The i-Soon Leaks: Germany’s BfV Exposes the Industrialization of Chinese Cyber Espionage
A newly released report from Germany’s Federal Office for the Protection of the Constitution (BfV) offers insights into the operations of the Chinese cybersecurity firm i-Soon. The second installment of the BfV’s “CYBER INSIGHT” series, titled “Connections of i-Soon to the Chinese security apparatus,” examines the company’s deep ties to that apparatus and sheds light on the industrialization of cyber espionage by private firms in China.
The BfV’s report is part of a broader investigation into a significant data leak that occurred on February 16, 2024, when over 570 files, images, and chat messages were leaked on the GitHub platform. These documents provide a rare glimpse into China’s methods of conducting cyber espionage globally, revealing how companies like i-Soon collaborate closely with state entities to carry out sophisticated cyber operations.
The leaked documents expose i-Soon’s involvement in “vulnerability mining,” a practice institutionalized by the Chinese government to systematically collect and exploit software vulnerabilities. Discovered vulnerabilities are reported within 48 hours to state databases such as the China National Vulnerability Database (CNNVD), where they become accessible to various cyber actors within the Chinese security apparatus. i-Soon’s role as a Level 3 technical partner of CNNVD underscores its importance in China’s cyber ecosystem.
One of the most striking revelations from the report is the existence of i-Soon’s Anxun College, a training institute that educates over 3,000 specialists annually. These trainees include not only i-Soon employees but also individuals from other companies and state institutions. The college’s curriculum covers a wide range of topics, from self-study to participation in cyber competitions, which serve as a crucial talent pipeline for the company and other state-linked entities.
Moreover, i-Soon holds numerous national certifications that allow it to undertake classified assignments and work with sensitive information. These certifications, which include a Level-2 certificate for classified information related to weapons and equipment, further entrench the company’s role as a strategic partner of the Chinese state.
The BfV report also highlights the close personal ties between i-Soon employees and the Chinese government. A leaked list of “confidential personnel” reveals that employees working with sensitive information have no reported overseas contacts, a likely indication of stringent security protocols. Additionally, many employees are members of the Chinese Communist Party (CCP), further emphasizing the company’s alignment with national interests.
The analysis of chat logs and other documents also uncovers connections between i-Soon’s founder, known by the alias “shutd0wn,” and well-known APT (Advanced Persistent Threat) groups as well as former members of the patriotic hacking community. These connections suggest a broader network of cybersecurity companies in China, many of which, like i-Soon, provide services directly to the government.
The BfV report concludes by discussing the competitive landscape of China’s cybersecurity industry. Companies like i-Soon are thriving in a market-driven environment, where state agencies can choose from a wide array of service providers offering diverse capabilities. This professionalization of cyber services complicates efforts by foreign intelligence agencies to track and attribute specific cyber operations.
As the BfV continues to publish its findings from the i-Soon leaks, the global cybersecurity community will be watching closely. The next reports are expected to reveal specific targets of i-Soon’s APT-like units and provide further details on the company’s clients and product offerings.