#### By Insikt Group®

# Attributing i-SOON:

## Private Contractor Linked to Multiple Chinese State-sponsored Groups

-----

### Executive Summary

On February 18, 2024, an anonymous GitHub user posted a trove of leaked documents and material from Anxun Information Technology Co., Ltd. (安洵信息技术有限公司; also known as i-SOON), a China-based cybersecurity and information technology company that almost certainly conducts offensive cyber-espionage operations for Chinese government clients. The leak offers an unprecedented glimpse inside the inner workings of China’s cyber-espionage ecosystem and represents the most significant leak of data linked to a company suspected of providing targeted intrusion services for Chinese security services. By correlating historical tracking of Chinese state-sponsored threat activity groups with the leaked material, Insikt Group identified strong infrastructure, tooling, victimology, and personnel overlap between i-SOON and multiple tracked Chinese state-sponsored threat activity groups that likely operate as subgroups under i-SOON: RedAlpha, RedHotel, and POISON CARP. The leaked material¹ ² corroborates our previous [assessment](https://www.recordedfuture.com/redhotel-a-prolific-chinese-state-sponsored-group-operating-at-a-global-scale) that RedHotel is one of the most prominent and active Chinese state-sponsored threat activity groups, based on the group’s consistently high operational tempo and global targeting remit. The leak also further supports [hypotheses](https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power) that Chinese state-sponsored groups are supported by “digital quartermasters” that enable the sharing of custom capabilities under commercial arrangements. In addition to gaining an understanding of the inner workings of cyber-espionage operations, network defenders can apply victimology intelligence gained from the leak to improve internal threat models.
This information, often obscured from public view, allows a more thorough understanding of why specific commercial, communication, or other data may be targeted and how it can be used for intelligence purposes. One such example from the i-SOON leak is the apparent exfiltration of call data records (CDR) and other material from multiple telecommunications companies, likely to enable tracking of individuals’ locations and communications within specific countries. Despite i-SOON's global impact and extensive targeting, it is a relatively small company operating alongside numerous other similar entities within China's complex private contractor landscape, again underscoring the broad scope and scale of Chinese state-sponsored cyber operations. In the aftermath of substantial media attention following the leak, we anticipate that i-SOON-linked threat activity groups will attempt to continue operations unabated beyond tactical operational security adjustments. We have already observed signs of renewed infrastructure development attributed to RedAlpha and RedHotel. Future tracking of the company’s targeting may provide insight into whether it will continue to be favored by Chinese security services for use against specific targets or whether it will be relegated to lower-priority tasking in the aftermath of the leak. In addition to potential internal changes, the leak is

¹ RedAlpha activity overlaps with public reporting under the aliases Deepcliff and Red Dev 3.

² RedHotel activity overlaps with public reporting under the aliases Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, Fishmonger, and Red Scylla.
1 CTA-CN-2024-0320 Recorded Future® | [www.recordedfuture.com](http://www.recordedfuture.com)

-----

- The public security system, which generally refers to police forces under the Ministry of Public Security (MPS)
- The state security system, which generally refers to intelligence forces under the Ministry of State Security (MSS)
- The military system, primarily meaning the People’s Liberation Army (PLA)

i-SOON’s activities on behalf of public security clients included targeting foreign government and telecommunications organizations that analysts may previously have assumed were more likely to be associated with state security priorities. This highlights overlapping areas of responsibility between public and state security organizations, and the broad use of offensive cyber operations across both systems. Countries in which government and corporate entities have almost certainly been targeted by i-SOON include India, Pakistan, Kazakhstan, Kyrgyzstan, Thailand, Malaysia, Mongolia, Myanmar, Nepal, Rwanda, Vietnam, Indonesia, Cambodia, Nigeria, Egypt, South Korea, Türkiye, and others, as well as entities in Hong Kong and Taiwan. We also note more ambiguous references to organizations within the leak, where it is unclear whether these organizations were victims, targets, or otherwise. Countries in which entities may have been targeted include the United Kingdom (UK) and the United States (US), as well as organizations such as the North Atlantic Treaty Organization (NATO).
³ While POISON CARP is often equated to the EvilEye/Earth Empusa cluster, [industry reporting](https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/) notes that these are likely distinct groups with access to the same vendor-developed tooling.

email addresses, girder1992@hotmail[.]com, resolved to the IPTELECOM ASIA IP address 43.239.156[.]63 throughout 2017 and 2018. This IP address also concurrently hosted one additional domain, news.1ds[.]me.
Notably, other subdomains of 1ds[.]me have direct links to RedHotel activity:

| SHA256 | C2 Domain |
|---|---|
| ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23 | ip.1ds[.]me |
| 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a | ip.1ds[.]me |

**Table 1: Associated RedHotel Winnti Linux samples (Source: Recorded Future)**

##### RedHotel Is a Prolific ShadowPad and Winnti (Linux) User

The previously established use of ShadowPad and Winnti (Linux) by i-SOON, both privately held custom malware families, aligns with [tracked RedHotel activity](https://www.recordedfuture.com/redhotel-a-prolific-chinese-state-sponsored-group-operating-at-a-global-scale) as one of the most prolific users of both of these

| Organization | Overlap Between i-SOON and RedHotel Victims |
|---|---|
| Nepal Telecom | The leaked i-SOON material references data exfiltrated from Nepal Telecom from May 2021 (see Figure 16). Insikt Group observed likely data exfiltration from Nepal Telecom corporate infrastructure to a RedHotel Spyder C2 IP address that same month, as previously reported. |
| Ministry of Economy and Finance (MEF) of Cambodia | The leaked material references exfiltrated data from fmis.mef[.]gov[.]kh, the Financial Management Information System (FMIS) of the Ministry of Economy and Finance of Cambodia. Insikt Group previously observed and reported on an FMIS mail server communicating with RedHotel ShadowPad C2 infrastructure in June 2022. |
| Thai Government Departments | The leaked i-SOON material also references multiple Thai government departments as victims, with no time frames provided. Many of these overlap with known RedHotel victims historically reported by Insikt Group. |
| Scientific and Technological Research Council of Türkiye | Using Recorded Future Network Intelligence, Insikt Group observed Scientific and Technological Research Council of Türkiye (Tübitak) SSL VPN and mail server infrastructure regularly communicating with a RedHotel actor-controlled server. This organization is also referenced in the i-SOON leak as having been compromised in 2020. |
| Various Telecommunications Organizations | The i-SOON leak refers to the compromise of multiple Asian telecommunications firms, including Myanmar Posts and Telecommunications (Myanmar), Digi (Malaysia), and Bayan Telecommunications (Philippines). While we have not observed RedHotel compromising these organizations directly, we have observed historical typosquat domains spoofing these organizations, which we attribute to RedHotel. For example: Myanmar Posts and Telecommunications (MPT): mpt[.]buzz and mptcdn[.]com; Bayan Telecommunications: bayantele[.]xyz; Digi: mydigi[.]site. |
| Hong Kong Universities | The leaked i-SOON documents reference multiple compromised Hong Kong universities from 2019 to 2021 (see Figure 17). This directly aligns with RedHotel activity reported publicly by ESET during this time frame. Notably, the ESET report describes subdomains that embed specific victim identities, in the forms b[org_name].dnslookup[.]services:443, w[org_name].livehost[.]live:443, and w[org_name].dnslookup[.]services:443. Based on passive DNS data, we observed that two of these overlapped with Hong Kong universities identified as victims in the i-SOON leak during this time period: Hong Kong University of Education (whkedu.dnslookup[.]services) and Chinese University of Hong Kong (wcuhk.livehost[.]live). |

### Appendix A — Indicators of Compromise

### About Insikt Group®

Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption.

### About Recorded Future®

Recorded Future is the world’s largest threat intelligence company. Recorded Future’s Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward.
Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,700 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence. Learn more at recordedfuture.com
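Returning to the victim-encoded subdomain scheme noted in the Hong Kong Universities row of the RedHotel overlap table, the following added example (not part of the Insikt Group report) shows how a defender could screen passive DNS records for that scheme and attribute hits to a maintained victim list. The two C2 parent domains and the two victim abbreviations are those the report names; the CSV row format, the generic-label exclusion list, and the sample rows are constructed assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple
# ESET-reported scheme for this RedHotel cluster, as cited in the report: a one-letter
# prefix ('b' or 'w') plus an abbreviated victim name, under an actor-controlled parent.
C2_PARENTS = ("dnslookup.services", "livehost.live")
LABEL_RE = re.compile(r"^(?P<prefix>[bw])(?P<org>[a-z0-9]{2,})$")
# Assumed exclusion list: "www" would otherwise parse as prefix 'w' + org 'ww' (false positive).
GENERIC_LABELS = {"www", "web", "wiki", "blog", "beta", "backup"}
KNOWN_ORGS: Dict[str, str] = {  # victim abbreviations the analyst maintains; both named in the report
    "hkedu": "Hong Kong University of Education",
    "cuhk": "Chinese University of Hong Kong",
}
class Match(NamedTuple):
    first_seen: str
    fqdn: str
    prefix: str
    org_token: str
    org_name: Optional[str]  # None: fits the scheme but the token is not yet attributed

def decode_label(fqdn: str) -> Optional[Tuple[str, str, str]]:
    """Return (normalized_fqdn, prefix, org_token) if fqdn follows the scheme, else None."""
    fqdn = fqdn.strip().lower().replace("[.]", ".").rstrip(".")  # refang defanged IoCs
    for parent in C2_PARENTS:
        if fqdn.endswith("." + parent):
            label = fqdn[: -(len(parent) + 1)]
            if "." in label or label in GENERIC_LABELS:
                return None  # multi-label hosts and generic names do not fit the scheme
            m = LABEL_RE.match(label)
            return (fqdn, m.group("prefix"), m.group("org")) if m else None
    return None

def hunt(pdns_lines: List[str]) -> List[Match]:
    """Scan pDNS rows (assumed CSV: first_seen,fqdn,rrtype,rdata) for scheme hits."""
    hits = []
    for line in pdns_lines:
        first_seen, fqdn, _rrtype, _rdata = line.split(",", 3)
        decoded = decode_label(fqdn)
        if decoded:
            fqdn, prefix, org = decoded
            hits.append(Match(first_seen, fqdn, prefix, org, KNOWN_ORGS.get(org)))
    return hits

# Constructed sample rows; addresses are RFC 5737 documentation space, not real C2.
PDNS_SAMPLE = [
    "2020-03-14,whkedu.dnslookup.services,A,203.0.113.10",
    "2020-06-02,wcuhk.livehost.live,A,203.0.113.11",
    "2020-06-02,www.dnslookup.services,A,203.0.113.12",      # generic label: ignored
    "2020-07-19,bexample.dnslookup.services,A,203.0.113.13",  # fits scheme: unattributed
    "2020-07-19,mail.example.org,MX,mx.example.org",          # unrelated parent: ignored
]
```

Unattributed hits (org_name of None) are the rows worth triaging first, since they may reveal victims not yet on the analyst's list.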