
Guys, thanks very much everyone for coming, and thanks to B for having me. It's amazing to have another good BSides conference on the South Coast. I came here today with my friends from Bournemouth 2600, so if you're from Bournemouth, go to one of those meetings; it's really good. Unfortunately my co-speaker is not coming today, he's ill, so it's just me, but I want to thank him for his contributions to the talk. He did some good research with me on this; we stayed up pretty much all night, and for a couple of weeks after, going through some of these leaks. Big shout out to him, sorry you can't make it.

A little bit about me: I'm a cyber threat intelligence researcher, I've been doing it about five years, and I currently work at a company called Equinix, which is a big data centre company. I also created the SANS FOR589 Cybercrime Intelligence course, which is out now and available to take. I'm also the co-founder of Curated Intelligence, which is a CTI trust group, and I help run Bournemouth 2600 as well.

So today we're going to be talking about all sorts of interesting things about the leaks: what actually happened in there from start to finish, a bit about the company, a bit about their services, all kinds of information that was basically unavailable to us until these leaks came out.

A little bit about I-Soon. They are a Chinese company based in Chengdu in China. They've been around a while, around 10 to 15 years. Their main purpose is servicing the Chinese Ministry of Public Security, and they've done all sorts of interesting things as well as being part of the offensive cyber operations. The founder of the company has been around for a very long time as well; he goes back to the early hacktivist days of the early 2000s and the Green Army, which was one of the first original Chinese patriotic hacktivist movements. A lot of the people who were part of that movement went on to found these startups, went on to work with the government and helped support their offensive cyber operations.

They actually used to have a website, so we were able to get some interesting information about them from it. They weren't completely secret until the leak; there was some information about them out there. But the funny thing was it was all about things like public safety solutions and anti-cyber-fraud, and they made themselves seem like one of these blue team companies that offer a SIEM, managed defence, that kind of stuff. That's how they presented themselves on their website. But when the leaks started we began to learn a lot more about what they really do, which is a lot more interesting. The other thing about their website is their partners page, which is basically a massive long list of all the different Ministry of Public Security bureaus around China, and the main national one as well.

So what actually is the Chinese Ministry of Public Security? They're different from the Ministry of State Security, which is kind of like their version of the CIA or MI6. The Ministry of Public Security is more like MI5: counterterrorism policing, interior surveillance, domestic surveillance, that kind of stuff is more their wheelhouse, versus the Ministry of State Security, who do a lot more of the espionage and intellectual property theft. The MPS do a lot more domestic surveillance and are responsible for keeping everyone in line and arresting people. So, pretty scary guys.

About the actual leak itself. When did it happen? It happened in mid-February, right after Chinese New Year, so a bit of a bad headache for those guys when they woke up after a week of hanging out with their families and suddenly their whole business is making headlines around the world. Basically some unknown individual dumped a huge amount of PDFs, documents and chat logs on GitHub, and it was a CTI free-for-all: all the analysts just started going through these files, screenshotting things, translating things. Me and Morgan were up basically all night till like 3:00 a.m. going through them, because we had gone through leaks before, like the Conti leaks, the big ransomware gang that had all their chat stuff dumped publicly. Once you start to go through some of these things you start to understand the value of it, you start to draw some connections, and then you suddenly realise this is actually a pretty big deal, a pretty big game changer.

The leaks themselves contained chat logs from WeChat, PDFs of their product manuals, all sorts of interesting things. But the main thing to realise was there wasn't actually any exploit code or malware code or source code in there, so it kind of sets it apart from other things. There wasn't any real danger where you have to run everything in a sandbox because you don't want to infect your own system. Obviously you do take those precautions, but there wasn't really any risk in going through these things because it was just chat logs and PDF files. But the contents of those chat logs are very interesting, as you will see.

