An apparent leak of internal documents from a Chinese hacking contractor paints a picture of a disaffected, poorly paid workforce that nonetheless penetrated multiple regional governments and possibly NATO.
An unknown person on Sunday posted on GitHub documents including spreadsheets, chat logs and marketing materials that evidently belong to Shanghai-based iSoon, a private company that supports government-led hacking operations.
Multiple experts told Information Security Media Group the documents appear to be legitimate and track with already-public information about Chinese state hacking, including technical details about command-and-control infrastructure and malware.
The company, also known as Anxun Information Technology, is "part of an ecosystem of contractors that has links to the Chinese patriotic hacking scene which developed two decades ago. They have since gone legit," said John Hultquist, chief analyst at Mandiant.
Concerns about Chinese hacking are long-standing. Western countries as well as neighboring countries including Taiwan, Nepal, India, Central Asian nations and the Tibetan diaspora have been targets of continuing cyberespionage operations directed by Beijing. Washington, D.C., has recently amplified warnings about Chinese cyberspace activities, telling critical infrastructure operators that hackers have remained undetected for years in compromised systems.
The leaked documents indicate that iSoon's main customer is the Ministry of Public Security, said Dakota Cary, a consultant and nonresident fellow at think tank Atlantic Council's Global China Hub. That means iSoon mostly receives contracts pegged to domestic security interests that require hacking into Asian organizations rather than high-profile international hacking assignments, which tend to be conducted by military or intelligence personnel.
One record shows the company charging approximately $55,000 to hack the Vietnamese Ministry of Economy, Cary said. That sum isn't a lot - especially for the amount of time iSoon likely needed to break into the ministry's servers, Cary said. The low dollar amount is of a piece with leaked chat logs showing employees complaining "about how little they're paid, how they would like to go work at a different company," Cary said. A section of the GitHub documents is titled "employee complaints." One leaked exchange consists of banter between employees and a manager about playing the gambling game mahjong in the office.
Technical information contained in the records shows the company relies on the Winnti backdoor, said Tom Hegel, a senior threat researcher with SentinelOne. It also used the PlugX remote access Trojan. Neither tool is exclusive to iSoon, which points to the wide extent of shared capabilities among Chinese hackers, Hegel said.
The anonymous writers behind the Intrusion Truth blog - which exposes the real identities of Chinese hackers - in 2022 described Sichuan province - where iSoon conducts research and development - as "becoming a known hot spot for hacking." The writers said the proximity of operations between various threat groups in the region has resulted in overlaps in their malware infrastructure. Many of the leaked documents appear to be from iSoon's Sichuan office and reference Chengdu, the province's largest city, where the iSoon R&D center is located.
"It's like any startup environment," said Hegel. "There are a lot of shared resources," and employees hop from company to company and bring with them knowledge and tactics gleaned from their previous companies.
Among the services that iSoon advertised are "APT service system," "target penetration services," and "battle support services" capable of targeting government intranet file servers as well as specific networks such as communications and transportation servers, said Will Thomas, cyber threat researcher at Equinix, in online analysis. The company also touts advanced spyware for mobile devices.
Included in the records is an assertion that iSoon hacked NATO, but Cary said he is skeptical about that. There is a screenshot of a "computer terminal, it does say the word 'NATO' - but I didn't see any specific victim data besides that one screenshot," he said.
It's possible iSoon is exaggerating, or the leaker - whoever it is - decided to be circumspect about that one particular hack. The Chinese government, Cary said, isn't likely incredibly upset over the leak, and it probably doesn't spell the end of the company. The leak may even be the result of an intellectual property dispute with a rival company that could have engineered the record dump. Spilling about hacking Myanmar isn't that offensive to Beijing, but "the Chinese government would be very, very, very upset" with the leaker if they disclosed details about breaking into NATO computers.
The Justice Department unsealed an indictment charging an Iranian national with involvement in a cyber-enabled campaign to compromise U.S. governmental and private entities, including the U.S. Departments of the Treasury and State, defense contractors, and two New York-based companies.
According to court documents, from at least in or about 2016 through in or about April 2021, Alireza Shafie Nasab, 39, of Iran, and other co-conspirators were members of a hacking organization that participated in a coordinated multi-year campaign to conduct and attempt to conduct computer intrusions. These intrusions targeted more than a dozen U.S. companies and the U.S. Departments of the Treasury and State. Nasab remains at large.
In the course of these spear phishing attacks, the conspirators compromised an administrator email account belonging to a defense contractor (Defense Contractor-1). Access to this administrator account empowered the conspirators to create unauthorized Defense Contractor-1 accounts, which the conspirators then used to send spear phishing campaigns to employees of a different defense contractor and a consulting firm.
In addition to spear phishing, the conspirators utilized social engineering, which involved impersonating others, generally women, in order to gain the confidence of victims. These social engineering contacts were another means the conspiracy used to deploy malware onto victim computers and compromise those devices and accounts.
Nasab is charged with one count of conspiracy to commit computer fraud, which carries a maximum penalty of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum penalty of 20 years in prison; one count of wire fraud, which carries a maximum penalty of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory consecutive term of two years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
The problem is, at the bottom of each email he says he "expects a bounty to be paid". Is this blackmail? Is this his way of saying you'd better pay me or I'm going to wreak havoc? Or is this a typical and legitimate method for people to make a living without any nefarious intentions?
EDIT: For more clarification: He gave me two examples of vulnerabilities with screenshots and clear instructions on how to fix those vulnerabilities. One was to change the "?all" part of my SPF record to "-all" to block all other domains from sending emails for my domain. In the other email he explained how my site was able to be shown inside an iframe (enabling a technique called "clickjacking") and he also included an example of the code and instructions on how to prevent it.
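The two findings quoted in the question can be verified independently of the reporter, which is a reasonable first step before deciding whether a report is worth anything. The following script is an added example, not code from the thread or from the reporter; it checks the qualifier on an SPF record's `all` mechanism and whether an HTTP response carries an anti-framing header (`X-Frame-Options` or a CSP `frame-ancestors` directive). The SPF records and response headers it uses are constructed samples, not any real domain's data.

```python
"""Verify two common unsolicited-report findings: a permissive SPF 'all'
qualifier and missing anti-framing headers. Added example; inputs are constructed."""
import re

# Constructed sample inputs (hypothetical domain, not real DNS data)
SPF_PERMISSIVE = "v=spf1 include:_spf.example.net ?all"
SPF_STRICT = "v=spf1 include:_spf.example.net -all"

# Constructed sample responses: one unprotected, one with CSP, one with XFO
HEADERS_UNPROTECTED = {"Content-Type": "text/html"}
HEADERS_CSP = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
HEADERS_XFO = {"X-Frame-Options": "sameorigin"}

_ALL_TERM = re.compile(r"([+\-~?]?)all", re.IGNORECASE)

# RFC 7208 qualifier meanings for the 'all' mechanism
SPF_QUALIFIER_MEANING = {
    "+": "pass: any host may send for the domain (worst)",
    "?": "neutral: receivers treat unlisted senders as unverified",
    "~": "softfail: unlisted senders are suspicious but usually delivered",
    "-": "fail: unlisted senders are rejected (recommended once senders are listed)",
}


def spf_all_qualifier(record: str):
    """Return the qualifier ('+', '-', '~', '?') of the 'all' mechanism, or None."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = _ALL_TERM.fullmatch(term)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all' per RFC 7208
    return None


def assess_spf(record: str) -> str:
    """Human-readable verdict on the record's catch-all qualifier."""
    q = spf_all_qualifier(record)
    if q is None:
        return "no 'all' mechanism: unlisted senders get an implicit neutral result"
    return SPF_QUALIFIER_MEANING[q]


def harden_spf(record: str) -> str:
    """Rewrite the record so that it ends with '-all', keeping the listed senders."""
    terms = record.split()
    replaced = False
    for i, term in enumerate(terms[1:], start=1):
        if _ALL_TERM.fullmatch(term):
            terms[i] = "-all"
            replaced = True
    if not replaced:
        terms.append("-all")
    return " ".join(terms)


def framing_protection(headers: dict):
    """Return 'csp' or 'xfo' if the response restricts framing, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"  # CSP takes precedence in browsers that support it
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return None


def findings(spf_record: str, headers: dict) -> list:
    """Collect the findings a defender would act on for the two reported issues."""
    out = []
    if spf_all_qualifier(spf_record) != "-":
        out.append("SPF: " + assess_spf(spf_record) + "; suggested record: " + harden_spf(spf_record))
    if framing_protection(headers) is None:
        out.append("Clickjacking: no X-Frame-Options or CSP frame-ancestors header; "
                   "add 'Content-Security-Policy: frame-ancestors 'none'' (or 'self')")
    return out


if __name__ == "__main__":
    for line in findings(SPF_PERMISSIVE, HEADERS_UNPROTECTED):
        print(line)
    print("hardened site findings:", findings(SPF_STRICT, HEADERS_CSP))
```

One caveat before applying the SPF change: `-all` only helps once every legitimate sending service (marketing platform, ticketing system, third-party mailers) is listed in the record; switching from `?all` to `-all` with an incomplete list causes receivers to reject your own mail. Check the domain's actual senders and its DMARC policy first, then roll the change out.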
A true "ethical hacker" would tell you what issue (s)he found in your system, not ask money for that; (s)he could offer to fix it as a contractor, but that would be after telling you what the actual problem is; and in any case, it's a completely different thing from just trying to scare you into paying.
While this might be blackmail, there are many possibilities for genuine good intents, too. Therefore, here's some more comprehensive thoughts on how one might handle unsolicited vulnerability reports. In short: you have every reason to be cautious, but you do not have to be rude.
Ethical hackers perform their analysis based on a contract typically with predefined targets and limitations. These might be ordered assignments or more loosely defined bug bounty programs, either directly or through a platform like HackerOne. In any case, an ethical hacker (or a white hat hacker) always has an explicit permission.
I have found several vulnerabilities by accident, without an intention to poke the system in any way. These cases are usually rather harsh, and I do hesitate over whether to not report it at all, report it anonymously, or report it with my name, which would give me the possibility to help them with further questions. The reality is that because I did not have permission, the receiver may interpret or handle my report in unexpected ways, possibly causing me legal charges or other problems. So far, they have been sympathetic towards me.
You are asked to pay for the findings, but without knowing the details you cannot be sure whether they are worth paying for at all. Vulnerabilities come in all shapes and sizes. Some of them are critical, and some are minor. Some may also seem problematic from outside, but are completely irrelevant to you, or within your accepted risk. One simply cannot sell vulnerabilities in pieces, bundles, kilograms, or liters.