Chinese Hackers

[kyonides]

Here's a followup of the previous report.

FTC Considers Investigating Microsoft over Massive Email Breach by Chinese Hackers

The Messenger reports that Microsoft finds itself facing scrutiny from the FTC following the massive cybersecurity leak it suffered this year. A breach that occurred in May, suspected to be the work of Chinese government hackers, exposed the email accounts of Microsoft customers. This breach, however, was only recently brought to light by Microsoft, raising questions about the company’s transparency and cybersecurity robustness.
...
“The Commission will ‘shift resources to order compliance and enforcement, especially against the largest respondents,’” FTC Chair Lina Khan said in a letter, emphasizing a more stringent approach towards major corporations like Microsoft. This statement echoes the FTC’s renewed commitment to enforcing cybersecurity norms and holding corporations accountable for lapses.

Microsoft previously settled with the FTC in 2002; as part of the settlement Microsoft committed to establishing a comprehensive information security program. This commitment aimed to safeguard the security, confidentiality, and integrity of personal information collected from consumers.

Sen. Ron Wyden (D-OR) has been vocal in urging the FTC to take decisive action. “Microsoft’s security failures led to the Chinese government hacking into the emails of senior U.S. government officials,” Wyden said, underscoring the severity of the breach and the potential repercussions.

FTC Chair Lina Khan, while not confirming an official investigation, conveyed a strong stance against “corporate recidivism” and acknowledged the historical 2002 settlement with Microsoft.

For all those non native speakers, let me tell you that recividism means the tendency the person or entity has to commit the same crime.

[kyonides]

Chinese Hackers Penetrated over Two Dozen Critical U.S. Infrastructure Systems

The Washington Post on Monday reported that concerns about China’s growing cyber-warfare assault on U.S. infrastructure systems are justified, as hackers linked to the People’s Liberation Army (PLA) have “burrowed into the computer systems of about two dozen critical entities over the past year.”

Targets included a Hawaiian water utility, a port on the West Coast, an oil and gas pipeline, and the company that operates the power grid for the state of Texas.

None of these assaults, which were part of a campaign named “Volt Typhoon” by U.S. government cybersecurity experts, produced any damage or major disruptions – but that might not have been their purpose. Several sources portrayed Volt Typhoon as a reconnaissance effort, a string of probing attacks to test U.S. responses and set up more serious cyberattacks for the future, perhaps in the event of a major U.S.-China conflict, like a battle for Taiwan.
...
Joe McReynolds of the Jamestown Foundation said the Volt Typhoon hackers were “trying to build tunnels” into U.S. infrastructure they could “later use to attack.” The hackers put a high priority on avoiding detection and hiding from efforts to trace their location.

“Until then you lie in wait, carry out reconnaissance, figure out if you can move into industrial control systems or more critical companies or targets upstream. And one day, if you get the order from on high, you switch from reconnaissance to attack,” McReynolds said.

Cybersecurity experts were disturbed by the intensity of Volt Typhoon activity around Hawaii, where the U.S. Pacific Fleet is based. Another significant Volt Typhoon infiltration occurred in Guam, the nearest U.S. territory to Taiwan. The cunning tactics employed by the hackers to remain undetected suggest they were laying the groundwork for serious future attacks, rather than trying to send a message by getting themselves noticed.

On the bright side, many of the Volt Typhoon targets were smaller companies that were not directly connected to vital infrastructure, which implies the hackers were “opportunistic” – they looked for easy targets, rather than hitting vital systems at will.

According to the Washington Post, President Joe Biden was supposed to bring up China’s hacking campaign during his four-hour meeting with Xi Jinping in San Francisco last month but, for unknown reasons, Biden backed away from raising the subject.

Microsoft Threat Intelligence issued a bulletin about Volt Typhoon in May, describing the culprits as “a state-sponsored actor based in China that typically focuses on espionage and information gathering.”
...
Microsoft went into more detail about the “living off the land” strategy employed by the attackers, which boils down to stealing valid security credentials, depositing malevolent code into a targeted system, and camouflaging that code as normal software performing useful functions for the system. The Volt Typhoon hackers were very adept at making their communications with viral code blend into normal network traffic, so their presence was undetected.