Some of their services: they had about 70 employees in 2019. Some of their services had funny names like "APT system service" or "service system", which is kind of funny and ironic because the cyber security company Mandiant came up with, or used, the phrase "advanced persistent threat" for these groups, and then you have an actual APT group using it to sell their services. It's kind of a weird vicious cycle, in a way. But yeah, these are basically some of the documents and PowerPoint slides they would use to sell to their various public security clients. They had a wide, extensive product catalogue, which we'll get into, and a lot of interesting things to go through to fully understand what sort of services they provide to the different Ministry of Public Security bureaus.

One of the really interesting things while we were going through it was that you could actually see a spreadsheet, or a screenshot of a spreadsheet, which had all their victims listed. So you had all sorts of recognisable government names: the Ministry of Finance of Thailand, the telecoms in Vietnam, some airline in Pakistan, all these kinds of big-name companies and government organisations, just a massive list of them, and it had how much data they had stolen from them and when they actually attacked them. You could take this spreadsheet and line it up with open source reports of when a certain APT campaign took place and be like, oh, so this is actually part of the same campaign when these victims were targeted. So that was probably one of the most valuable things that came out of the leak: actually knowing who they were targeting. Various researchers online, like Recorded Future and HarfangLab and a few others, put together tables of contents of all the victims they extracted, so I definitely recommend those if you want to really drill down to see who exactly was targeted.

Basically what I did was put those victims into an Excel spreadsheet and count which countries they are in. The most targeted was actually Thailand, and then it went Taiwan, India and the UK, which is quite interesting because that's where a lot of dissidents go when they want to escape China. A lot of them will go to these countries, so it definitely highlights one of the main motivations and main types of targeting that I-Soon was a part of.

So when we were looking at I-Soon's victims and at some of the things they were saying in their products and PowerPoints, it all ties back to this thing that the MPS calls the "five poisons", which is what the Chinese Communist Party basically deems as threats to the party itself and the country. So it includes the Uyghurs in Xinjiang province, you've got the Tibetan supporters, you've got the pro-democracy movements, Falun Gong, which is kind of like a religious movement as well (a lot of these religious movements are definitely discouraged and banned in China, so actually starting a religious movement is definitely going to get the MPS on your case), and you've got the Taiwan independence movement as well. So a lot of the targeting by I-Soon was all tied back to the five poisons of China, what the MPS deems as a threat to the country. One of the product catalogues actually specifically mentioned Uyghur terrorism activity in Xinjiang province, so the evidence was absolutely there. We've seen investigative journalism and reports about the kind of activities going on, a very sensitive topic, especially if you're in China; talking about these types of topics is definitely going to get the MPS on your case, so I don't recommend going to China if you are talking about this kind of stuff.

The other interesting thing is how I-Soon's campaigns and surveillance of individuals and dissidents, like I was saying with the five poisons, ties back to some other public reporting, or just public announcements, by the US Department of Justice. They arrested about 40 Chinese police officers who were working overseas in New York and other parts of the US as well. What they were doing was basically harassing people who were dissidents, people trying to contact people in China and get these movements going, support people, help people leave the country, whatever. They had actually deployed officers overseas to go and harass those people, and they were doing it in all sorts of malicious ways: they created social media botnets, they had social engineering teams that were trying to befriend people. That ties back to some of the stuff that I-Soon was doing as well, as you will see.

So, some of their platforms. These are the main six that I thought were the most notable coming out of those leaks, in terms of understanding what sort of services they offered. They had a Twitter public opinion guidance and control system; I'll talk about that a bit more, but basically a lot of it was to do with monitoring people, interacting with targets, trying to gain information about them. And then they did some unexpected stuff: they had a lot of hardware-related attack and hacking tools, so imagine a Hak5 kind of Chinese version that's used to surveil people and monitor them and track them down and find out who they are and arrest them, probably. They also had a lot of custom malware, which is probably one of the findings everyone here finds the most interesting, but as I say, none of the source code was available, unfortunately, for analysis. They also did a lot of other things, like the automated penetration testing platform, a lot of point-and-click hacking stuff. You have all these 20 or 30 different Ministry of Public Security bureaus, and not all of them know how to perform penetration testing or red teaming or whatever, so they actually developed a point-and-click hacking kind of tool for them, which is probably why we see so many different APT groups: a lot of these platforms that enable the hacking are just rolled out and they just run their own campaigns with them.

