UPDATED 14:28 EST / FEBRUARY 22 2024

SECURITY

Data leak reveals inner workings of Chinese state-linked hacking group

A trove of documents leaked to GitHub last week has revealed that I-Soon, a Shanghai-based cybersecurity training company, is in fact a hacking group.

Cybersecurity journalist Brian Krebs reported the leak today. The data trove posted to GitHub, which appears to have originated from I-Soon’s network, includes thousands of internal chat messages, marketing materials, screenshots and other files. Krebs cited multiple cybersecurity analysts as saying the records may have been published by a disgruntled employee.

On its website, I-Soon claims that its areas of focus include fields such as enterprise cybersecurity, fraud prevention and blockchain forensics. In reality, the company is reportedly a hacking group that carries out cyberattacks on behalf of multiple government agencies in China. One presentation in the leaked data trove reveals I-Soon has an “APT research team,” or a team dedicated to advanced persistent threat activities. 

Cybersecurity provider SentinelOne Inc. published an analysis of the leaked documents on Wednesday. According to the company, I-Soon’s targets over the years included at least 14 governments, NATO and a variety of other organizations. Furthermore, SentinelOne’s analysis suggests that the hacking group was behind a string of cyberattacks previously attributed to several different threat actors.

“Initial observations point to activities spanning a variety of targeted industry sectors and organizations as well as APT groups and intrusion sets, which the threat intelligence community tracks, or has been tracking, as distinct clusters,” SentinelOne’s researchers wrote.

The data leak also sheds light on I-Soon’s hacking tactics. According to SentinelOne, the documents included information about the company’s malware as well as the command-and-control infrastructure it uses to coordinate cyberattacks. Some of the leaked records revealed that I-Soon has developed custom hardware devices for stealing data from victims’ networks.

“Listed in the documentation were pictures of custom hardware snooping devices, including a tool meant to look like a powerbank that actually passed data from the victim’s network back to the hackers,” SentinelOne’s researchers detailed.

Many of the documents in the dataset posted to GitHub focused on the business side of I-Soon’s operations. Researchers found records that list the organizations the company has targeted and the fee it charged for each cyberattack. Meanwhile, leaked internal correspondence appears to suggest employee morale is low. 

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” SentinelOne’s researchers wrote. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”