CISA also published an advisory about Volt Typhoon and its “living off the land” tactics in May, including some helpful tips for detecting the Chinese malware. Many Volt Typhoon intrusions were eventually detected by searching for subtle, abnormal patterns in network activity.

John Hultquist, chief analyst for the Mandiant Intelligence cybersecurity firm, warned in October that Volt Typhoon was larger and more dangerous than originally suspected.
...
Hultquist concurred with National Security Agency (NSA) analysts who believed the Chinese hackers were “digging in for the possibility of creating a disruptive event, in the event of a wartime scenario.”

“This is especially concerning given how hard they’re working on their operational security, using botnets and zero-days to stay below the radar,” he said, classifying Volt Typhoon as an even greater threat than Middle Eastern cyberespionage intended to punish the U.S. for standing behind Israel after the October 7 Hamas atrocities.

[kyonides]

Chinese Spy Balloon Used American Internet Provider to Communicate

A recent assessment reportedly found that the Chinese spy balloon that traversed the United States months ago used an American internet service provider to communicate.

An NBC News report published Thursday regarding the information cited two current and one former U.S. official familiar with the assessment.

The article noted:

The balloon connected to a U.S.-based company, according to the assessment, to send and receive communications from China, primarily related to its navigation. Officials familiar with the assessment said it found that the connection allowed the balloon to send burst transmissions, or high-bandwidth collections of data over short periods of time.

President Joe Biden’s administration reportedly tried to obtain a “highly secretive” court order to gather intelligence about the device as it hovered over the United States, the outlet said, adding that the court’s ruling remained a mystery.

The order “would have allowed U.S. intelligence agencies to conduct electronic surveillance on the balloon as it flew over the U.S. and as it sent and received messages to and from China, the officials said, including communications sent via the American internet service provider,” the NBC report noted.

The company has denied that the Chinese device used its network. The outlet did not reveal the provider’s name to protect its sources’ identities.

It is important to note that the Biden administration had reportedly hoped to keep the Chinese spy balloon incident a secret, according to a recent Breitbart News report.
...
In June, Sen. Bill Hagerty (R-TN) responded to information that the Chinese Communist Party (CCP) made an agreement with Cuba to construct a spy facility on the island by stating that Biden officials had allowed China to get away with spying on the United States, according to Breitbart News.

He “pointed to reporting by Reuters that the FBI’s report on China’s spy balloon was delayed from its anticipated release in April,” the outlet said.
...
According to the NBC article, “Defense and intelligence officials have said the U.S. assessment is that the balloon was not able to transmit intelligence back to China while it was over the U.S.”

Well, knowing that Blinken foolishly believed China's promise not to do it ever again...

[kyonides]

China Says It Cracked Apple’s AirDrop Encryption to Track Senders

Chinese authorities have claimed that they can identify individuals who use Apple’s wireless file-sharing tool to spread content that Beijing considers “inappropriate.”

Experts had managed to identify the phone number and email address of an AirDrop sending device using logs found on the receiving device, the Beijing Municipal Bureau of Justice said in an article published on Jan. 8. That allows local police to find “several suspects” who use the iPhone feature to transmit files containing what authorities have referred to as “inappropriate remarks,” according to the agency.

AirDrop, designed to function over short distances, was created as a program reliant on direct connections between phones. By forming a local network of devices without relying on the internet to communicate, AirDrop makes it hard for authorities to regulate “through conventional network monitoring methods,” according to the article.

The file-sharing feature, which is available on iPhones and other Apple devices, has been a critical tool for protesters in both mainland China and Hong Kong to evade censorship and maintain communication. Users can’t review the transmission history, and the recipient’s device may only show the user-defined name of the sender.