Let's get on to deep diving into some of those things. So we have the Twitter control system. Again, if you think back to how China works, they have the Great Firewall, they have systems in place so you can't easily create a social media account, a Twitter account, log in and start criticising the Chinese government; that's kind of banned. But there are ways to do it: if you use a VPN, if you use software proxies, there are different ways to get through the Great Firewall, or as they call it the Golden Shield. This is where the Chinese MPS will come in and basically try and monitor these accounts and figure out who runs them. So they will look for keywords on Twitter, they'll log into this platform, it's like a full SaaS platform where they can create an account and then interact with people, send them messages, try and befriend them, basically trying to figure out who they are to arrest them. It's a pretty sinister platform, and it's all to do with bypassing the firewall and doing it remotely from inside China; it's pretty interesting tech.

This was actually a really interesting one as well: the email collection analysis tool. Imagine you're some sort of APT group and you go into a target environment and you download everything from the Microsoft Exchange server. You don't really have time to go through each individual email, right? So what this does is take all of those emails, ingest them and make them searchable; it's kind of like an e-discovery tool for APTs. So you've got exactly who's talking to who, you've got different statistics and dashboards of who sent the most emails or who mentioned this keyword the most. The other interesting thing about it is you can download the inboxes of people's Gmail accounts, people's personal email accounts, download all of those inboxes, import them into this and see the conversations between each other. Again, another very sinister surveillance tool.

This is what I was mentioning earlier, the automated penetration testing platform. The interesting thing about this is the fact that there were so many open source tools basically combined together into this SaaS platform: you just click and plug and play and run your own campaign. That way you don't even have to really understand how these tools work, but as an organisation they want to be able to exploit something. The other interesting thing is, again, the scale of attack: all you have to do is build a platform like this, hire a load of people who've never done it before, and you can run attacks within a week or so. So it's another interesting platform. You may see various Western cyber security companies trying to build these kinds of platforms as well, for legitimate penetration testing and cyber defence, but they're using it to hack into companies, actual real bad guys.

Custom RATs, as I was mentioning earlier: you have Windows stuff, macOS stuff, Android, iOS, whatever. Again, it all boils down to being able to control the system, take information away from it, and basically use that to uncover different plots or whatever targets they're going after. A lot of the time there were two main types of targets. It was foreign organisations, like I was mentioning, in the UK, Thailand, Taiwan and India and 20 other different countries as well, but once they are into that system they can then gather the data, build it up and chuck it into one of their analysis platforms to support their campaigns. So it's definitely interesting how it all feeds in together.

This is actually a really interesting product as well, the hardware hacking stuff: a Wi-Fi brute forcing and cracking tool inside a Xiaomi battery pack. They can just deploy it somewhere, imagine in Xinjiang province or some sort of temple or whatever. You can imagine what these things are potentially used for, right? Pretty sinister products used for surveillance and getting into people's devices.

This could actually be a whole talk in itself: how the Chinese government has kind of turned around. They used to come to these bug bounty competitions, they used to come to Pwn2Own, which is a globally recognised conference where security researchers and vulnerability researchers go, and they find the zero days, they disclose them at the conference, they have a little demonstration around the zero day, and they get a massive payout. Or if you hack a Tesla you get a free Tesla; it's a pretty cool competition if you're into vulnerability research. The Chinese teams always won it; they were the best at this kind of vulnerability research. And the funny thing was they actually stopped coming: the government banned them from going to these competitions, and now they have their own ones. They have the Tianfu Cup in, I think, Chongqing or Chengdu every year, and again it's the same premise, but instead of disclosing to the companies at the end of the day they disclose to the government and services. So again it's another difficult situation where you have these really elite vulnerability researchers finding these critical bugs, and instead of Microsoft or Apple or whoever patching them, it's just going to an APT group to launch attacks against us. So yeah, that could be a whole talk in itself, but it's definitely an interesting topic to look into.

