CHC databases have the full range of protected personal information on many millions of Americans, names, addresses, DOB, diagnoses, procedures, healthcare encounters, doctors, prescriptions, credit card info and more.

      It seems the attack occurred as CHC was implementing a patch on some new front-end user-interface type software that is used at pharmacies to interface between the pharmacies, doctors and insurance companies. The hackers were aware of the new software implementation and the need for a patch by following tech communications. They seized the opportunity as the patch was being applied. I don’t know how all of that works, but I am told that is the best way for hackers to get in. Once in, they may have been able to penetrate other aspects of CHC’s business. The scope and scale of the penetration is being assessed now.

      CHC says they noticed the penetration occurring and took their systems off-line immediately, with the implied suggestion that they thwarted the attack from completing. No one is taking that for granted.

      • TTG says:

        Eric Newhill,

        Thanks for the info. Heard earlier that the military prescription system was affected. Don’t know if that included the VA system. Yes, a system is particularly vulnerable when a patch or update is applied. That means the hackers were watching the system and waiting for the opportunity. It’s good the attack was spotted fairly quickly. At least we’re learning something.

        • Eric Newhill says:

          TTG,
          What is the purpose of such an attack? I can imagine a few, but most of my imagines don’t completely add up. I am out of my range of experience and knowledge when it comes to all of this cyber stuff.

          Any ideas beyond pure information theft and possible ransom of what was stolen? My question assumes that the state actor source is true. Do state actors really want to hold data for ransom? I’m thinking that $50 million (a guess on my part) in ransom is chicken feed to China, Russia, NoKo or even Iran. Is it to test methods? Is it a threat of something bigger to come?

          • TTG says:

            Eric Newhill,

            With the information we have, it’s difficult to fathom the purpose. Usually for a state sponsored hack, the goal is information. The best way to do that is to not disrupt the hacked system and never be discovered. In this case, it may have been a failed hack. They were discovered. Maybe a system disruption led to the discovery or maybe the intrusion detection system noted the hack and the company shut down all or part of the system to stop the hack.

            There’s a hell of a lot of useful personal information in a health care technology company. Think of the information obtained in the OPM hack about a massive number of government employees and appointees. China has pushed hard on AI for decades. Years ago I envisioned that China could be developing a complete, detailed simulation of the entire US government. Such a model would be a boon to dealing with any competitor. A hack like this recent one could have netted a lot of medical data to add to that AI model.

            Beyond intelligence, a state will hack to do what we call intelligence preparation of the battlefield, to gain a knowledge of an enemy’s systems, to gain access and install back doors to those systems and even to install destructive malware in those systems.

            North Korea does hack for money. I know of no other states that do that. Criminal hacker groups most often hack for money through outright theft or ransom, but those activities are not part of any government tasking that I know of.

          • Eric Newhill says:

            TTG,
            Thank you for the detailed well-informed response. I completely understand the data that would be captured and the modeling inputs objective.

            The battlefield preparation possibility is one of those that I imagined, more or less; a recon by fire sort of thing was what came to mind, but based on your answer I see it is more than that. That one scares me because it makes me think that something much bigger could be on the way when they’re ready. That Obama Netflix film (can’t recall the name), which I haven’t seen, appears to be a warning about the much bigger “thing”.

          • mcohen says:

            Eric, probably after covid 19 data.

          • LeaNder says:

            The best way to do that is to not disrupt the hacked system and never be discovered.

            Learned that from Bill Blunden’s Rootkit, a book that mostly turned me into one of those pigs mentioned above. But my problem seemed to be related to the kernel.

            Once upon a time, I found myself struggling verbally with PL about hackers. All of them bad, was his position. My challenge went something like there are White, Black and Gray Hats. Not that a SF man may not be very, very aware of people who consider his work or respective tasks more black than gray or white.

            Blunden argued in his originally published book in 1984 that the US education system avoided studying the black hatters tools, which was terribly wrong. …

            But yes, I appreciate EN’s question about the difference between purely criminal and state actors. I kept wondering about what may be the criteria.

            Blunden apparently seemed to be no friend of Cyberwar, neither was I, at the time I stumbled across him.

            Presentation at Black Hat, 2009:
            https://www.blackhat.com/presentations/bh-usa-09/BLUNDEN/BHUSA09-Blunden-AntiForensics-SLIDES.pdf

            https://www.coasttocoastam.com/guest/blunden-bill-67423/

            https://www.belowgotham.com

  4. leith says:

    Xi knows that Putin got away with it with no consequences. He probably figures that his hacking of US entities will be written off as a hoax like Putin’s was.

    • TTG says:

      leith,

      China has been hacking the bejeezus out of us long before the rise of Xi. Back in the day, they were known for not being especially elegant. Their attacks were loud and brazen. At times they would attempt to extract so much data that an installation’s entire IT system overloaded and shut down. They DDOSed their own hack.

  5. leith says:

    Off topic.