The Beijing judicial agency stated in the article that experts extracted AirDrop’s encrypted records by analyzing the iPhone’s logs. They praised experts from Beijing Wangshendongjian Technology Co. Ltd., a local forensic appraisal institute, for assisting authorities to “break through technical difficulties of tracing anonymous AirDrops.”

AirDrop was used widely as a communication tool during Hong Kong’s pro-democracy protests in 2019. Demonstrators deployed the program to bypass China’s so-called Great Firewall, delivering crucial messages to the public and ensuring ongoing communication among themselves.

In late 2022, after protests against Beijing’s draconian COVID-19 measures erupted in Shanghai and other major Chinese cities, Apple restricted the sharing feature in the mainland following reports that young demonstrators used the AirDrop function to share images and slogans denouncing the Chinese Communist Party (CCP) and its leader, Xi Jinping.

On Nov. 9, 2022, Apple released iOS 16.1.1., a new version of its mobile operating system. The tech firm noted that the “update includes bug fixes and security updates and is recommended for all users.” However, Chinese readers of 9to5Mac, a website covering news about Apple and its products, noticed a modification in the update that was specific to iPhones sold in China.

Following the operating system update, AirDrop on iPhones sold in China can only be configured to receive messages from “everyone” for 10 minutes before switching off. Typically, AirDrop users can choose to receive files from “everyone”—contacts and noncontacts—for an unlimited time. Before the update, the “everyone” setting could be turned on permanently on Chinese iPhones.

Apple has stated that the feature was an effort to cut down on spam content sent in crowded areas such as malls, and it originally planned to roll out the feature globally starting in 2023.

However, Apple hasn’t offered an explanation as to why it chose China to be the first country with AirDrop restrictions.

For years, Apple kept Chinese customers’ data locally on servers run by a state-owned company, adhering to Beijing’s request to keep information within its borders.

Experts have pointed out that this method gives the CCP unfettered access to consumer data. Apple, in response, stated that it holds encryption keys to the data stored in those server facilities and has “never compromised the security” of its users and their data.
This local storage means that although the United States has laws against companies sharing data with Chinese authorities, Beijing can demand the data from the server storage company rather than from Apple.

Apple has already been subjected to restrictions in China, one of the company’s biggest markets and responsible for nearly 20 percent of the Cupertino, California-based firm’s revenue.

Multiple media outlets reported in September 2023 that Beijing instructed state employees and officials at some government agencies to not use iPhones and other foreign cell phones for work ... These officials, who spoke on the condition of anonymity for fear of reprisal, said there were no formal documents regarding that order.

When asked about the reported iPhone ban at a briefing at the time, a Chinese Foreign Ministry official didn’t directly comment on the issue but said phone companies operating in China must adhere to its laws and regulations.

[kyonides]

FBI Finds Chinese State Hacker Malware on Hundreds of U.S. Infrastructure-Related Routers

The Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) on Wednesday announced they were able to disrupt a massive Chinese cyber-espionage campaign called Volt Typhoon that penetrated critical American infrastructure systems.

Volt Typhoon was detected and made public by Microsoft’s cybersecurity team in May 2023. Microsoft described the perpetrators as state-sponsored hackers from China who were developing “capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

Microsoft’s conclusions were backed by the intelligence agencies of the “Five Eyes” alliance: the U.S., UK, Canada, Australia, and New Zealand. China denied the allegations and accused the Five Eyes nations of pushing “disinformation.”

Volt Typhoon’s activities were originally thought to be centered on Guam, with the goal of disrupting American network communications across the Pacific in the event of a conflict with China, such as China might cause by invading Taiwan. Further investigation showed the scope of the operation was much greater, with targets including West Coast ports, oil pipelines, and the power grid of Texas.

The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) said in December that China was clearly “pre-positioning” cyber warfare assets to “disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States.”

Volt Typhoon was cited by cybersecurity experts as one of the biggest, most dangerous examples of “living off the land,” a technique in which hackers infiltrate a system without causing any damage or revealing their presence, using tools that mimic normal network activity. As DHS put it, the Chinese operation was all about scouting ahead and preparing for destructive attacks that could be triggered if the U.S. and China came into conflict.