So, the different overlaps of APT groups from the leak. This is one of the interesting things we had to do when we were going through the leak. You had about, I don't know, 900 different PDFs, and in there you had screenshots of tools inside those PDFs, and inside the screenshot of the tool you had an IP address. A lot of it was pixelated and blurred out, and you could kind of unblur that, research that IP address, and you were finding connections to all sorts of different APT groups. You had RedAlpha, RedHotel and Poison Carp, which are groups Recorded Future tracks, and you were basically able to link these openly reported, previously reported APT campaigns back to I-Soon just because they were so lazy about removing IOCs from their product catalogue. Pretty bad OPSEC, but I guess they never imagined these things would go public.

But at the end of the day, for a long time, the last 15 or so years, there's been this theory of a "digital quartermaster", one sort of organisation that is supplying the tools and malware and exploits to the various APT groups. China has by far the highest number of APT groups launching attacks pretty much every single day. But the interesting thing was, why is it that a lot of them reuse the same malware families, like PlugX and ShadowPad and Poison Ivy? Why is it you've got three, four, five, six, ten groups all using the same malware? Well, the interesting thing was it's potentially related to this one organisation, such as I-Soon or other contractors, developing it and selling it to them. So it's a pretty concrete piece of evidence to highlight how their digital ecosystem works and how these offensive cyber operations are vastly supported by private industry as well, and all those private industry companies come from OG hacktivists from the early 2000s. So it's an interesting chain of events to where we are today.

A lot of people may have heard of APT41, probably one of the more famous APT groups, particularly because they were sanctioned and added to the FBI wanted list. They've been running attacks for 10-plus years probably by now. Before the I-Soon leaks happened, one of the first times we actually became aware of I-Soon was the fact that a company called Chengdu 404 actually sued I-Soon over intellectual property rights and source code theft. So that was the first time it ever came onto research radars, through these Chinese court documents. But then as the documents from I-Soon leaked, we actually saw some of the malware they were offering. There was one, I think it's on here, called Treadstone, and it actually was a kind of rename for, I believe, the Winnti malware, which is a pretty famous Chinese APT malware used in various campaigns by multiple groups. Chengdu 404, which is one of the offensive cyber operation contractors, launches their attacks as APT41, right? In the I-Soon leaks you had a screenshot of Treadstone, and then you had Chengdu 404 suing I-Soon for using it. So it's really interesting seeing it all collected and coming together, and it's not so much pivoting off IOCs, indicators of compromise, to link campaigns together; this is a bit more investigative journalism, a bit more research-oriented connection between the two groups.

FishMonger is the name of an APT group that ESET tracks, who in 2019 was responsible for various campaigns against demonstrators and protesters in Hong Kong. So back in 2019 there was a massive demonstration of protesters in Hong Kong, because back then, if you weren't aware, there was an agreement of a slow transition period for Hong Kong to become part of China from the UK, back in 1997 I believe. China basically reneged on that agreement and started to introduce all sorts of Chinese mainland laws into the Hong Kong semi-autonomous region. The Hongkongers didn't like that; they like being more part of the international community and they didn't want these draconian laws being introduced, so they started to protest, massive protests on the news for weeks and weeks on end. And the Chinese government, as you can probably imagine, started to try and target these protesters individually and harass them, trying to stop the organising, basically. One of the ways they did that was going after the universities. ESET actually found that the Winnti malware and the ShadowPad malware were being deployed at five different Hong Kong universities. So there's an interesting dynamic there where you have the mainland targeting Hong Kong and going after the protesters using traditional cyber espionage nation-state capabilities. And again, I-Soon is connected to that, because if you go through the victim spreadsheet you can see all these .edu.hk domains, you can see how much data was being stolen from them and when it was stolen. So you've got 2019 here, and some in 2021 even as well; they were still protesting about these things. So that's another way we were able to connect the leaks to actual previously reported APT campaigns.

