“China opposes, and punishes, any form of cyberattack, in accordance with its laws”: a spokesperson for the Chinese Ministry of Foreign Affairs denied, Thursday February 22, any link with hacking allegedly committed by the i-Soon company, hundreds of internal documents of which were published online a week earlier.
The files, the authenticity of which no longer seems to be in doubt, describe multiple computer hacking tools as well as a large number of victims of data theft. Among the latter, Thai, Taiwanese and Vietnamese public institutions, but also staff from Sciences Po in France and mobile operators in Kazakhstan.
In recent days, major IT security companies as well as independent researchers have been sifting through the documents. A consensus is emerging to link i-Soon to the APT 41 group, which refers to a network of hackers and subcontracting companies, supported by the Chinese state, which also engages in villainous hacking.
Direct links with the State
In the files, researchers found multiple links to previously identified hacker groups, which have in the past attacked Tibetan officials or academics working on China.
“These documents are still being analyzed,” explains to Le Monde Cédric Pernet, of the cybersecurity company Trend Micro, co-author of a report on Earth Lusca, a very active group of Chinese hackers. “Nevertheless, several indicators such as targeted entities, or the use of certain families of malware and tools, lead us to believe that the modus operandi of part of the operations of the Earth Lusca cyberespionage group and the information discovered in the i-Soon data leak are similar. » In recent years, Earth Lusca has targeted universities and media in Europe, political organizations in Hong Kong, and even administrations in several Asian countries.
The Chinese government's denials appear unconvincing, given the numerous links between i-Soon and Chinese public operators. The company thus worked as a subcontractor for Chengdu 404, a company identified by the American FBI as a central component of APT 41. Several employees of this company were also indicted in 2020 for their alleged role in hacking of American companies. As cybersecurity specialist Brian Krebs recalls, i-Soon CEO Wu Haibo – known under the pseudonym “Shutdown” – was also part of the first generation of Chinese patriotic hackers and belonged to the pro-China group. “Green Army” government, established in the late 1990s.
The i-Soon company has closed its website and is refusing press requests for interviews, but has assured that it will soon publish a detailed press release. On Wednesday, a journalist from the Associated Press agency was able to see that its Chengdu branch was still open. Inside the premises, the journalist was able to see posters displaying the flag of the Chinese Communist Party, accompanied by the slogan: “Safeguarding the party and the country's secrets is the duty of every citizen. »
