ISOON

The iSoon campaign refers to a series of related activities centered around Shanghai Anxun Information Technology (Anxun; aka iSOON), a key Chinese InfoSec vendor. The compromise of iSoon led to a rare leak of information, which revealed its connection to the KEYPLUG malware campaign. This incident further supported the "quartermaster" theory, suggesting that Chinese-state hacking groups draw from centralized pools of tools and techniques. Moreover, it was hypothesized that there could be a connection between Advanced Persistent Threat 41 (APT41) and the iSoon Leak incident. Further investigation into this leak, particularly regarding the used tools and methods, could provide insights into APT41's involvement or that of related entities. iSoon, despite being a relatively small player in the Chinese cybersecurity community, claimed to have breached organizations in over 30 countries using sophisticated tools. According to threat research firm Natto, Chengdu-headquartered iSoon operated out of six locations in China and had about 160 employees at the time of the leak. However, only about 26 of these employees held four-year university degrees and handled sensitive operations. iSoon's struggle with employee retention highlighted the competitive atmosphere within China's cybersecurity industry. The leaked documents linked iSoon to Chinese state hacking groups tracked as RedHotel, RedAlpha, and Poison Carp. These groups were likely sub-teams within iSoon, each focusing on specific missions. Furthermore, an analysis of the iSoon documents found that the company spied on government and private organizations in at least 22 countries on behalf of the Chinese government. This suggests that iSoon and similar companies develop valuable cyber tools for state and local authorities, reflecting the significant role of private sector companies in China's pool of skilled cyber experts.