So this is probably one of the questions some of you may have been waiting to ask me: who do I think is actually the I-Soon leaker? It's a difficult question. We don't really know who exactly it was, but it was most likely a revenge-seeking employee, because if you think about the level of access they had, the type of information they knew, the way they spoke on GitHub, basically criticising I-Soon and saying they didn't pay their employees enough, all this kind of stuff, it comes back to this must have been some sort of insider threat inside of I-Soon, basically. There are some other theories. It could be a rival Chinese contractor; remember when Chengdu 404 was suing I-Soon, there's a little bit of friction between these things, and some of this friction even dates back to grudges from when they were in the Green Army together. So maybe it's a company trying to knock I-Soon off the map and take over as the new digital quartermaster for all the APT groups. Definitely an interesting thing to think about, but I think at the end of the day the most likely answer is probably that it was an ex-employee, or a current employee who decided to take down the company.

Just some funny stuff. When we were going through this we saw people in Chinese commenting on the GitHub where the leak was, and we're like, well, is this an employee of I-Soon? Maybe, I don't know; it's pretty funny though. Other I-Soon bloopers: my friend Morgan, whilst he was going through a lot of the documents (I was doing more of the connecting things to known APT campaigns, and he was going through all of it and mapping it all, translating it, he did a massive machine translation of it all), actually found this hilarious thing where there was an APT team offsite where they went to Disneyland Shanghai. So if you ever go to Disneyland you might be bumping shoulders with APT groups. That was pretty funny.

The other interesting thing was the fact that the guy who was in charge of I-Soon, the actual CEO of the company, his handle is known as shutd0wn, and he's actually, again like I was saying, one of these original red hackers, also known as a Honker, which is just some Chinese internet slang for one of these OG hackers. The chats: I think the Associated Press did a good deep dive; Chinese-speaking researchers were able to go through and put things into context. They had names of restaurants and bars where I-Soon would meet with the Ministry of Public Security clients and have parties, a lot of corruption, a lot of building up contacts, and as you can imagine that's just how business is done in China: a lot of the time it's not how good you are, it's who you know. Does anyone know what this is? Moutai. Side note, it's actually one of the richest companies in the world, just because of the sheer amount of baijiu, Chinese rice spirit, they make, because it's super popular over there. And then you also have the hot pot parties they were going to. The other funny thing was, during the leaks, there were so many times the executives, the CEO and COO, were saying in these messages that they drank too much. Pretty wild times. I-Soon sounds like pretty crazy times that happened together: hacking people and surveillance and whatever.

So how does the I-Soon leak actually stack up against other known leaks? You've got the Snowden files, which I put as S-tier here because it was just so crazy and such a calamitous failure for the NSA and CIA. Then you also have Shadow Brokers and Vault 7 and Hacking Team. The interesting thing about those leaks is that they actually contained zero days, exploit code and malware code, and a lot of the exploits that came from those leaks were actually weaponised in other very notable high-profile campaigns. From the Shadow Brokers, EternalBlue was leaked, which probably a lot of you had to deal with if you've worked in cyber security for long enough: the WannaCry and NotPetya attacks in 2017. Then some of you may have heard of when the Hacking Team leak took place, which shared some firmware UEFI bootkits, which APT28 from Russia, the GRU APT group, actually started using on their victims as well; you basically can't remove that malware without getting rid of the system. So I-Soon kind of stacks up as a B-tier leak, because again it wasn't really all that; the identities of their employees are pretty safe, actually. It was just the product catalogues, a few leaked chats and PowerPoint presentations. But it kind of lines up with NTC Vulkan and SyTech, which were Russian contractors. These contractors are based in Moscow or St Petersburg, and they were working with the FSB and the GRU, again developing tools for them to do their own hacking campaigns as well. So if you're interested in researching these I definitely recommend checking out those two as well; there's no real risk of affecting your system if you go through these things, but it's definitely interesting to improve your understanding of how these kinds of APT ecosystems work.

