Hacked - The iSoon Leaks
Episode Date: April 16, 2024
A data leak at a big Chinese security company reveals not just that they're engaged in state-sponsored hacking-for-hire, but just how weirdly corporate a job that actually is. Our conversation with Mei Danowski, security researcher, about her analysis of the i-Soon leaks. Check out her excellent Substack, Natto Thoughts: https://nattothoughts.substack.com/
Transcript
On February 16th, this email account, registered only a month earlier, starts to upload a trove of files to GitHub.
Some of my friends from the industry and people I know say, oh, just look at this.
This is huge.
It's a big corporate data leak to ring in the new year.
And these files, internal messages, emails, chat logs, product marketing presentations, they tell the story of a corporate culture. It's honestly pretty familiar to anyone that has ever worked in an office. There's the usual stuff: urgent deadlines, people complaining about low pay or being overworked. There's people talking about wining and dining clients, about proposals and winning the big contract, about meetings that could have been emails. All the familiar stuff, it's right there. But if you keep reading, then you get to the unfamiliar stuff.
You can start to put together a picture of how this company makes money.
The kinds of products and services they provide and who their clients are.
They claim they provide software development network technology services.
Keep going and you're going to read all about how they're responsible for helping breach 14 governments around the world.
You'll read about the custom hardware and snooping devices they sell, the software exploits they develop in house. You're going to find out how much a data leak from this nation is worth versus this nation, how much they charge to get access to an individual's social media credentials. You will learn about how this company does contract work for several People's Republic of China agencies, including the Ministry of Public Security, the Ministry of State Security, and the People's Liberation Army. You will learn about the agencies they have been paid to hack within the governments of Rwanda, Indonesia, Malaysia, Thailand, Vietnam, Cambodia, Nigeria, Mongolia, Myanmar, Taiwan, India, and some shady stuff in Kyrgyzstan.
The company at the heart of this leak is called i-Soon.
And with this data leak, we get a pretty unprecedented look at the inner workings of a Chinese state-sponsored hacking-for-hire operation.
What I always want to do, you know, from a cybersecurity perspective, a threat intelligence perspective, is to understand the motivation and intent of a given threat group.
When I imagine state-sponsored hacking, I imagine a big, tall, brutalist structure.
Its name unlisted in any directory into which flows a steady stream of shadowy hacker-mercenary people.
But as with a lot of things, eventually the state looks to outsource, and things just gradually get corporatized.
They turn to the private sector for consultants and vendors. They write RFPs and they put out projects to tender and review proposals. Eventually, as we learn from the i-Soon leaks, even state-sponsored hacking and international cyber espionage becomes a very corporate job. It becomes work.
As a researcher, you try to understand the threat landscape about Chinese cyber operations.
When the i-Soon files first appeared on GitHub, Mei Danowski, a cybersecurity researcher, was one of the first people to really dive into it. And she wrote about what she found at length on her excellent Substack, Natto Thoughts. And as the story started to go wide, her analysis became the foundation of a lot of the big reporting on it.
I wanted to understand the leak a little bit better, so I called her up.
From what we understand, from a hacking perspective, it's definitely hackers for hire.
This is my conversation with security researcher Mei Danowski. On the i-Soon leaks, the ecosystem of hacking-for-hire companies in China, and what it means when shadowy work goes corporate.
Here, on Hacked.
Mei, thank you so much for taking the time to sit down and talk with me about all this.
You're welcome. Glad to be here.
So just to start, tell me a little bit about i-Soon. What does this company do and how do they fit into the cybersecurity landscape in China?
Sure. So i-Soon is a Chinese information security company. That's their official category on their website. They claim they provide software development and network technology services, you know, such as blockchain, forensics, and enterprise security solutions, as well as trainings.
So the company was headquartered in Shanghai, one of the largest cities in China, but also with subsidiaries and offices in at least four locations across China. And Sichuan i-Soon, this is one of their subsidiaries located in Chengdu, a city in Sichuan province, was considered one of their biggest subsidiaries, focused on research and development. That's also their pen testing center.
That's just officially how they describe themselves. But what do we understand? Because they do business with all kinds of clients, you know, enterprise clients, individuals, and, you know, some of the Chinese government. But we don't really know at this point how big a part of their business is with the Chinese government. But from the leaked documents, which we're going to talk about, we have come to understand a lot of their clients are Chinese government clients.