DOJ said on Wednesday that the U.S. and its allies have stepped up their efforts against threats like Volt Typhoon, and that particular threat has been “disrupted” by purging its malicious software from hundreds of routers. U.S. officials remained certain that Chinese state-sponsored hackers were responsible for the intrusions.

Sean Newell, deputy chief of the Justice Department’s National Security Division, explained that Volt Typhoon’s hackers created a “botnet” hidden inside network routers that concealed their other hacking activities. The compromised routers, which were mostly older Cisco and Netgear models nearing the end of their operational lifespans, allowed the hackers to work in secret, without security programs detecting their unusual network traffic.

FBI Director Christopher Wray told the House Select Committee on the Chinese Communist Party that the nearly-obsolete routers were “easy targets” for the hackers, whose activities targeted water, power, oil, and transportation systems.

Wray said the FBI also believes China will try to interfere in the 2024 elections, as it did in Taiwan’s recent presidential race. He pointed to the tremendous amount of information Chinese applications like TikTok collect about their users as potential espionage weapons since the Chinese military apparatus is legally guaranteed at-will access to all data compiled by Chinese corporations.

“Today, and literally every day, they’re actively attacking our economic security, engaging in wholesale theft of our innovation, and our personal and corporate data,” said Wray.

CISA Director Jen Easterly warned that China’s hackers have grown very adept at lurking undetected inside computer systems.
...
Security Week reported some concerns in the cybersecurity community that Volt Typhoon might not be completely “disrupted,” because it was able to penetrate “thousands of organizations,” but the FBI’s court orders covered only hundreds of infected routers.

The FBI essentially managed to find a way to order the malware in the infected routers to delete itself, without damaging the routers or the systems that relied upon them. The owners of those routers do not appear to have been warned in advance, but the FBI said it is attempting to notify all of them now and provide some security advice.

[kyonides]

Japan Confirms Major Chinese Hack of Classified Documents

A source in the Japanese government said on Monday that classified Japanese diplomatic telegrams were leaked in 2020 after Chinese hackers attacked the Japanese Foreign Ministry.

The source told Kyodo News that the cyberattack occurred under the late Abe Shinzo’s final term as prime minister. The incident badly rattled the Abe government, which realized Japan’s cyber defenses needed improvement and sought advice from the U.S. government.

Chief Cabinet Secretary Hayashi Yoshimasa responded to inquiries about the story by refusing to confirm if the hackers exposed any secret information. Both the original source and Hayashi were extremely reluctant to discuss exactly what information was exposed or what became of the leaked documents.

The diplomatic cables were reportedly sent using an encrypted Internet Protocol Virtual Private Network (IP-VPN). The ability of hackers to penetrate such a secure communications system is deeply troubling.

Kyodo News noted that several Japanese agencies have suffered embarrassing cyberattacks in recent years, including the Aerospace Exploration Agency and even the National Center of Incident Readiness and Strategy for Cybersecurity, which evidently had Chinese military hackers lurking undetected in its systems for almost nine months, beginning in the fall of 2022. Japan pledged to increase its cybersecurity budget by 1,000 percent over five years after the penetration of the security agency was made public.

These data breaches made lawmakers concerned about the poor state of Japan’s cyber defenses, but the government’s reluctance to do anything that might be seen as violating the right to privacy has thwarted attempts to make large-scale security improvements. For this reason, the Japanese were hesitant to give U.S. cybersecurity experts access to sensitive systems so they could help investigate the Chinese hack.

Another problem, delicately broached by Japan News on Monday while discussing the Foreign Ministry hack, is that Japan’s cybersecurity is in such rough shape that the U.S. is “hesitant to share defense-related information with Japan” — including information that could help Japan tighten its Internet security.

Japan News noted the Japanese are especially far behind the curve in “active cyber defense,” meaning aggressive efforts to monitor cyberspace for imminent threats and even launch preemptive action against potential hackers.