Cold River was another interesting one, kind of a minor situation, but that was where the former head of the UK's MI6 was compromised; he had his ProtonMail account hacked and it was then dumped on a leak site. And then you also have Intrusion Truth and others like it; the interesting thing about those is they're kind of like activist groups, where they actually research APT group members and then basically write a blog about how they figured out who that APT group member is. Again, another interesting way to help your understanding of these APT ecosystems, so if you've not come across any of these before I definitely recommend checking them out, because it will just vastly improve your understanding of how nation-state sponsored campaigns work.

So in conclusion, what did we actually learn from the leak? Why was this leak so interesting for us? Well, it basically cemented a lot of the theories we had over the last 10 years. It proved that there are digital quartermasters working for APT groups. It proved this interesting dynamic: we kind of knew this already for the Ministry of State Security, but it also proved it's being done on a domestic level in the Ministry of Public Security as well, which is kind of interesting, because again it's kind of a capitalist approach to solving their APT problems; considering they're a communist country, they love outsourcing their hacking stuff. Again, at the end of the day it potentially provides plausible deniability: "oh, we didn't have control over it, it's this company that was doing it", that kind of stuff. And a lot of interesting tools and techniques were generated from what I-Soon was doing, and why they were doing it as well; it just tied together a lot of our understanding and theory based on responding to intrusions and companies sharing those intrusions. With these leaks we actually tied it all together, and it helps answer all these questions.

So if you're interested in where I got a lot of this stuff, and my own research as well: Natto Thoughts has done a lot of good blogs on these things; they actually wrote this blog in October 2023, which is quite a few months before the I-Soon leak even came out, so those people are definitely ahead of the curve. There's a great book called The Dark Visitor, which was written in like 2005 or something like that, all about the Honker Union and the Green Army and the patriotic hacking and hacktivism back then, when it was all Windows XP or whatever; definitely interesting. The Mandiant APT1 report, like I say, and then a lot of the Intrusion Truth blogs as well, and how they use Chinese social media and company registration records and all that kind of stuff to tie back and dox various APT group members, who then end up on the FBI wanted list. So thank you very much, I appreciate everyone.

Does anyone have any questions?

Audience: Since the leak, are you aware whether I-Soon is still operationally active, or have they disappeared?

Yeah, that's a great question. I think the malware they've developed is still definitely being used, but whether they're actually launching their own operations themselves is still yet to be seen, in intrusions directly linked back to them. So that's the best I know. There's a question at the back.

Audience: The dump on GitHub, how much curation was done?

So the question was how curated was the dump on GitHub. It was kind of interesting because the README page was separated into categories, so it was pretty well organised, like the leaker had seemingly gone through it themselves, or helped create it, and put it together. It was quite a well-planned leak, I think, because how they got the leaked chat messages between the executives is a pretty big giveaway of who was responsible; I-Soon probably know who it was. But it was pretty well organised into different categories: you've got the product catalogue category, and then you have the PowerPoint presentation category, and then you have the leaked chat logs as well. So it was pretty well organised, and whoever did it did it intentionally to damage and ruin the reputation of the company.

Audience: Is there anything that ties I-Soon to the recent Volt Typhoon campaign, which showed that the Chinese are capable of building exploits for Netgear routers, TP-Link and stuff like that? Is there another piece you think might be lurking out there that does that type of specific work?

Yeah, so from the I-Soon leaks there was no direct link to Volt Typhoon as far as I'm aware. The interesting thing about Volt Typhoon, for those of you not aware, is they're a Chinese APT group who is kind of like China's Sandworm; they're the APT group that's hitting critical infrastructure, potentially pre-positioning to launch destructive attacks against industrial control systems, or telecommunication systems. They are quite interesting because they do a lot of hands-on-keyboard, no-malware kind of stuff, a lot of living off the land and zero days. So there's definitely a potential link, like I was saying with the Tianfu Cup and those researchers developing zero days for routers and firewall devices, network security devices, and giving that off to whoever Volt Typhoon is, whether it's a contractor, whether it's the MSS. It's probably some sort of relation like that, but as far as I'm aware there's no direct tie between I-Soon and Volt Typhoon, but it's definitely worth investigating as well. I think that's it then. Awesome, thank you.