China denies any link with i-Soon, the cyberespionage company whose data was leaked on GitHub

“China opposes, and punishes, any form of cyberattack, in accordance with its laws”: on Thursday, February 22, a spokesperson for the Chinese Ministry of Foreign Affairs denied any link with hacking allegedly committed by the company i-Soon, hundreds of whose internal documents were published online a week earlier.

The files, whose authenticity no longer appears to be in doubt, describe multiple computer hacking tools as well as a large number of victims of data theft. The victims include Thai, Taiwanese and Vietnamese public institutions, as well as staff from Sciences Po in France and mobile operators in Kazakhstan.

In recent days, major IT security companies as well as independent researchers have been sifting through the documents. A consensus is emerging that links i-Soon to APT 41, a name that refers to a network of hackers and subcontracting companies, supported by the Chinese state, that also engages in criminal hacking.


Direct links with the State

In the files, researchers found multiple links to previously identified hacker groups, which have in the past attacked Tibetan officials or academics working on China.

“These documents are still being analyzed,” Cédric Pernet, of the cybersecurity company Trend Micro and co-author of a report on Earth Lusca, a very active group of Chinese hackers, told Le Monde. “Nevertheless, several indicators such as targeted entities, or the use of certain families of malware and tools, lead us to believe that the modus operandi of part of the operations of the Earth Lusca cyberespionage group and the information discovered in the i-Soon data leak are similar.” In recent years, Earth Lusca has targeted universities and media in Europe, political organizations in Hong Kong, and even administrations in several Asian countries.

The Chinese government’s denials appear unconvincing, given the numerous links between i-Soon and Chinese public operators. The company worked as a subcontractor for Chengdu 404, a company identified by the American FBI as a central component of APT 41. Several employees of this company were also indicted in 2020 for their alleged role in hacking American companies. As cybersecurity specialist Brian Krebs points out, i-Soon CEO Wu Haibo, known under the pseudonym “Shutdown”, was also part of the first generation of patriotic Chinese hackers and belonged to the pro-government group “Green Army”, created at the end of the 1990s.

The i-Soon company has closed its website and refused press requests for interviews, but assured that it would soon publish a detailed press release. On Wednesday, a journalist from the Associated Press agency was able to see that its Chengdu branch was still open. Inside the premises, the journalist saw posters displaying the flag of the Chinese Communist Party, accompanied by the slogan: “Safeguarding the party and the secrets of the country is the duty of every citizen.”


Le Monde with AP