[kyonides]

Chinese Hackers Penetrated Dutch Defense Network

Chinese state-backed attackers hacked into a Dutch defense network last year and gained persistent access, the Netherlands has acknowledged.

“It is important to ensure that espionage activities of this nature committed by China become public knowledge since this will help to increase international resilience to this type of cyber espionage,” Dutch Defense Minister Kajsa Ollongren said on Feb. 6.

The report, jointly published by the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD), didn’t clarify what information the hackers were trying to obtain.

The report states that damage from the breach was limited because of “network segmentation,” which separated it from the ministry’s wider network.

The affected network “had fewer than 50 users” and was used for unclassified research, they said.
...
“MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies,” the report reads.

The report acknowledges that Chinese hacking attempts occurred “with a high operational tempo.”

The Chinese Communist Party (CCP), which rules China as a single-party state, hasn’t yet responded to the incident; it routinely denies any involvement in overseas hacking campaigns.
...
Similarly, the malware uncovered by Dutch intelligence—named “COATHANGER”—was used to grant China persistent access to the network after entry, effectively granting the regime the ability to exploit the network as opportunities presented themselves.

[kyonides]

China Plays Victim After Getting Caught Hacking into U.S. Infrastructure for Years

China’s state-run Global Times studiously avoided mentioning the bombshell reports about Volt Typhoon, the Chinese state hacking group disrupted by Microsoft security experts and the FBI last week.

Volt Typhoon’s hackers penetrated critical infrastructure systems, including ports, oil pipelines, and power grids, then lurked in waiting without stealing data or causing damage – presumably waiting for an order from Beijing to cause havoc if the U.S. was drawn into a confrontation with China. The likely theater for such a confrontation would be Taiwan, whose infrastructure was also compromised by the Volt Typhoon operation.

Leaving all of that unsaid, the Global Times used a Wednesday editorial to rail against “American advanced persistent threat (APT) organizations” supposedly working indiscriminately around the globe.

Humorously citing “Chinese experts” who suddenly discovered American hackers everywhere the day after the FBI took Beijing’s big cyber-espionage operation down, the Global Times huffed into its editorial paper bag about the “uncontrolled development of the U.S. in terms of cybersecurity threats,” none of which its “Chinese experts” could actually describe.

Instead, the Global Times quoted Chinese Foreign Ministry spokesman Wang Wenbin muttering that America is the “source of all evils” in terms of cyber-threats, then pumped out ten paragraphs of dark speculation about all the things the United States could do if it chose to unleash the dark wizards sitting restlessly at their keyboards in the CIA’s basement and NSA’s attic.
...
Another frequent target of Chinese cyber-espionage is the Philippines, which is pushing back against Chinese aggression in the South China Sea. Last week, Chinese hackers tried to break into Philippine government websites and email accounts, including those of President Ferdinand Marcos Jr. and a maritime security agency.

The Philippines provided evidence the attack came from China, then very tactfully said it was “appealing to the Chinese government to help us prevent further attacks.”

The Global Times responded on Wednesday with another howling screed accusing Philippine hackers of victimizing poor, helpless China.

This time, the Chinese Communist paper briefly acknowledged the allegations of wrongdoing against China but dismissed them with a wave of its hand and insisted “China is the biggest victim of cyberattacks”...

[kyonides]

Microsoft, OpenAI Claim State-Sponsored Hackers Are Using AI to Boost Cyberattacks

Microsoft (MSFT) and OpenAI released a report on Wednesday saying that hacking groups from China, Iran, North Korea, and Russia are increasingly probing the use of AI large language models (LLMs) to improve their chances of successfully launching cyberattacks.

According to the report, the state-affiliated groups are using AI to understand everything from satellite technology to how to develop malicious code that can evade detection by cybersecurity software.
...
Microsoft and OpenAI listed four different groups as using large language models in conjunction with their hacking efforts: Russia's Forest Blizzard, also known as Strontium; North Korea's Emerald Sheet, also known as Thallium; Iran's Crimson Sandstorm, also known as Curium; and China's Charcoal Typhoon, known as Chromium, and Salmon Typhoon, known as Sodium.

