Targets included the U.S. Treasury Department, journalists, and religious organisations, and the attacks intended to steal data and suppress free speech.
Analysis Summary
# Threat Actor: Unnamed Chinese State-Sponsored Hacking Group (Associated with i-Soon and APT27)
## Attribution & Identity
The actors charged include 12 Chinese nationals:
* Two officers of China’s Ministry of Public Security (MPS).
* Eight employees of a private company known as **Anxun Information Technology** or **i-Soon**.
* Two members of the hacking group **Advanced Persistent Threat 27 (APT27)** (named as Yin "YKC" Kecheng and Zhou "Coldface" Shuai).
The overall operation is described as "hacker-for-hire activities" directing and fostering attacks against global networks, often leveraging i-Soon as a cyber mercenary firm working for government officials.
## Activity Summary
The activities spanned from 2016 to 2023, involving both state-directed theft and profit-driven cyber mercenary operations. MPS officers allegedly hired i-Soon freelancers to steal data and to obscure the officers' involvement, targeting entities critical of the Chinese government or those communicating with the U.S. The APT27 members also sold stolen data to government-linked organizations, including i-Soon. Specific operations included stealing data from email accounts, cellphones, servers, and websites, often aiming to suppress free speech and to profit from data sales.
## Tactics, Techniques & Procedures
- **Data Theft:** Stealing data from email accounts, cellphones, servers, and websites.
- **Account Hijacking:** Using a specialized tool to hijack Twitter (now X) accounts to manipulate public opinion (sending, deleting, liking, and forwarding Tweets).
- **Social Engineering/Delivery:** Sending victims phishing links to gain initial access.
- **Persistent Access:** Installing **web shells** to maintain access to victim networks.
- **Vulnerability Exploitation:** Scanning for **zero-day vulnerabilities**.
- **Data Exfiltration:** Utilizing **hop-point servers** for data exfiltration.
- **Evasion:** Employing **encrypted VPNs** and **VPS accounts** to conceal activities.
- **Training/Sales:** i-Soon trained MPS employees and sold cyber tools, including phishing, password-cracking, and system infiltration software.
## Targeting
- **Sectors:** U.S. Government (Treasury Department), State research universities, News organizations, Law firms, Healthcare systems, Defense contractors, Technology firms.
- **Geography:** U.S. and abroad (including Taiwan, India, South Korea, Indonesia, Hong Kong).
- **Victims:** Specific targets included the U.S. Treasury Department, a New York State Assembly representative, a religious group critical of the Chinese government, a China-focused human rights group, foreign ministries in Asia, and journalists critical of the CCP.
## Tools & Infrastructure
- **Malware Families Used:** Web shells, general cyber tools (phishing, password-cracking, system infiltration software).
- **Infrastructure (C2, domains, IPs):**
* Advertising/Business Domains Seized: `ecoatmosphere[.]org`, `newyorker[.]cloud`, `heidrickjobs[.]com`, `maddmail[.]site`.
* Infrastructure seizure included a Virtual Private Server (VPS) account.
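The seized domains above are the only network indicators the report gives. The following Python script is an added example (not part of the original report or of any DOJ material) that shows how a defender would refang those indicators and sweep proxy and DNS logs for them, including subdomains, while not matching look-alike names that merely end in the same string. The log lines are constructed samples, not real traffic, and the Squid-like and BIND-like formats are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Defanged domains exactly as listed in the report's infrastructure section.
SEIZED_DOMAINS_DEFANGED = [
    "ecoatmosphere[.]org",
    "newyorker[.]cloud",
    "heidrickjobs[.]com",
    "maddmail[.]site",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


SEIZED_DOMAINS = {refang(d) for d in SEIZED_DOMAINS_DEFANGED}

# Any token that looks like a DNS name: one or more labels, then an alphabetic TLD.
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def matches_watchlist(hostname: str, watchlist=SEIZED_DOMAINS) -> Optional[str]:
    """Return the watchlisted domain that hostname equals or is a subdomain of.

    The explicit '.' + domain check prevents 'notheidrickjobs.com' from
    matching 'heidrickjobs.com'.
    """
    h = hostname.lower().rstrip(".")
    for d in watchlist:
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_log(lines: List[str], watchlist=SEIZED_DOMAINS) -> List[Tuple[int, str, str]]:
    """Return (line_number, hostname, watchlisted_domain) for every hit in the log."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for host in _HOST_RE.findall(line):
            d = matches_watchlist(host, watchlist)
            if d:
                hits.append((n, host.lower(), d))
    return hits


# Constructed sample log lines (not real traffic): a Squid-style proxy log and a BIND-style query log.
SAMPLE_LOG = [
    "1709999001.123 10.0.4.17 TCP_MISS/200 5123 GET https://www.example.org/index.html - HIER_DIRECT/203.0.113.5 text/html",
    "1709999002.456 10.0.4.22 TCP_MISS/200 812 POST https://mail.newyorker.cloud/login - HIER_DIRECT/198.51.100.9 text/html",
    "Mar 4 12:00:03 dns1 named[1234]: client 10.0.4.31#53122: query: heidrickjobs.com IN A + (10.0.0.53)",
    "Mar 4 12:00:04 dns1 named[1234]: client 10.0.4.31#53123: query: notheidrickjobs.com IN A + (10.0.0.53)",
    "1709999005.789 10.0.4.17 TCP_MISS/200 300 GET http://ecoatmosphere.org/ - HIER_DIRECT/192.0.2.44 text/html",
]


def demo() -> List[Tuple[int, str, str]]:
    """Run the sweep over the constructed sample; three lines should hit, the look-alike should not."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for n, host, d in demo():
        print(f"line {n}: {host} matches seized domain {d}")
```

Because the domains were seized, later resolutions or connections to them from an internal host are worth a retrospective look at that host rather than an active block alone; the same matcher can be pointed at historical DNS or proxy archives.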
## Implications
This activity highlights a sophisticated, multi-layered ecosystem of cyber mercenaries operating under the direction of Chinese state actors (MPS) to achieve both intelligence collection and political repression goals globally. The blending of state intelligence work with profit-driven mercenary activity is a significant threat vector in its own right, since the stolen data is monetized through resale as well as used by the state.
## Mitigations
- Enhance defenses against sophisticated phishing campaigns, specifically those leading to credential compromise or account takeover (e.g., multi-factor authentication, user training).
- Monitor networks for the installation of web shells and unauthorized persistent access methods.
- Review security postures against known zero-day exploitation techniques.
- Implement strict controls over email and social media account security given the specific focus on hijacking Twitter/X and email inboxes.
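The web shell mitigation above is easiest to act on as file integrity monitoring of the web root: take a hash baseline at deploy time, then report every new or modified file, and escalate those with a server-side script extension (a new `.php` under an upload directory is the classic sign of a dropped shell). The script below is an added example written for this summary, not code from the report or from any of the named parties; the directory layout, the extension list, and the fixture files it creates in a temporary directory are all constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Extensions the web server would execute; a new file with one of these is an alert, not just info.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".jsp", ".jspx", ".aspx", ".ashx", ".asmx", ".cgi", ".pl", ".py"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: Path) -> Dict[str, str]:
    """Map each file (path relative to web_root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(web_root).as_posix(): sha256_of(p)
        for p in web_root.rglob("*")
        if p.is_file()
    }


def find_changes(web_root: Path, baseline: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Return (relpath, change_kind, is_script) for files that are new, modified or removed since baseline."""
    current = build_baseline(web_root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            kind = "new"
        elif baseline[rel] != digest:
            kind = "modified"
        else:
            continue
        findings.append((rel, kind, Path(rel).suffix.lower() in SCRIPT_EXTENSIONS))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "removed", Path(rel).suffix.lower() in SCRIPT_EXTENSIONS))
    return sorted(findings)


def demo() -> List[Tuple[str, str, bool]]:
    """Constructed fixture: a small web root, a deploy-time baseline, then two post-deploy changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; // constructed fixture\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg stub")
        baseline = build_baseline(root)

        # Simulated changes after the baseline: an unexpected script under the upload
        # directory (placeholder content, not a real shell) and an edited index.php.
        (root / "uploads" / "image.php").write_text("<?php // constructed placeholder for an unexpected script\n")
        (root / "index.php").write_text("<?php echo 'hello'; // modified after baseline\n")
        return find_changes(root, baseline)


if __name__ == "__main__":
    for rel, kind, is_script in demo():
        print(f"[{'ALERT' if is_script else 'info'}] {kind}: {rel}")
```

In production the baseline is regenerated as part of each legitimate deployment and stored off the web host, so that an intruder who can write to the web root cannot also rewrite the record of what is supposed to be there.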