The “I-Soon” story that put a spotlight on China’s private for-profit hacking firms has been fleshed out somewhat by a new Trend Micro report, in which researchers find that a Chinese APT group that has been targeting government organizations since early 2022 is likely run by the company.
The group has a primary focus on compromising government organizations in Southeast Asia but has struck all over the world and occasionally does attack private businesses and NGOs. It is thought to be a more focused spin-off of another I-Soon team that took more of a “jack of all trades” approach and even hacked for profit at times.
Government organizations make up over half of hacking group’s victims
The researchers have been tracking the Chinese APT group’s activity for about two years, and in that time have confirmed at least 70 victims in 23 countries. Of those victims, 48 were government organizations.
The group has made attempts on targets in at least 33 countries, but most of its action is in Southeast Asia. The hackers have a variety of victims but seem to be most interested in Foreign Affairs ministries and departments.
The researchers have a high level of confidence that the Chinese APT group is part of I-Soon, a shady cyber services firm that was exposed last month by a document leak to GitHub. An apparently disgruntled insider exposed not only that the Chinese government regularly contracts the outfit for foreign espionage campaigns, but also that many other private firms compete for this sort of work.
Another element exposed by the leak is that while groups like this are competent, they are not at the level of the Chinese APT groups more directly tied to the country’s military. Cost-cutting appears to be a rampant issue, translating in some cases to underwhelming results for clients. While this particular group appears to have a high success rate and uses its own custom malware, its methods of approach are fairly simple and it also relies heavily on common open-source software to do its work.
Murky world of Chinese APT groups becoming more exposed
Much of the information on these private for-profit Chinese APT groups was exposed by the I-Soon leak, and now more is available thanks to the Trend Micro researchers managing to breach a server belonging to these hackers. This yielded a trove of internal documents, providing very useful information on the group’s custom malware and usual attack patterns.
The group has two main approaches: scanning the public-facing servers of government organizations for exposed documents and files that it might leverage for access, and finding employees to target with spearphishing emails. Phishing is also heavily deployed as a means of privilege escalation after an initial breach has taken place, with the group sending dozens or in some cases even hundreds of attack emails to other employees.
In some cases the Chinese APT group also uses brute force attacks on Exchange servers, simply probing for email accounts that might be secured by weak and easily guessed passwords. Any accounts compromised in this way are immediately put to use in spearphishing government organizations to expand access.
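A defender-side check for the Exchange password-probing pattern described above, added here as an example that is not from the Trend Micro report or this article. It scans constructed authentication log lines (the line format is an assumption) for a single source failing against many distinct accounts within a short window, and flags any of those accounts that then logs in successfully from the same source, which is the "weak password found, account now used for spearphishing" case the report describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the Trend Micro report). Assumed format:
# "<ISO timestamp> <source IP> <account> <FAIL|OK>", as an OWA reverse proxy
# or mail gateway might record authentication attempts.
SAMPLE_LOG = """\
2024-03-18T08:00:01 203.0.113.5 a.nguyen FAIL
2024-03-18T08:00:04 203.0.113.5 b.tran FAIL
2024-03-18T08:00:07 203.0.113.5 c.le FAIL
2024-03-18T08:00:09 203.0.113.5 d.pham FAIL
2024-03-18T08:00:12 203.0.113.5 e.hoang FAIL
2024-03-18T08:00:15 203.0.113.5 f.vo FAIL
2024-03-18T08:00:18 203.0.113.5 f.vo OK
2024-03-18T08:30:00 198.51.100.9 a.nguyen FAIL
2024-03-18T08:30:20 198.51.100.9 a.nguyen OK
"""

def parse(log_text):
    # Turn each log line into (timestamp, source, account, result).
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, account, result = line.split()
            events.append((datetime.fromisoformat(ts), src, account, result))
    return events

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: {"accounts": [...], "compromised": [...]}} for sources whose
    failed logons within `window` touch at least `min_accounts` distinct accounts;
    "compromised" lists sprayed accounts that later logged in OK from that source."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(t, a) for t, _, a, r in evs if r == "FAIL"]
        sprayed, start = set(), 0
        for i, (t, _) in enumerate(fails):
            while t - fails[start][0] > window:   # slide window start forward
                start += 1
            accounts = {a for _, a in fails[start:i + 1]}
            if len(accounts) >= min_accounts:
                sprayed |= accounts
        if sprayed:
            hits = {a for _, _, a, r in evs if r == "OK" and a in sprayed}
            findings[src] = {"accounts": sorted(sprayed), "compromised": sorted(hits)}
    return findings
```

The second source in the sample (one failure, then success on the same account) is ordinary user behaviour and is not flagged; thresholds should be tuned to the environment's normal failure rate.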
Trend Micro reports that the group’s primary backdoor tool is called “XDealer.” It is capable of targeting both Windows and Linux systems and has advanced capabilities to evade detection once installed. It can exfiltrate data by taking screenshots, copying the clipboard and logging keystrokes in addition to stealthily transferring files, and it is particularly hard to keep at bay because it makes use of stolen valid signing certificates.