In the case of the Russian hackers, Microsoft and OpenAI say the group is using LLMs to understand satellite capabilities as well as radar technologies and getting assistance in scripting tasks and file manipulation.

North Korea's Emerald Sheet has used the technology to better understand public software vulnerabilities, for scripting tasks, improving social engineering for phishing and spear-phishing email campaigns, and learning more about groups such as think tanks that deal with North Korea's nuclear weapons program. Crimson Sandstorm also used the technology for spear-phishing campaigns, developing code, and trying to get past antivirus programs.

As for China's Charcoal Typhoon and Salmon Typhoon, Microsoft says the groups have used LLMs for an array of reasons ranging from translations and streamlining cyber tasks to detecting coding errors and developing potentially malicious code.

The company said they disabled the accounts and assets of each of the groups and added that they haven't identified any "significant attacks" employing the LLMs they monitor.

[kyonides]

Senator Marco Rubio Issues Warning on Chinese Cyberattack Targeting Critical Infrastructure

Sen. Marco Rubio (R-Fla.) warned on social media that the outage that affected AT&T on Feb. 22 could be significantly smaller than what a Chinese cyberattack could do.

For much of the morning on Feb. 22, tens of thousands of people on Downdetector and elsewhere complained their AT&T or Cricket service was out, while AT&T, which owns Cricket, confirmed the outage. By the afternoon, the company stated that about 75 percent of its service was restored.

The outage drew a response from Mr. Rubio, vice chairman of the Senate Intelligence Committee, who said that while he doesn’t know what caused the outage, he does know that “it will be 100 times worse when China launches a cyber attack on America on the eve of a Taiwan invasion.”

“And it won’t be just cell service they hit, it will be your power, your water, and your bank,” he said.

A number of federal officials over the years have increasingly issued warnings about the Chinese Communist Party’s (CCP’s) abilities to carry out cyberattacks targeting American infrastructure. According to a recent statement from FBI Director Christopher Wray, the CCP is currently carrying out cyberattacks against the United States and its allies.

“You might find your companies harassed and hacked, targeted by a web of corporate CCP proxies,” he said earlier this month in Germany.

CCP hackers and proxies may be “lurking in your power stations, your phone companies and other infrastructure, poised to take them down when they decide you stepped too far out of line, and that hurting your civilian population suits the CCP,” he said, according to an FBI transcript.

“China-sponsored hackers pre-positioned for potential cyberattacks against U.S. oil and natural gas companies way back in 2011, but these days, it’s reached something closer to a fever pitch,” he said. “What we’re seeing now is China’s increasing build-out of offensive weapons within our critical infrastructure, poised to attack whenever Beijing decides the time is right.”

Amid the AT&T outage, Florida Gov. Ron DeSantis commented that U.S. infrastructure is vulnerable.

“Imagine if we had an EMP [electromagnetic pulse] attack. What would end up happening to this country?” he asked. “You’re so naturally reliant on having cell service. It’s a little bit jarring to think about.

“If you’re in the car, you need to figure out where you’re going to go. All this other stuff. So it’s a little bit jarring to think about the implications of something like that [if that] happened on a much grander scale.”

Leaked Documents Expose China’s Hacking Capabilities, Targets

A massive cache of leaked documents from a Chinese hacking contractor further underscores the global cybersecurity threats posed by China’s communist regime, experts say.

The documents, which were posted on GitHub by unknown individuals on Feb. 16, include product manuals, marketing materials, employee lists, chat records, financial information, and details about foreign infiltration.

The Associated Press confirmed in a Feb. 21 report that the documents originated from China-based cybersecurity vendor I-Soon, known as Anxun in Mandarin, after speaking to two of the company’s employees.