We are talking about this, as you said, because of this recent round of leaks that you have written about at length.
Can you share the story of how these leaks came to light?
Somebody posted this leak on GitHub. I don't have a GitHub account, so somebody was telling me about this whole thing. There's just something, you know, data about i-Soon. Since I wrote about i-Soon, this company, last October, four months before this leak, some of my friends from the industry and people I know say, oh, just look at this. This is huge.
So once I started looking at this leak, I was like, wow, this is something I would never have the chance to know that much about.
So these leaks appear on GitHub.
Someone tells you to go read them and you dive into this giant leak from i-Soon. I think you describe them in some of your writing as providing kind of a window into China's hacker-for-hire industry. What did we learn in these leaks?
We have learned so much. First of all, as a researcher, you try to understand the threat landscape about Chinese cyber operations. A lot of times we rely on open source information, like, that's the main way, that's the only source: open source information. But here we can see from, like, from an insider, to understand how they work day by day. That's just overwhelming for me, kind of like a peek into somebody's private conversation, talking about their business, how they operate it. You know, I would never get the chance to do that. So, yeah, it definitely, it's just overwhelming just to know some of the stuff that we understand is real.
Mm-hmm.
A big part of it seemed to be the diversity of services that i-Soon provides that go beyond what's on the website. It seemed like there were discussions about DDoS attacks, social media monitoring. Can you tell me a little bit about the services they offer and how that feeds into larger Chinese state-sponsored cyber activities? What kind of services did we learn about from these leaks?
So there are the services on the surface, they said, software development and enterprise security stuff. But they actually had, like, patents, proprietary software related to DDoS attacks and how to do surveillance services. And some of the software they develop can provide a database to search all of what they call important persons, literally the people the government needs to watch. So there's a variety of software and services they developed to provide the products and the tools to the government clients, and all the other companies, if they needed it, working for the government.
It's interesting.
You know, so much of what's in these leaks is internal communications between i-Soon employees. And it gives you a sense of almost the work culture. Can you tell me a little bit about how the company operates, you know, how these big government contracts get won? There's a lot of discussion about how clients get glad-handed and taken out for drinks to try and win the big contract. Can you tell me a bit about that?
Yeah, that's definitely the most
interesting part, because previously our understanding was the government handed tasks to the companies, tasked them to do things. But from the leaks, what we understand is companies like i-Soon literally try to court the government officials to get the contract, to try to do business with the government.
So the process was not really easy for them to maneuver, because you had to understand, you know, who's in charge of what, you know, different regions, public security offices, you know, who is in charge. Then, you know, if we bid for a contract, how much should we bid, you know, should we partner with somebody else? Then, you know, if five companies bid, we can have an agreement with those four companies saying, you know, we're going to try to do this, you know, bid on this price, then you can bid lower or something; they call them accompanying bidders. Then, you know, we will win it, and after we win it, you know, maybe you can get a cut. We can cooperate on some other things together.
So they tried so hard to maneuver that process, you know, to do business. And also, to build up this community with the different information companies to partner with, to do this kind of business, it's not an easy process. It just shows, you know, that's why, you know, a lot of people wrote about it.
And they talk about that too. We had to do late-night drinking, you know, go to the bars, clubs, you know, try to entertain the clients, try to get more information about the contract and stuff.
And sometimes also, we understand, they try to make, like, educated guesses about what the client will want, right? It's like, oh, maybe, you know, we just saw these policies, China, while developing the Belt and Road Initiative in this country, you know, maybe the client will be interested in this data. And let's see if we can get access to this kind of data. If we get samples, we can show them, saying, oh, yeah, we have this kind of data. Do you think this is worth it for you to look at?
Yeah, so that's, you know, how they do their business. My sense, you know, when we first read this whole thing, it was like, wow, that's so hard. This CEO, basically from the chat, he works, like, from morning to late night. Every ten, like, they text each other saying, oh, we have this. What should we do? You know, it's not easy.
No.
It's also just so different from what I think of when I imagine Chinese state-sponsored hacking. I imagine a big building somewhere full of staff that never leave, that they just do these tasks. And it sounds so much more like government contracts and companies bidding on them. It sounds so much more familiar to me than I was ever expecting.