    Commander of the Ukrainian Air Force claims that another of Russia’s version of AWACS, the Beriev A-50, has been destroyed. This one was downed over Krasnodar, much further back from where the previous one was shot down. Russia says it was friendly fire, because the range (220km) was too far from possible Ukrainian launch sites. However Ukraine did have old long-range S-200 SAMs that have a range of 300km. So perhaps they upgraded them and matched them up with Patriot radars for another of their FrankenSAMs? Or perhaps IFF for Russian air defense units is terrible? Or perhaps the GUR and Budanov . . . ?

    https://www.pravda.com.ua/eng/news/2024/02/23/7443442/

    https://news.liga.net/ua/politics/news/hur-ta-povitriani-syly-znyshchyly-rosiiskyi-a-50-v-raioni-azovskoho-moria-dzherelo

    https://twitter.com/bayraktar_1love/status/1761086294212452572

  6. jim.. says:

    It’s a Combination of United Health and Its Other Medical/Pharmacy Company
    Optum, Inc…The Cyber Attack has cut off Most Prescription Processors for Military Clinics and Hospitals.. We Could not get My Wife’s Life Supporting Maintenance Medicines Filled at Our Pharmacy Yesterday..

    Sir Andrew Witty..of England..is The CEO of Both United Health and Optum Inc…and Has Done Extensive Medical Services Work in Singapore..and Was Honored as an
    Honorary Citizen of Singapore…

    It Seems Likely The Extensive CCP Hacker System Knew How to Hack Both Companies United Health and Optum, Inc..From Its Systems Access ..by Chinese
    Programmers at Some Point.. Hope The Systems Get Online Soon..

    • Barbara Ann says:

      jim..

      Singapore ≠ China. Never go full Tom Cotton.

    • babelthuap says:

      Stand up and get your bingo prize. There is a major problem right now. Handing over the boat and the steering wheel to private companies. It wasn’t like that not too long ago.

      The government had full control. It wasn’t perfect by a long shot but it was more secure, mainly due to it being all over the place. Impossible to hit it and get this outcome. The IT realm however wants insane efficiency. With that comes congregation of data. It did not take into account countries targeting it for full effect.

      The solution is redundant feeder roads for the interstate. The feeders will now be built. Unfortunately it took an epic malfunction to understand why we need the slow Model T feeder roads. Basically the American way. Massive fail, adapt and defeat the enemy.

      • TTG says:

        babelthuap,

        Most of what makes this country run is in the private sector including the IT realm. Those private entities do not have to answer to our government for the most part. A major problem for IT security is that most of that private sector does not even want to cooperate with the government to secure those systems. Surely you don’t want the government taking over all those IT systems and the data on those systems.

        • Eric Newhill says:

          Trust me on this, you don’t want the government controlling private companies’ data in any way and you do want private companies. This is not only a philosophical position on my part. It is practical experience talking.

          Private companies are highly motivated to not be hacked. The financial consequences – including law suits – are potentially formidable and enterprise terminating; as is the reflex to move to more government control as a solution. Private companies want to avoid both negative outcomes – “want” does mean just what I think they should try for. Rather it is what the private companies are actually actively trying to avoid. The problem is they may not always know how to achieve security and maintain independence.

          Seems to me the government, as a public service, should share the most current intelligence and best practice information with private companies in a regularly scheduled, perhaps quarterly, forum.

          Invitees from the private companies would have to be well screened so as to avoid enemy moles/paid informants from attending. Perhaps even occasional seemingly dangerous, but in reality harmless, blue dye misinformation could be provided by the government to see if it is acted on by moles within the invite list.

          • TTG says:

            Eric Newhill,

            I am with you on this. Not only do I not support the government controlling private companies’ data, but I know our government can in no way accomplish such a massive task. The private IT realm dwarfs anything the government has. Even the NSA’s collection efforts are dwarfed by what private companies collect on us. Besides, as you said, private companies are not only motivated to keep their own networks secure for financial reasons, but they know their networks best. And, as you also said, they religiously seek to avoid any further government regulation. But they do take shortcuts in IT hygiene in order to increase efficiency and profits.

            A couple of decades ago, there was one FBI unit that sought the type of cooperation between government and private entities in the cyber realm. It was the National Cyber Forensics Training Alliance (NCFTA) in Pittsburgh. “The NCFTA is a non-profit information sharing alliance funded by financial firms, internet companies and the federal government.” It works much as you describe except it was a constant personal connection, not just quarterly meetings. The SSA who started this initiative understood the primacy of private enterprises in the cyber realm and the futility of trying to force those companies into compliance with cyber best practices. He established a true cooperative arrangement that worked. I’m pretty sure that effort and philosophy is being pursued at some of the new cyber agencies. He worked hard at building the trusted relationships needed to make it all work. The NCFTA was also home to another FBI cyber effort that was similar to my own. You might enjoy the story of Master Splynter and DarkMarket.

            https://www.wired.com/2008/10/darkmarket-post/

            https://www.cnet.com/news/privacy/q-a-fbi-agent-looks-back-on-time-posing-as-a-cybercriminal/

      • LeaNder says:

        There is a major problem right now. Handing over the boat and the steering wheel to private companies.

        Now you definitively perplexed me, babelthuap.

        Would you care to explain to this nitwit?
        “we need the slow Model T feeder roads”

  7. jim.. says:

    Barbara Ann…Is Tom Cotton a character From Huckleberry Finn..?

    Singapore Has Very Good Relations with One China ..Bamboo Road Policies
    And The Chinese in Singapore Like The Trade..Don’t Understand Your Point..
    kind of Spooky..lol…I just Reported what I Read about Sir Andrew..in Singapore.

  8. mcohen says:

    Strange times indeed. Back in the day in Africa getting hacked involved either a machete or an axe. Some people I know never put important stuff on computers or phones. They use water molecules that can transmit information by drinking them. Gives new meaning to the concept “information stream”.

  9. JimmyWeate says:

    Good luck 🙂