Based on the documents, I-Soon boasts a product line that includes offensive cyber tools and spyware systems. Also included in the documents is a list of contracts that the company signed from July 2016 to June 2022, showing that most of its clients are China’s regional security bureaus. The revelation adds to what is known from the company’s website, which touts the CCP’s Ministry of Public Security as one of its partners.
“The I-Soon incident should once again remind everyone that network security is national security. There is a war without gunpowder, and it is happening in cyberspace,” tech expert Chiang Ya-chi told The Epoch Times on Feb. 21.

Ms. Chiang is the president of the Taiwan Law and Technology Association and a professor who specializes in internet technology and intellectual property law at National Taiwan Ocean University.

The leaked documents show that I-Soon is funded by the Chinese Communist Party (CCP), Ms. Chiang said, noting that Bejing uses tools developed by firms such as I-Soon to infiltrate foreign governments and entities.

A victim list is included in the leaked documents, showing that I-Soon has targeted telecommunications companies, hospitals, universities, organizations, and government entities from many countries. These nations include France, Egypt, India, Indonesia, Kazakhstan, Malaysia, Mongolia, Nepal, South Korea, Taiwan, Thailand, the Philippines, and Vietnam.

One document reveals that I-Soon charged more money for hacking into Vietnam’s Ministry of Economy than for hacking into two other Vietnamese government ministries.

Since the online dump last week, many researchers and experts have published their analysis of the documents written in simplified Chinese.

Malwarebytes, a California company that provides real-time cyber protection, published an analysis of the leaked data on Feb. 21, saying the documents “provide an inside look in the operations that go on in a leading spyware vendor and APT-for-hire.” APT refers to advanced persistent threat.

The analysis highlights some of the I-Soon products revealed by the documents, including what it calls a “Twitter stealer.”

“Features [of the Twitter stealer] include obtaining the user’s Twitter email and phone number, real-time monitoring, reading personal messages, and publishing tweets on the user’s behalf,” the analysis reads.

In one document page, I-Soon boasts that it had studied Twitter’s safety mechanism for years; thus, its product can allegedly bypass security features to target a Twitter user’s account.

The leaked documents also reveal the cost of the “Twitter stealer” product. A one-year usage of the product costs 700,000 yuan (about $97,000), and a three-year usage costs 1.5 million yuan (about $208,000).

The Malwarebytes analysis shows the following product description: “Custom Remote Access Trojans (RATs) for Windows x64/x86: Features include process/service/registry management, remote shell, keylogging, file access logging, obtaining system information, disconnecting remotely, and uninstallation.”

There are iOS and Android versions of the RATs. The iOS model claims to support all iOS device versions without jailbreaking, with features ranging from hardware information to GPS data, contacts, media files, and real-time audio records as an extension, according to the analysis.

I-Soon also has portable devices for “attacking networks from the inside,” it states.

According to the leaked documents, the portable devices come in two different sizes—a standard version that can be disguised as a cellphone battery, power strip, or power adapter and a mini version that can be disguised as a printed circuit board.

The user lookup databases, which include users’ phone numbers, names, and email addresses, can be correlated with social media accounts, according to the Malwarebytes analysis.

The CCP can potentially use the user lookup databases to track and locate dissidents in China. According to the leaked documents, databases have been built for different Chinese platforms, including Weibo, Baidu, and WeChat.

Later on, the article also mentions a dangerous and mind-breaking reality...

Last year, Mr. Wray warned that Chinese hackers outnumber U.S. cyber specialists by at least 50 to one.

Some researchers have suggested that I-Soon could have ties to APT41, a Chinese state-sponsored hacking group, based on their analysis of the leaked documents.

In 2020, five Chinese nationals from APT41 were indicted on charges relating to hacking campaigns to steal trade secrets and sensitive information from more than 100 companies and entities worldwide. The five individuals are currently on the FBI’s wanted list.

Cybersecurity firm Mandiant stated in a 2022 report that APT41 had exploited vulnerabilities in the online systems of at least six U.S. state governments to gain access to those networks.