Yeah, that's definitely the thing, you know, I felt the same, because before we were just understanding, oh, they do state-sponsored stuff. If they belong to the state, then they are very organized, you know, how they try to hide their tracks, and then how they work on those things is more organized. But actually, it seems that is not the case. You know, just from looking into i-Soon and the leaked documents. But there might be, you know, some other more formal forces, you know, under the state, or under the Chinese military, that will maybe be different.
Sure.
But in this case, it's one of a kind for us to understand.
Right.
These leaks don't necessarily mean that there aren't other types of state-sponsored hacking going on. It just means that there's probably so much of it that some of it needs to be outsourced to external vendors. Even the language of it just sounds like business jargon. And it's so interesting to me that what we're talking about is, you know, exploits that are going to be deployed around the world.
Yes.
Yes, definitely.
Fascinating.
Okay, I want to understand the ecosystem a little bit better. I know from your writing that there's a connection between i-Soon and an operation called Chengdu 404. Can you tell me a little bit about that?
So Chengdu 404, this company was indicted; three of their employees were indicted in 2020. So they were associated with one of the advanced persistent threat groups, called APT41. Now we understand more about it from the leaks, that this company actually operated similarly to how i-Soon operated. So they have a lot of connections with each other, because they were very close, in the same city, in Chengdu, and very obviously they know each other, they're buddies, they're drinking partners. They do business together.
Then also, you know, when I first noticed i-Soon, it's because there's a lawsuit between these two companies, in October, a software development lawsuit case. So that's why, you know, it made me dig deeper on understanding i-Soon.
So this company, after the indictment, they're still doing business as normal. They're still working on the same things as they did before. And also their company grows as well. So they have registered 17 more proprietary software products. And they also get funding from the local authorities as a small business. They hire people, hire more employees as they needed to, you know, to expand their business.
So, yeah, it's just the whole thing makes us understand this is not just one company; it's many, many companies that do a similar thing.
Sure. It's this ecosystem of companies bidding on projects together, suing each other, doing what businesses do existing in a marketplace. But the service they provide is hacking for hire, essentially.
Yes. From what we understand, from a hacking perspective, it's definitely, they are hackers for hire.
Think about the last time you heard a breach story on this show. It always starts the same way. Someone somewhere saw something too late: an alert buried, a signal missed, a SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora superintelligence platform, a fully agentic system powered by a swarm of experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy. And all of this is running on their secure operations graph, a constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week and over a decade of real-world incident response. The system reasons on real signals and real context, not synthetic training data.
And the result is the new Aurora agentic SOC. It's the first SOC that is agent led by design. You get agents that coordinate, agents that investigate, agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher value strategy and proactive risk reduction while the agents handle the grind.
If you want to see what trustworthy, production-ready AI in security operations actually looks like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025, was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head. Organizations around the world saw headlines they never expected, and cybersecurity teams were tested like never before.
But here's the thing. These incidents aren't just news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded. And most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach. It's not fear mongering. It's practical, actionable intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
You made reference to Advanced Persistent Threat 41, this hacking group. Can you tell me a little bit about what they are and what the connection is between APT41 and these companies you've been describing?
So APT41, now we know it was attributed to this Chengdu 404 company, and the three actors, three persons, three employees who operated the company. So, because a lot of times when we give an APT number, that's from industry understanding, it's trying to do a technical analysis about a threat group. How do we understand who's the real person behind one APT group? Sometimes we don't really get it that far. So this is the time, you know, with the indictment, we understand APT41 is also behind it. Chengdu 404 was behind APT41.
So this APT41, this identified threat actor, we learned is actually Chengdu 404, who we have learned from these leaks is in business with i-Soon.
It's quite the ecosystem.
Yes, yes.
Inside of China, how do these companies navigate this legal system? Is any of this illegal? If it's coming from the state, how does the legal side of this all work?
That's a very interesting question. In my last writing about this question, I tried to answer this question.
Sure.
I don't think anybody in China is thinking about, especially this company, thinking about what they do as illegal.
Sure.
Because their order, their task, their business is from the government.
Sure.
