Cybersecurity: findings from the I-Soon data leak

In an increasingly networked world, cyber espionage is becoming a growing threat. A recently published paper by the German Federal Office for the Protection of the Constitution (BfV) sheds light on the structures and procedures of the APT units of the Chinese company i-Soon. That document, part 1 of the four-part series “CYBER INSIGHT”, offers a first set of valuable insights into the methods and strategies behind the industrialization of cyber espionage. All four parts have since been published and are covered below.

Introduction: What has been going on at I-Soon?

On February 16, 2024, explosive data was published on GitHub revealing the links between i-Soon and Chinese intelligence services. The leak contains over 570 files, including presentations, chat histories and screenshots of compromised data. It offers a disturbing insight into how privately organized companies carry out cyber attacks on behalf of the state, a practice referred to here as the industrialization of cyber espionage.

The i-Soon company

i-Soon, founded in 2010, is headquartered in Shanghai and has offices in 32 other provinces in China. As a cyber security company, i-Soon is not only responsible for defending against hacker attacks, but also carries out attacks itself on behalf of the Chinese government. The founder of i-Soon, a former member of the “Green Corps”, has built up an extensive network of cyber security companies that work closely with the Chinese security services.

Structure and procedure of the APT units

The leaks provide a rare insight into the organization and working methods of i-Soon. The company’s APT units consist of over 70 people, divided into three main teams: the “Security Research Team”, the “Penetration Teams” and the “Basic Support Team”. These teams work together to carry out complex and targeted cyber attacks.

Services from i-Soon

i-Soon offers a range of services tailored to the needs of its customers:

  • Target Penetration Services: These services target networks of government organizations and agencies to extract sensitive data.
  • Battle Support Services: Support during active cyberattacks to maximize effectiveness.
  • Intelligence Services: Obtaining and analyzing information to support cyber operations.

i-Soon’s approach to hacking campaigns is well-structured and includes several steps, from the selection of attack targets to the organization of the attacks and the support of customers during and after the attacks.

i-Soon and the Chinese cyber ecosystem

The leaks also reveal i-Soon’s role within the Chinese cyber ecosystem. This network encompasses various sectors that are closely intertwined with state-sponsored cyber espionage. i-Soon not only carries out cyber operations on behalf of clients, but also generates information independently in order to sell it on for profit.

Insight into the Chinese cyber landscape

The data provides a comprehensive insight into the complexity and scale of the Chinese cyber ecosystem. Despite its size, i-Soon is only a medium-sized company within a thriving industry in China, but it is capable of carrying out numerous attack operations simultaneously. This demonstrates the high technical level and efficiency of the Chinese cyber security industry.


Integration into the national vulnerability mining

i-Soon is integrated into the national vulnerability mining of the People’s Republic of China and works together with the “China National Vulnerability Database” (CNNVD). Chinese regulations require companies to report discovered vulnerabilities to central security authorities within 48 hours. This information is then available to the relevant actors for potential offensive cyber operations. i-Soon acts as a technical partner and provides vulnerability analysis at partnership level 3, a status that entails the continuous transmission of newly discovered vulnerabilities.

Training and certification

The company operates the “Anxun College”, which trains over 3,000 students in cyber operations every year. This institution serves to develop qualified cyber experts who play a crucial role in China’s cyber security strategy. The curriculum includes self-study as well as practical lessons and competitions. In the process, talent is specifically recruited for i-Soon and prepared for government or commercial cyber activities. The company’s numerous certifications qualify it for various security-sensitive tasks and emphasize the position of trust that i-Soon enjoys with the government.

i-Soon: Connections to the Chinese state and cyber ecosystem

i-Soon has close personnel and structural links with the Chinese state and the national hacker scene. A leaked list of so-called “employees for confidential content” provides detailed information about the internal work areas and documents the requirements for personnel. It is striking that membership of the Chinese Communist Party (CCP) is also noted there – an indicator of ideological affiliation and political control within the company. Having no family contacts abroad also appears to be a tacit requirement; such contacts act as an unstated exclusion criterion.

i-Soon’s involvement in China’s national vulnerability mining reveals its close institutional ties with the security apparatus: the company is registered as a technical supporter in the “China National Vulnerability Database” (CNNVD) – a state-controlled vulnerability register that also provides targeted information to offensive cyber actors. i-Soon must meet defined requirements every year in order to retain its status as a certified partner – including reporting vulnerabilities and providing technical support services to the Chinese state.

