The DoJ has charged Chinese government and i-Soon employees for a series of for-profit data theft campaigns
# Threat Actor: i-Soon (Hacker-for-Hire Group)
## Attribution & Identity
**Primary Attribution:** Chinese Hacker-for-Hire Group associated with the Chinese Ministry of Public Security (MPS) and potentially the Ministry of State Security (MSS).
**Known Aliases and Associated Groups:** The charging documents link i-Soon activities to **APT27**. Key figures charged include CEO Wu Haibo and COO Chen Cheng. The operation involved collaboration with **MPS officers**.
## Activity Summary
i-Soon employees conducted long-running, arm's-length hacking campaigns between 2016 and 2023. They operated as hackers-for-hire, conducting intrusions either at the request of the MPS/MSS or on their own initiative, and subsequently sold the compromised data to the Chinese government (Beijing). They also trained MPS employees. Separately, **APT27 actors** were charged for a parallel, for-profit campaign dating back to 2013, in which data was sold to various buyers, including the Chinese government.
## Tactics, Techniques & Procedures
The primary TTP described is widespread computer intrusion targeting sensitive digital assets:
- Hacking of email accounts.
- Hacking of mobile phones.
- Hacking of servers.
- Hacking of websites.
- Data exfiltration and subsequent sale of compromised data.
- *Note: Specific MITRE ATT&CK IDs were not mentioned in the provided context.*
## Targeting
**Sectors:**
- Religious organizations (unnamed large organization critical of Beijing).
- News organizations (multiple, critical of Beijing).
- US technology companies.
- Think tanks.
- Law firms.
- Defense contractors.
- Local governments.
- Health care systems.
- Universities.
**Geography:** Implied focus on targets critical of the Chinese Communist Party (CCP), including organizations within the US.
**Victims:** Specific organizations were not named, though the targeting criteria for large religious organizations and news organizations were described. Two APT27 actors (Yin Kecheng and Zhou Shuai) were specifically linked to the hacking of a US Treasury agency between September and December 2024. **Rewards were offered** for information on these four individuals.
## Tools & Infrastructure
**Malware families used:** Not explicitly detailed in the summary provided.
**Infrastructure (C2, domains, IPs):** No specific infrastructure details (IPs or domains) were listed in the provided article summary.
## Implications
The charges reveal a sophisticated structure that uses a commercial entity (i-Soon) to conduct espionage and data theft, sometimes directly on behalf of state entities (MPS/MSS) and sometimes for profit, while still serving Chinese state interests. This highlights the opaque, layered nature of the Chinese cyber espionage ecosystem, which involves both state employees and external contractors. The FBI's involvement and the significant Treasury rewards signal that prosecuting individuals linked to CCP-directed cyber operations is a high priority.
## Mitigations
- **Enhanced Account Security:** Given the focus on email and mobile phone intrusions, implementing robust Multi-Factor Authentication (MFA) is crucial across all affected sectors.
- **Network Monitoring:** Increased scrutiny of outbound and internal network traffic for data exfiltration patterns, especially from systems holding sensitive corporate data, health records, and research data.
- **Supply Chain Vigilance:** Awareness that commercial entities (like i-Soon) are being used as intermediaries for state-sponsored activity.