If the government asks them to do anything, that's legit. So there's no consequences. So even though Chengdu 404 was put on an indictment from the U.S. Department of Justice, it's nothing to do with their everyday life. As long as they don't come out to the U.S., they're fine.
To us, you're a contractor to a state-sponsored hacking campaign; to you, you're a military subcontractor.
Yeah.
You're just doing, you're just bidding on a contract from the government.
Yeah, yeah.
A couple weeks ago, officials in the States and the United Kingdom expanded this big list of hacking allegations, claiming that China is responsible for breaching, I think, the UK election watchdog, accessing 40 million people's worth of data. They filed criminal charges against a different Chinese hacking group for this multi-year hacking campaign. How do these leaks and this larger ecosystem of hacking groups feed into those unfolding stories of state-sponsored hacking abroad?
I think that just means there are so many.
Sure.
And also, like, the reason why you just talk about it, APT31, the actors associated with it were actually identified by one of the anonymous groups, Intrusion Truth. So they identified some of the actors in the indictment. So what we know now is, this sounds like unstoppable, right? You identify this, you try to stop one group, and then the other groups come up. And also, maybe this group probably existed long before the other group. We haven't really found out who they are, right? But we definitely know, you know, from technical points, we know they are active actors. They were doing threat campaigns, targeting different entities around the world, trying to achieve the Chinese state's strategic goals. So a lot of people are talking about this naming and shaming strategy, whether it works or not. You know, so far we just feel like it's not that effective, in a way, but what else can we do? We're still thinking.
Yeah, naming and shaming might not be effective, but it's not really clear what would be effective, given what we understand about how this marketplace works.
Yeah, this marketplace and the scale of the threat campaigns, and how many companies are working on this.
You've gone on this whole investigative journey, you've dove into these leaks. What areas of it do you think warrant more investigation, more awareness regarding their impact on global cybersecurity? What should we be looking at next?
That's really a good question. What I always wanted to do, you know, from a cybersecurity perspective, a threat intelligence perspective, is to understand the motivation and intent of given threat actors, because from my understanding, if you can understand why they do what they do, you can be more proactive to prevent what's going to happen next. So sometimes we, companies and entities or governments, if you don't know why they target you, why they're targeting you, you stop this one, then the other one will come up again. So if you know, this is the reason they target us, or maybe I can avoid letting them know, or just do something else, then they might not target me, or not do what they do. So I think the most important thing for us is to understand their motivations, their objectives. Then we probably cannot stop them, but it will be less frequent, in a way, to prevent them from targeting us.
But I think on the bigger scale, about the great power competition, that's kind of, like, hard, you know, to stop. Because some of the campaigns, the targeting, is more political cyber espionage. So as we know, a lot of countries do that, right? So what we want to stop, a lot, what we talk about with emphasis, is the economic cyber espionage. So not stealing intellectual property. So that's, you know, for a lot of companies, you should know what's your crown jewel. Then you can protect it better.
Right.
By knowing who is hiring these companies, we can make better assumptions about what they might be looking for. Sometimes it's intellectual property, sometimes it's political dissidents. But without knowing where the money is coming from, we can't really figure out what their, to use your phrase, motivations and intentions really are.
Yeah, definitely.
I have one last question. It's a silly one. You've spent all this time reading through messages, emails, like, business communications. Did these seem like good places to work?
Oh, you mean i-Soon? Yeah.
This company? Yeah. No, no, definitely not. It's not like a place to work, because everybody sounds, like, a little stressed, and the employees complained their pay is low and there's a lot of work. Yeah, and also the CEO, just from the CEO, so much struggle, and just working day and night.
Interesting.
Then some of the projects, they don't even make money. And also the company kind of struggled, too. They were saying there's at least three of their subsidiaries that actually didn't make money for several years. So, yeah, I don't think it's a good place to work.
I find that surprising. I would have thought that the reason you get into this stressful, like, politically contentious business is because the money must just be so good. And to hear that it's hard work, it doesn't pay that well, that's surprising to me.
Yeah.
I'm not surprised.
You're surprised.
Mei, thank you so much for taking the time to talk with me about this. Your research into this was fascinating and I think really important, and everyone should check it out. So thank you so much.
You're welcome. Thank you for having me talking to you.
Appreciate it.