The company also has a remarkable training infrastructure: i-Soon trains thousands of people in offensive cyber skills every year at its own “Anxun College”, including members of state institutions. Targeted recruitment through competitions and the integration of students from the public sector indicate a systematic promotion of young talent in the interests of the state.

In addition, there are links to well-known APT (Advanced Persistent Threat) groups and former members of China’s patriotic hacker scene via founders and employees. Many of these actors now run their own companies and work for state clients – evidence of the blurring of the boundaries between private sector activity and state-controlled cyber espionage.

i-Soon thus exemplifies a growing model of Chinese cyber companies that operate with state connivance and support – economically motivated, but politically embedded. The company operates in a market in which professional cyber service providers offer highly specialized hacking tools, personnel training and attack operations as a package solution – and the Chinese state is increasingly taking advantage of these services.


Economic dynamics and effects

The activities of i-Soon illustrate the extensive opportunities that the Chinese state can tap into by working with the flourishing cybersecurity industry. The services offered by i-Soon and similar companies make it easier for the state to access professional cyber services without having to make intensive use of its own resources. This outsourcing leads to an increased professionalization of cyber campaigns and makes it more difficult to identify the players. The slogan “Security is borderless” on the company website reflects the global ambition and broad range of services that make this collaboration possible in the first place.

These findings show that the Chinese cybersecurity landscape is not only structured by the state, but also characterized by strategic partnerships with private companies, resulting in a complex, professional and difficult-to-trace system. These industrial structures have a direct impact on the security situation of other nations and raise questions about compliance with international cyber norms.


Geopolitical relevance

In its third report on the i-Soon leaks, the Federal Office for the Protection of the Constitution (BfV) also sheds light on detailed findings about the cyber attacks by the Chinese company i-Soon and their geopolitical relevance. The comprehensive data in the leak allows conclusions to be drawn about specific targets, target regions and the strategic direction of the attacks in line with Chinese interests.

Target regions and countries affected

i-Soon’s activities are conspicuously concentrated in geopolitically sensitive regions. The focus is particularly on West and Southeast Asia, with attacks against Hong Kong, Taiwan, India, Nepal and Tibet. Numerous other countries are also affected, including Kazakhstan, Malaysia, Mongolia, Kyrgyzstan, Turkey, Pakistan, Egypt, Uganda, Vietnam, South Korea and Afghanistan. This selection clearly reflects the strategic interests of the People’s Republic of China.

The documented expansion of operations to European target regions is also noteworthy. Besides France, the leak contains references to compromised systems with an EU connection, including documents marked with the “ZED!” (ZED! For European Union Security) encryption system – a standard security procedure used by NATO and EU institutions. Other screenshots indicate possible attacks against North Macedonia (in the context of EU accession negotiations), the Czech Republic (EU Council of Ministers 2022) and targets in the UK. All of this demonstrates a considerable interest in gathering information relevant to foreign and security policy in Europe.

Specific targets of the attacks

The leak shows that i-Soon primarily targets networks of government agencies (over 43%) and telecommunications providers (around 25%). Other sectors affected include medical facilities, energy suppliers, research institutions, religious organizations and educational institutions. The wide range of targets suggests strategically motivated information siphoning across various sectors of society.

The attack data provides a detailed insight into i-Soon’s approach: each entry contains information on the target country, file type, file size, type of captured data, description of the access and comments from the processing unit. It is clear that i-Soon offers its customers the option of selecting whether a further operation should be carried out on the basis of preliminary data records. This “on-demand” model underlines the industrialization and service logic behind cyber espionage.

The case of a Kazakh telecommunications service provider offers a particularly striking example: i-Soon supplies an 820 GB data extract that enables, among other things, full access to the internal intranet, file servers and anti-virus systems as well as real-time queries of call logs. Such in-depth access demonstrates not only technical expertise but also a willingness to take comprehensive control of critical infrastructures.

China’s geopolitical orientation and interests

The targets reflect China’s geopolitical interests. The focus is on countries such as Hong Kong, Thailand, Taiwan, Kazakhstan and Malaysia, which underlines the importance of these countries for information gathering. The compromises are difficult to track as the actors operate professionally and inconspicuously. This indicates that such operations are of high strategic importance and probably pursue long-term goals.

Conclusions and global effects

The report highlights how intensively private companies such as i-Soon are involved in state-motivated cyber operations, offering highly professional services that serve Chinese interests. The targeting of government agencies, telecommunications providers and other critical sectors suggests that China is using private actors to systematically weaken the cyber security of other countries and collect strategically relevant information. The i-Soon leak thus exemplifies how cyber espionage is used not only as a means of gathering information, but also as a geopolitical tool.


Image of the product portfolio

The BfV’s fourth and final analysis of the i-Soon leaks provides a detailed picture of i-Soon’s product portfolio and customers. This investigation shows how well developed i-Soon’s product range is and how important it is for Chinese government and security agencies. i-Soon’s products and services are aimed at government clients, private companies and military users. This arsenal of tools demonstrates the enormous technical possibilities that the Chinese security apparatus can use for offensive and defensive cyber operations via private providers such as i-Soon.

Product overview and technical potential

i-Soon’s product range includes a variety of specialized tools, including the “Integrated Combat Platform” for managing large-scale cyber operations, an “Automated Penetration Testing Platform” for automated security testing, and a “Microsoft E-Mail Encryption Platform” for compromising Microsoft mailboxes and bypassing two-factor authentication. In addition, i-Soon offers anonymization tools such as the “Anonymous Anti-Tracing Wall”, which is specifically designed to conceal cyber operations, and the “Individual (Soldier) Toolbox” – a mobile penetration testing set with extensive functions for manipulating and attacking target networks.

Customers and contract structures

i-Soon’s target audience is primarily made up of Chinese security authorities and intelligence services – above all the Ministry of Public Security (MPS), the Ministry of State Security (MSS) and the People’s Liberation Army (PLA). In addition, the company also addresses private sector players, in particular other cybersecurity companies with a similar focus. The internal division into four customer groups (“Public Security”, “Safety”, “Military”, “Enterprise”) clearly shows that i-Soon not only supplies government agencies, but also commercial partners in the cyber sector.

The contract books reveal specific insights into the forms of cooperation: contract titles such as “Network Technology Service Contract”, “Technical Cooperation Agreement” or “Overseas Data Inquiry” refer to technical support services, including access to email accounts, network structures and sensitive personal data. The targeted purchase of target data (“Data Purchase Contract”) and the provision of anonymization infrastructure (“Anti-Tracing Sales Contract”) are also part of the service portfolio. According to documents, the MSS in particular also uses so-called “contract hackers” and anonymization networks for cyber operations abroad.

The i-Soon product range is tailored to government needs. The tools on offer include an “Integrated Combat Platform” for comprehensive cyber operations, automated penetration tests, a platform for compromising Microsoft email accounts, systems for email analysis and anonymized navigation on the clear net and darknet, as well as a mobile “Soldier Toolbox” with offensive attack functions such as webshell use and packet manipulation. The modular structure of many tools allows flexible deployment scenarios – even for less technically experienced users.

Overall, the leak confirms a largely industrialized business model: i-Soon offers tailor-made cyber services with a high degree of professionalization for government clients – including product maintenance, user training, anonymization and data acquisition. It is clear that this is not just isolated contract work, but a firmly established supplier structure in the Chinese cyber ecosystem.

Conclusions and global effects

The extensive offerings and modular design of many tools show that i-Soon provides a broad arsenal of easy-to-use but powerful cyber tools that are particularly optimized for Chinese security agencies. The market for cyber security services in China, whose expansion is driven by private companies such as i-Soon, shows a clear industrialization of cyber espionage. This dynamic is leading to constant innovation and professionalization, providing Chinese government agencies with access to tailored cyber capabilities without the need for in-house development expenditure.

Attorney Ferner on hackers from China and findings from the I-Soon data leak

Overall, the i-Soon leaks illustrate the danger posed by a cyber industry that is run by the private sector and yet controlled by the state. Chinese security authorities benefit from a system that enables them to gain information and influence worldwide in an efficient and targeted manner – and German companies must align their cyber security policy accordingly!

The i-Soon leaks are an example of how Chinese companies are pursuing national interests in the field of cyber espionage. The regional and sectoral focuses coincide with Beijing’s foreign and security policy objectives. At the same time, the extension to European institutions and member states highlights the global nature of the resources deployed – and the need to understand cyber security as a geopolitical issue.

German Lawyer Jens Ferner (Criminal Defense & IT-Law)