
Rocket Report: China flies reusable rocket hopper; Falcon Heavy dazzles

28 June 2024 at 07:00
SpaceX's 10th Falcon Heavy rocket climbs into orbit with a new US government weather satellite. (credit: SpaceX)

Welcome to Edition 6.50 of the Rocket Report! SpaceX launched its 10th Falcon Heavy rocket this week with the GOES-U weather satellite for NOAA, and this one was a beauty. The late afternoon timing of the launch and atmospheric conditions made for great photography. Falcon Heavy has become a trusted rocket for the US government, and its next flight in October will deploy NASA's Europa Clipper spacecraft on the way to explore one of Jupiter's enigmatic icy moons.

As always, we welcome reader submissions, and if you don't want to miss an issue, please subscribe using the box below. Each report will include information on small-, medium-, and heavy-lift rockets as well as a quick look ahead at the next three launches on the calendar.

Sir Peter Beck dishes on launch business. Ars spoke with the recently knighted Peter Beck, founder and CEO of Rocket Lab, about where his scrappy company fits in a global launch marketplace dominated by SpaceX. Rocket Lab has racked up the third-most orbital launches of any US launch company (it is headquartered in California but primarily assembles and launches rockets in New Zealand). SpaceX's rideshare launch business with the Falcon 9 rocket is putting immense pressure on small launch companies like Rocket Lab. However, Beck argues his Electron rocket is a bespoke solution for customers who need to put their satellite in a specific place at a specific time, a luxury they can't count on with a SpaceX rideshare.


May and June 2024 in space

26 June 2024 at 16:32
Around the sun, into orbit, towards the asteroids, to the moon and back again. It's been too long since an update on humanity's space exploration. Let's catch up. There's a lot going on:

Sun: NASA's Solar Dynamics Observatory imaged Sol firing off two strong solar flares. The European Space Agency (ESA) published close-up footage of the Sun taken by the Solar Orbiter.

Venus: Researchers used Magellan spacecraft data from the early 1990s to determine that Venus probably has some ongoing volcanic activity.

On Earth's surface: Construction on the Vera C. Rubin Observatory in Chile is nearly finished. In Texas, SpaceX wants to produce one Starship rocket per day in its impending StarFactory.

From Earth to orbit: Successes: after months of delays, Boeing's Starliner finally launched and carried two astronauts to dock with the International Space Station (ISS), albeit with persistent helium leaks and thruster problems. SpaceX launched and, for the first time, successfully splashed down a Starship. SpaceX reports it now carries 87% of orbital tonnage. A Long March 2C rocket carried a Franco-Chinese satellite, the Space Variable Objects Monitor (SVOM), into orbit to study gamma-ray bursts. NASA's first Polar Radiant Energy in the Far-InfraRed Experiment (PREFIRE) cubesat rode a Rocket Lab Electron rocket from Māhia, New Zealand, into orbit, followed by another. Rocket Lab also orbited a South Korean Earth-observing satellite as well as a solar sail experiment. GOES-U, the fourth and final satellite in the Geostationary Operational Environmental Satellites (GOES)-R Series, rode a Falcon Heavy into orbit. South Korea confirmed a North Korean launch failed to reach orbit.

In Earth orbit: "For the first time in history, three different crewed vehicles, Starliner, SpaceX's Dragon, and Russia's Soyuz, were all simultaneously docked" at the ISS. Zebrafish on the Tiangong space station are "showing directional behavior anomalies, such as inverted swimming and rotary movement" (video). NASA has delayed Starliner's return indefinitely. Leaks on the ISS are a persistent problem. The Hubble space telescope lost another gyroscope. An astronaut wants to help.

Back down to Earth: The Indian Space Research Organisation (ISRO) is working on making its space missions free of debris. A video clip shows a Chinese rocket falling near a village. NASA confirmed that SpaceX debris fell on North Carolina.

Earth's moon: Chang'e-6 (嫦娥六号) blasted off from Earth, traveled to the moon, then landed in the South Pole–Aitken basin, taking a selfie and planting a flag made of stone. Two days later its ascender lifted off, carrying two kilograms of lunar material, which it delivered to its orbiter, which then transported the samples successfully to the Earth's surface (mix of official video footage and animation). Lunar plans: Roscosmos and the China National Space Administration (CNSA) announced their intention to build a nuclear power plant on the moon by 2035. A Japanese billionaire canceled his planned lunar trip.

Mars: ESA and NASA agreed on a shared Martian rover project. NASA awarded nine companies grants to develop feasibility studies for Martian missions.

To the asteroids: Beyond the orbit of Mars, heading to its first asteroid, NASA's Psyche spacecraft fired up its electric thrusters. A research team applied AI to Hubble data and found more than 1,000 new asteroids.

Saturn: NASA approved funding for the Dragonfly mission to Titan.

In the Kuiper belt: Voyager 1 restarted sending data all the way back to Earth.

Way, way beyond the solar system: The James Webb space telescope imaged the farthest known galaxy, JADES-GS-z14-0.

Malwarebytes Premium Security stops 100% of malware during AV Lab test

26 June 2024 at 06:55

Malwarebytes Premium Security has maintained its long-running, perfect record in protecting users against online threats by blocking 100% of the malware samples deployed in the AV Lab Cybersecurity Foundation’s “Advanced In-The-Wild Malware Test.”

For its performance in the May 2024 evaluation, Malwarebytes Premium Security also received a certificate of “Excellence.”

According to AV Lab, such certificates “are granted to solutions that are characterized by a high level of security, with a rating of at least 99% of blocked threats in the Advanced In-The-Wild Malware Test.”

Every two months, the cybersecurity and information security experts at AV Lab construct a series of tests to compare cybersecurity vendors against the latest malware that is currently being used by adversaries and threat actors.

For the May evaluation, AV Lab tested 521 unique malware samples against 13 cybersecurity products. Malwarebytes Premium Security detected 521/521 malware samples, with a remediation time of 44 seconds—well below the 52-second average determined by AV Lab in its most recent testing.

Three cybersecurity vendors failed to block 100% of malware tested: ESET, F-Secure, and Panda.

To ensure that AV Lab’s evaluations reflect current cyberthreats, each round of testing follows three steps:

  1. Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.
  2. Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
  3. Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”

Malwarebytes is proud to once again achieve a 100% score with AVLab’s Advanced In-The-Wild Malware Test, a trusted resource that proves our commitment to user safety.

Sir Peter Beck unplugged: “Transporter can do it for free for all we care”

24 June 2024 at 18:30
Rocket Lab CEO Peter Beck speaks during the opening of the new Rocket Lab factory on October 12, 2018, in Auckland, New Zealand. (credit: Phil Walter/Getty Images)

Peter Beck has been having a pretty great June. Earlier this month, he was made a Knight Companion of the New Zealand Order of Merit. Then, Sir Peter Beck presided as Rocket Lab launched its 50th Electron rocket, becoming the fastest company to launch its 50th privately developed booster.

Finally, last week, Rocket Lab revealed that it had signed its largest launch contract ever: 10 flights for the Japanese Earth-observation company Synspective. Ars caught up with Beck while he was in Tokyo for the announcement. What follows is a lightly edited transcript of our conversation, which touches on a variety of launch-related issues.

Ars Technica: Hi Pete. We've talked about competition in small launch for years. But when I tally up the record of some of your US competitors—Firefly, Astra, Relativity Space, Virgin Orbit, and ABL—they're 7-for-21 on launch attempts. And if you remove the now-retired rockets, it's 1-for-6. Some of these competitors have, or did, exist for a decade. What does this say about the launch business?


South Korean Researchers Observe Remcos RAT Distributed Through Fake Shipping Lures

By: Alan J
11 June 2024 at 16:15


Researchers have discovered a new phishing campaign in which threat actors distribute the Remcos RAT malware within UUEncoding (UUE) file attachments in emails purporting to be about importing or exporting shipments. The UUEncoding (UUE) file attachments are compressed with Power Archiver, a proprietary and cross-platform archive utility that supports both Windows and MacOS.

Use of UUEncoding (UUE) Files to Distribute Remcos RAT Malware

Researchers from AhnLab discovered that the threat actors behind the campaign use UUEncoding files with a .UUE extension. UUEncoding is designed to encode binary data as plain text so that it can be attached to e-mail or Usenet messages. The malicious .UUE files attached to the phishing e-mails encode a VBS script, and the threat actors appear to have chosen the format and encoding as an attempt to bypass detection.

When decoded, the VBS script is obfuscated, making it difficult for researchers to analyze. The script saves a PowerShell script into the %Temp% directory and executes it. That script then downloads the Haartoppens.Eft file, which executes an additional PowerShell script. This script is also obfuscated and is designed to load shellcode into the wab.exe process.

The shellcode maintains persistence by adding a registry key to the infected system, then contacts a remote C&C server to load additional instructions. The instructions ultimately download the Remcos RAT malware for execution on infected systems.
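The decode-and-inspect step described above, as an added example that is not part of the AhnLab report or this article: a small Python triage script that parses a .uue attachment with the standard library, recovers the embedded file name and bytes, and flags script extensions and dropper-like strings before anyone opens the file in an archiver. The uuencoded sample is constructed inside the block (a harmless stand-in named after the reported lure, not the real dropper); the marker list and the "block"/"review" verdict labels are assumptions for the example.

```python
"""Triage a UUEncoded (.uue) mail attachment without opening it in an archiver.

Added example for this write-up, not AhnLab's tooling. The .uue sample is
constructed in-line: a benign stand-in for the dropper script is uuencoded
the way a mail client would, then parsed back and scored. The marker strings
and the "block"/"review" verdicts are assumptions for the example.
"""
import binascii

# Extensions that should never arrive as a bare mail attachment (assumption).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}

# Byte-strings typical of a first-stage VBS dropper, matched case-insensitively.
SUSPICIOUS_MARKERS = (b"createobject(", b"wscript.shell", b"powershell", b"%temp%")


def uuencode(filename: str, data: bytes, mode: str = "644") -> str:
    """Build a uuencoded block (begin/end framing, 45 payload bytes per line)."""
    lines = [f"begin {mode} {filename}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]          # zero-length terminator line, then the trailer
    return "\n".join(lines) + "\n"


def uudecode(text: str):
    """Parse one uuencoded block; return (mode, filename, payload).

    Raises ValueError on missing framing or a corrupt line (binascii.Error is a
    ValueError). binascii.a2b_uu('') yields 32 NUL bytes, so blank lines and the
    '`' terminator are skipped explicitly instead of being fed to the decoder.
    """
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if ln.startswith("begin ")), None)
    if start is None:
        raise ValueError("no 'begin' header")
    header = lines[start].split(" ", 2)
    if len(header) != 3:
        raise ValueError("malformed 'begin' header")
    mode, filename = header[1], header[2].strip()
    payload = bytearray()
    for ln in lines[start + 1:]:
        if ln.strip() == "end":
            return mode, filename, bytes(payload)
        if ln.strip() in ("", "`"):
            continue
        payload += binascii.a2b_uu(ln)
    raise ValueError("no 'end' trailer")


def triage(uue_text: str) -> dict:
    """Decode the attachment and report why (or whether) it should be blocked."""
    mode, filename, payload = uudecode(uue_text)
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    lowered = payload.lower()
    markers = [m.decode() for m in SUSPICIOUS_MARKERS if m in lowered]
    scripty = ext in SCRIPT_EXTENSIONS
    return {
        "filename": filename,
        "mode": mode,
        "size": len(payload),
        "script_extension": scripty,
        "markers": markers,
        "verdict": "block" if (scripty or markers) else "review",
    }


# Constructed sample: the decoded file name follows the reported lure, but the
# script body is a harmless stand-in that only mimics the dropper's shape.
SAMPLE_VBS = (
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'sh.Run "powershell -nop -w hidden -File %Temp%\\stage.ps1", 0, False\r\n'
)
SAMPLE_UUE = uuencode("Invoice_order_new.vbs", SAMPLE_VBS)

if __name__ == "__main__":
    print(SAMPLE_UUE)
    print(triage(SAMPLE_UUE))
```

The point of decoding at the gateway rather than trusting the outer extension is that a .uue wrapper tells you nothing about what is inside; the embedded `begin` header carries the real file name, and the bytes are right there to inspect. A plain text attachment still gets a "review" verdict rather than a pass, because this heuristic only knows what a dropper tends to look like, not what benign mail looks like.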

Remcos RAT malware

The Remcos RAT collects system information from infected systems and stores keylogging data in the %AppData% directory. The malware then sends this data to the remote command-and-control (C&C) server, which is hosted on a DuckDNS domain.

Remcos is a commercial remote access tool (RAT) that is advertised as a legitimate tool but has been observed in numerous threat actor campaigns. Successful loading of Remcos opens a backdoor on the targeted system, allowing complete control.

The researchers shared the following indicators to help detect and stop this campaign:

IOCs (Indicators of Compromise)
  • b066e5f4a0f2809924becfffa62ddd3b (Invoice_order_new.uue)
  • 7e6ca4b3c4d1158f5e92f55fa9742601 (Invoice_order_new.vbs)
  • fd14369743f0ccd3feaacca94d29a2b1 (Talehmmedes.txt)
  • eaec85388bfaa2cffbfeae5a497124f0 (mtzDpHLetMLypaaA173.bin)
File Detection
  • Downloader/VBS.Agent (2024.05.17.01)
  • Data/BIN.Encoded (2024.05.24.00)
C&C (Command & Control) Servers
  • frabyst44habvous1.duckdns[.]org:2980:0
  • frabyst44habvous1.duckdns[.]org:2981:1
  • frabyst44habvous2.duckdns[.]org:2980:0
The researchers also shared the following general recommendations to avoid similar phishing campaigns:
  • Refrain from opening emails from unknown sources.
  • Refrain from running or enabling macros when opening downloaded attachments. Set Office macro security to the highest level, as lower levels may execute macros automatically without displaying any notification.
  • Update anti-malware engines to their latest versions.
The UUE file format has previously been used in several malicious campaigns because it can slip past security tools that do not decode it, and a researcher previously disclosed a UUEncode-related vulnerability in Python.

Automating SCCM with Ludus: A Configuration Manager for Your Configuration Manager

6 June 2024 at 10:50

TL;DR: Using Ludus as the backend, and with the help of Erik at Bad Sector Labs, I present a fully customizable SCCM deployment you can integrate into your home lab. https://github.com/Synzack/ludus_sccm

Intro

The past couple of years have been an exciting time in Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager [SCCM]) tradecraft. I’ve read too many SCCM blogs to mention here and I have had the personal privilege to be coworkers with researchers such as Garrett Foster, Duane Michael, Chris Thompson, and Ryan Cobb and see their work firsthand.

As exciting as SCCM is, it was always a little intimidating to try to recreate the research being published. The first time I made an SCCM lab, it took hours of creating virtual machines (VMs) by hand, configuring the domain, reading SCCM configuration blogs, and several long calls with Garrett to understand why my pre-reqs were still failing.

Due to this barrier to entry, most of my SCCM hands-on training came on the job in actual production environments, with one of our researchers guiding the steps and testing scenarios in their research lab, assuming it had the same configuration. Speaking with other colleagues in the industry, they faced similar challenges. They would see SCCM on a real-world engagement but lacked the experience to confidently probe for vulnerabilities without fear of breaking something. In comes the need for a testing lab…but where?

During this time, there were limited resources for pre-built labs. There was a Snap Labs template by @an0n (https://twitter.com/an0n_r0/status/1687230842601451522) that was great, but I desired something that could be used in my local bare-metal lab.

Another option was Microsoft’s evaluation lab (https://learn.microsoft.com/en-us/mem/configmgr/core/get-started/set-up-your-lab), but it couldn’t be easily integrated into my existing lab and domain.

I began looking into ways to create my own lab. I tried migrating to Proxmox from ESXi (for the free API) and using tools like Packer, Ansible, and Terraform. This proved very time consuming and hard to scale as I am not a DevOps engineer. I had put the project on the back-burner until I came across a tweet that changed everything (https://twitter.com/badsectorlabs/status/1754909113090269474).

As of March 23, 2024, SCCM was added to the GOAD project (https://twitter.com/M4yFly/status/1771643303164891262). This looks like a fantastic resource, especially if you want a pre-configured lab, ready to go.

Ludus

Erik Hunstad, the founder of Bad Sector Labs, created Ludus and shared the same sentiments I did when it came to labs: advanced and easily deployable cyber ranges designed for testers and researchers alike. Ludus is built on top of Proxmox, has built-in networking, does all of the backend VM configuration for me, and uses easy to install templates for all the configuration. No longer did I need to worry about trying to create back end infrastructure; all I needed to do was focus on creating Ansible roles on my new pre-configured hosts.

And the best part? Ludus is FULLY customizable. I could recreate my home lab using my domain name, my usernames, and install any features I wanted à la carte. This is something I found wanting in other publicly available labs. They contained amazing content, but I always felt like I was using someone else’s lab and had to learn their naming conventions and structures.

The Lab

As soon as I found Ludus, I hit the ground running to build a fully customizable SCCM lab I could use for practice and research purposes. I had the pleasure of working with Erik directly as a resource to bounce ideas off of and improve my Ansible tradecraft. While there is still work to do and features to add, I wanted to provide this lab as a template for everyone in the field who is looking for the same features I was.

Check it out here: https://github.com/Synzack/ludus_sccm

I would give you a network diagram, but since the network is whatever you want it to be, it’s up to your imagination! The default configuration deploys the following hosts:

  • Domain Controller
  • Workstation
  • Distribution Point
  • Management Point
  • Site Database
  • Site Server

Installation

I won’t be covering the actual Ludus installation, as Erik already created fantastic documentation on https://ludus.cloud/. Installation is easy and only requires a few commands. After you have successfully installed Ludus and its server templates, you are ready to deploy your very own SCCM lab.

The actual roles and features can be installed directly from Ansible Galaxy with one command:

ludus ansible collection add synzack.ludus_sccm

That’s it!

After that, the entire configuration is handled in a single YAML file, sccm-range-config.yml, included in the repository. Nearly everything in this file is configurable. Below is an example of a host configuration:

- vm_name: "{{ range_id }}-sccm-sitesrv"
  hostname: "sccm-sitesrv"
  template: win2022-server-x64-template
  vlan: 10
  ip_last_octet: 15
  ram_gb: 8
  cpus: 4
  windows:
    sysprep: true
  domain:
    fqdn: contoso.local
    role: member
  roles:
    - synzack.ludus_sccm.enable_webdav
    - synzack.ludus_sccm.ludus_sccm_siteserver
  role_vars:
    ludus_sccm_sitecode: 123
    ludus_sccm_sitename: Primary Site
    ludus_sccm_site_server_hostname: 'sccm-sitesrv'
    ludus_sccm_distro_server_hostname: 'sccm-distro'
    ludus_sccm_mgmt_server_hostname: 'sccm-mgmt'
    ludus_sccm_sql_server_hostname: 'sccm-sql'
    # --------------------------NAA Account-------------------------------------------------
    ludus_sccm_configure_naa: true
    ludus_sccm_naa_username: 'sccm_naa'
    ludus_sccm_naa_password: 'Password123'
    # --------------------------Client Push Account-----------------------------------------
    ludus_sccm_configure_client_push: true
    ludus_sccm_client_push_username: 'sccm_push'
    ludus_sccm_client_push_password: 'Password123'
    ludus_sccm_enable_automatic_client_push_installation: true
    ludus_sccm_enable_system_type_configuration_manager: true
    ludus_sccm_enable_system_type_server: true
    ludus_sccm_enable_system_type_workstation: true
    ludus_sccm_install_client_to_domain_controller: false
    ludus_sccm_allow_NTLM_fallback: true
    # ---------------------------Discovery Methods------------------------------------------
    ludus_sccm_enable_active_directory_forest_discovery: true
    ludus_sccm_enable_active_directory_boundary_creation: true
    ludus_sccm_enable_subnet_boundary_creation: true
    ludus_sccm_enable_active_directory_group_discovery: true
    ludus_sccm_enable_active_directory_system_discovery: true
    ludus_sccm_enable_active_directory_user_discovery: true
    # ----------------------------------PXE-------------------------------------------------
    ludus_sccm_enable_pxe: true
    ludus_enable_pxe_password: yes
    ludus_pxe_password: 'Password123'
    ludus_domain_join_account: domainadmin
    ludus_domain_join_password: 'password'

Once you have your lab configured to your liking, it is just two more commands to kick off the installation:

ludus range config set -f sccm-range-config.yml
ludus range deploy

Role Configuration Details

This lab, and Ludus in general, are built on top of Ansible roles, which are a way to organize tasks, variables, files, and other resources. They can be thought of as a specific set of instructions to configure each individual server role. This SCCM lab contains seven roles:

1) disable_firewall

Disable firewall simply disables the Windows firewall on any host configured with the role. By default, all SCCM hosts disable the firewall within their individual roles, so in the default configuration this role only needs to be applied to the domain controller and the workstation.

Role variables: none

2) install_adcs

Install AD CS is for installing Active Directory Certificate Services (AD CS) and a Certificate Authority (CA) on the DC. Specifically, this is used to enable LDAPS on the DC.

Required Role variables: none

Misconfiguration Manager Prereq For:

  • Takeover 8 — Hierarchy takeover via NTLM coercion and relay HTTP to LDAP on domain controller

3) enable_webdav

Enable WebDAV installs the WebClient service on the specified host and configures the installed service to start automatically.

Required Role variables: none

Misconfiguration Manager Prereq For:

  • Takeover 8 — Hierarchy takeover via NTLM coercion and relay HTTP to LDAP on domain controller

4) ludus_sccm_distro

This role is for configuring the SCCM Distribution Point Role. It will automatically install all Windows features needed for its role in SCCM, disable the firewall, and add the Site Server machine account as a local admin.

Required Role variables:

  • ludus_sccm_site_server_hostname

5) ludus_sccm_mgmt

This role is for configuring the SCCM Management Point Role. It will automatically install all Windows features needed for its role in SCCM, disable the firewall, and add the Site Server machine account as a local admin.

Required Role variables:

  • ludus_sccm_site_server_hostname

6) ludus_sccm_sql

This role is for configuring the SCCM Site Database Role. It will automatically install all Windows features needed for its role in SCCM, disable the firewall, and add the Site Server machine account as a local admin. Additionally, it will create your designated SQL service account within Active Directory, configure it as an SQL administrator account, and install SQL Server 2022.

Role variables:

  • ludus_sccm_site_server_hostname
  • ludus_sccm_sql_server_hostname
  • ludus_sccm_sql_svc_account_username
  • ludus_sccm_sql_svc_account_password

7) ludus_sccm_siteserver

This is the most important and complicated role within this lab. This role installs the SCCM Site Server. It will automatically install all Windows features needed for its role in SCCM, disable the firewall, and configure the actual SCCM service.

Required Role Variables:

  • ludus_sccm_sitecode
  • ludus_sccm_sitename
  • ludus_sccm_site_server_hostname
  • ludus_sccm_distro_server_hostname
  • ludus_sccm_mgmt_server_hostname
  • ludus_sccm_sql_server_hostname

In addition to the required variables, there are also optional variables that can be configured to enable features within SCCM. Please see the next section for more details.

Site Server Configuration Details

NAA Accounts

To configure network access accounts (NAAs), there are three role variables under the synzack.ludus_sccm.ludus_sccm_siteserver role.

Variables:

  • ludus_sccm_configure_naa
  • ludus_sccm_naa_username
  • ludus_sccm_naa_password

To enable an NAA within your lab, set ludus_sccm_configure_naa to true and provide a username and password for the account. The account is created automatically in the Active Directory domain and configured in your SCCM installation as the site's network access account.

Misconfiguration Manager features enabled by this configuration:

  • Cred 2 — Request computer policy and deobfuscate secrets
  • Cred 3 — Dump currently deployed secrets via WMI
  • Cred 4 — Retrieve legacy secrets from the CIM repository
  • Cred 5 — Dump credentials from the site database

Client Push Account

To enable a client push account within your lab, set ludus_sccm_configure_client_push to true and define the client push account username and password. As with the NAA, the account is created automatically in Active Directory and added to your SCCM installation. The remaining variables give you granular control over the client push installation settings themselves; if you enable them, the role will automatically install the SCCM client on your domain hosts.

ludus_sccm_enable_automatic_client_push_installation

  • This variable sets whether client push will automatically install the SCCM client on discovered computers

ludus_sccm_enable_system_type_configuration_manager

  • This variable sets whether client push will automatically install the SCCM client on SCCM site system roles

ludus_sccm_enable_system_type_server

  • This variable sets whether client push will automatically install the SCCM client on discovered hosts of type “server”

ludus_sccm_enable_system_type_workstation

  • This variable sets whether client push will automatically install the SCCM client on discovered hosts of type “workstation”

ludus_sccm_install_client_to_domain_controller

  • This variable sets whether client push will automatically install the SCCM client on discovered hosts of type “domain controller”

ludus_sccm_allow_NTLM_fallback

  • If this variable is set to “true” and the site can’t use Kerberos to authenticate the client, it uses NTLM to retry the connection
  • This enables NTLM relay attack opportunities

Discovery Methods

To configure the discovery methods your SCCM installation implements, you can modify the following variables:

ludus_sccm_enable_active_directory_forest_discovery

  • If set to “true”, SCCM will discover Active Directory sites and subnets from the forests configured for discovery; the two boundary-creation variables below control whether boundaries are created from that information

ludus_sccm_enable_active_directory_boundary_creation

  • If set to “true”, SCCM will create Active Directory boundaries from AD DS discovery information

ludus_sccm_enable_subnet_boundary_creation

  • If set to “true”, SCCM will create IP address range boundaries from AD DS discovery information

ludus_sccm_enable_active_directory_group_discovery

  • If set to “true”, SCCM will discover local, global, and universal security groups, along with their membership, from specified locations in AD DS

ludus_sccm_enable_active_directory_system_discovery

  • If set to “true”, SCCM will discover computers from specified locations in AD DS

ludus_sccm_enable_active_directory_user_discovery

  • If set to “true”, SCCM will discover users from specified locations in AD DS

PXE

To configure the Preboot Execution Environment (PXE), you can modify the following variables:

ludus_sccm_enable_pxe

  • If set to “true”, PXE will be enabled

ludus_enable_pxe_password

  • If set to “true”, PXE will require a password

ludus_pxe_password

  • Sets what the password will be if enabled

ludus_domain_join_account

  • Specifies which domain account will be used to join devices to the domain in PXE. This account must already exist

ludus_domain_join_password

  • Specifies the password of the domain join account

Misconfiguration Manager features enabled by this configuration:

  • Cred 1 — Retrieve secrets from PXE boot media
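A pre-flight check for the range config, added here as an example and not part of the ludus_sccm collection: a Python linter that reads one host entry of sccm-range-config.yml with a small standard-library parser (so it runs without PyYAML; values containing “#” are not supported), verifies the required variables listed for each role above, reports which Misconfiguration Manager techniques the enabled toggles make reachable (per the notes in the NAA, client push, and PXE sections), and warns about placeholder passwords before they leave the lab. The sample entry is constructed from the host configuration shown earlier, using the naa spelling from the variables list; the placeholder-password list, the severity labels, and the mapping of automatic client push installation to Elevate 2 are assumptions for the example.

```python
"""Pre-flight lint for one ludus_sccm host entry before `ludus range deploy`.

Added example for this post, not part of the synzack.ludus_sccm collection.
Stdlib only: a line-oriented parser pulls `roles` and `role_vars` out of one
host entry (values containing '#' are not supported). Severity labels, the
placeholder-password list and the Elevate 2 mapping are assumptions.
"""
import re

# Required role variables, as documented for each ludus_sccm role in this post.
REQUIRED_VARS = {
    "synzack.ludus_sccm.ludus_sccm_distro": {"ludus_sccm_site_server_hostname"},
    "synzack.ludus_sccm.ludus_sccm_mgmt": {"ludus_sccm_site_server_hostname"},
    "synzack.ludus_sccm.ludus_sccm_sql": {
        "ludus_sccm_site_server_hostname", "ludus_sccm_sql_server_hostname",
        "ludus_sccm_sql_svc_account_username", "ludus_sccm_sql_svc_account_password",
    },
    "synzack.ludus_sccm.ludus_sccm_siteserver": {
        "ludus_sccm_sitecode", "ludus_sccm_sitename", "ludus_sccm_site_server_hostname",
        "ludus_sccm_distro_server_hostname", "ludus_sccm_mgmt_server_hostname",
        "ludus_sccm_sql_server_hostname",
    },
}

# Toggle -> Misconfiguration Manager techniques it makes reachable in the lab.
ENABLES = {
    "ludus_sccm_configure_naa": ["Cred 2", "Cred 3", "Cred 4", "Cred 5"],
    "ludus_sccm_enable_pxe": ["Cred 1"],
    "ludus_sccm_enable_automatic_client_push_installation": ["Elevate 2"],  # assumption
}
PLACEHOLDER_PASSWORDS = {"password", "password123", "p@ssw0rd", "changeme"}  # assumption


def _coerce(value: str):
    """Strip YAML quotes; map true/yes/false/no to bool; keep everything else as str."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    if value.lower() in ("true", "yes"):
        return True
    if value.lower() in ("false", "no"):
        return False
    return value


def parse_host_entry(text: str):
    """Return (roles, role_vars) from one host entry of the range config."""
    roles, role_vars, section = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if not line:
            continue
        if line in ("roles:", "role_vars:"):
            section = line[:-1]
        elif section == "roles" and line.startswith("- "):
            roles.append(line[2:].strip())
        elif section == "role_vars":
            m = re.match(r"(\w+):\s*(.*)$", line)
            if m:
                role_vars[m.group(1)] = _coerce(m.group(2))
        else:
            section = None                          # any other key ends the roles list
    return roles, role_vars


def lint(entry_text: str) -> dict:
    """Lint one host entry; findings are (severity, message) tuples."""
    roles, role_vars = parse_host_entry(entry_text)
    findings = []
    for role in roles:
        for var in sorted(REQUIRED_VARS.get(role, set()) - set(role_vars)):
            findings.append(("error", f"{role}: missing required variable {var}"))
    techniques = sorted({t for flag, ts in ENABLES.items()
                         if role_vars.get(flag) is True for t in ts})
    if role_vars.get("ludus_sccm_allow_NTLM_fallback") is True:
        findings.append(("info", "NTLM fallback on: clients that fail Kerberos retry over NTLM (relay surface)"))
    for key, val in role_vars.items():
        if "password" in key.lower() and isinstance(val, str) and val.lower() in PLACEHOLDER_PASSWORDS:
            findings.append(("warn", f"{key}: placeholder password, rotate before reuse outside the lab"))
    return {"roles": roles, "techniques": techniques, "findings": findings}


# Constructed sample, trimmed from the site server entry shown in this post.
SAMPLE_ENTRY = """\
- vm_name: "{{ range_id }}-sccm-sitesrv"
  roles:
    - synzack.ludus_sccm.enable_webdav
    - synzack.ludus_sccm.ludus_sccm_siteserver
  role_vars:
    ludus_sccm_sitecode: 123
    ludus_sccm_sitename: Primary Site
    ludus_sccm_site_server_hostname: 'sccm-sitesrv'
    ludus_sccm_distro_server_hostname: 'sccm-distro'
    ludus_sccm_mgmt_server_hostname: 'sccm-mgmt'
    ludus_sccm_sql_server_hostname: 'sccm-sql'
    # ---- NAA Account ----
    ludus_sccm_configure_naa: true
    ludus_sccm_naa_username: 'sccm_naa'
    ludus_sccm_naa_password: 'Password123'
    ludus_sccm_configure_client_push: true
    ludus_sccm_client_push_password: 'Password123'
    ludus_sccm_enable_automatic_client_push_installation: true
    ludus_sccm_allow_NTLM_fallback: true
    ludus_sccm_enable_pxe: true
    ludus_enable_pxe_password: yes
    ludus_pxe_password: 'Password123'
    ludus_domain_join_password: 'password'
"""
# Same entry with the SQL host name dropped, to exercise the required-variable check.
BROKEN_ENTRY = SAMPLE_ENTRY.replace("    ludus_sccm_sql_server_hostname: 'sccm-sql'\n", "")

if __name__ == "__main__":
    for sev, msg in lint(SAMPLE_ENTRY)["findings"] + lint(BROKEN_ENTRY)["findings"]:
        print(f"[{sev}] {msg}")
```

Run it against the entry you are about to deploy; an "error" line means `ludus range deploy` would have failed part-way through the site server role, and the "warn" lines are the passwords you will want to change the moment the same template is reused anywhere that is not an isolated range.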

Complete List of Misconfiguration Manager Features Included

Recon

  • Recon 1 — Enumerate SCCM Site Information via LDAP
  • Recon 2 — Enumerate SCCM roles via SMB
  • Recon 3 — Enumerate SCCM roles via HTTP
  • Recon 4 — Query client devices via CMPivot
  • Recon 5 — Locate users via SMS Provider

Cred

  • Cred 1 — Retrieve secrets from PXE boot media
  • Cred 2 — Request computer policy and deobfuscate secrets
  • Cred 3 — Dump currently deployed secrets via WMI
  • Cred 4 — Retrieve legacy secrets from the CIM repository
  • Cred 5 — Dump credentials from the site database

Elevate

  • Elevate 1 — NTLM relay site server to SMB on site systems
  • Elevate 2 — NTLM relay via automatic client push installation

Exec

  • Exec 1 — Application Deployment
  • Exec 2 — PowerShell script execution

Takeover

  • Takeover 1 — Hierarchy takeover via NTLM coercion and relay to MSSQL on remote site database
  • Takeover 2 — Hierarchy takeover via NTLM coercion and relay to SMB on remote site database
  • Takeover 8 — Hierarchy takeover via NTLM coercion and relay HTTP to LDAP on domain controller

Configurable Features

Using the available Ludus AD CS roles, you can integrate AD CS into your lab to perform:

Closing Thoughts and Future Goals

There are more features to SCCM than are represented in this current lab, but I hope that it can be a starting point for those looking for a lab solution type like I was. I plan on adding more features as it progresses (such as standalone SMS roles and other Misconfiguration Manager attack techniques) and I invite anyone to make updates and add additional features if you feel inclined. I believe that home labs are one of the best tools we can use as researchers and testers alike.

Be sure to check out Ludus and give a follow to Bad Sector Labs on X. Erik is truly passionate about this project and he has many more roles on GitHub you can integrate into your lab.

Also, be sure to read the corresponding Misconfiguration Manager blog: Misconfiguration Manager: Overlooked and Overprivileged by Duane Michael, Garrett Foster, and Chris Thompson. The entire repository can be found at https://misconfigurationmanager.com.

And a special thanks to Ryan Cobb for inspiration to make this lab and showing me some ansible techniques.

Please reach out to me on X or BloodHound Slack with any questions or feedback!

Zach Stein — X, GitHub, @Zach Stein on BloodHound Slack


Automating SCCM with Ludus: A Configuration Manager for Your Configuration Manager was originally published in Posts By SpecterOps Team Members on Medium.

The post Automating SCCM with Ludus: A Configuration Manager for Your Configuration Manager appeared first on Security Boulevard.

Malwarebytes Premium Security earns “Product of the Year” from AVLab

30 April 2024 at 09:39

After blocking 100% of “in-the-wild” malware samples that were deployed in multiple, consecutive third-party tests conducted by the AVLab Cybersecurity Foundation, Malwarebytes Premium Security has earned “Product of the Year.”

The recognition cements Malwarebytes Premium Security’s perfect record of repeatable, trusted, and proven protection for users. It also comes alongside an additional AVLab certification for “Top Remediation Time.”

The latest results are part of AVLab’s regular “Advanced In-The-Wild Malware Test.”

For the March 2024 evaluation, AVLab tested 459 unique malware samples against 13 cybersecurity products. Malwarebytes Premium Security detected 459/459 malware samples, with a remediation time of 20 seconds—a full 13 seconds faster than the industry average.

ThreatDown, powered by Malwarebytes, also participated in AVLab’s March evaluation, where it similarly blocked 100% of malware samples with a remediation time of 17 seconds.

Three cybersecurity vendors failed to block 100% of the malware samples deployed: Bitdefender, ESET, and Panda.

AVLab’s evaluations, which are performed every other month by a team of cybersecurity and information security experts, are constructed to test and compare cybersecurity vendors against the latest malware that is currently being used by adversaries and threat actors. To ensure that the organization’s evaluations reflect current cyberthreats, each round of testing follows three steps:

  1. Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact on networks and endpoints.
  2. Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
  3. Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”

Malwarebytes is proud to receive “Product of the Year” and “Top Remediation Time” from AVLab, and is thankful to the third-party tester for its important work in the industry.

Malwarebytes Premium blocks 100% of malware during external AVLab test

13 March 2024 at 17:56

Malwarebytes Premium earned a perfect score in the latest AVLab Cybersecurity Foundation “Advanced In-The-Wild Malware Test,” catching and stopping 100% of malware samples, outperforming multiple competitors in the field, and continuing a longstanding tradition of proven, perfect protection for users.

In the January evaluation, Malwarebytes Premium for Windows detected and blocked 380 out of 380 malware samples, with 69% (263 samples) detected “pre-launch” and 31% (117 samples) detected “post-launch.” The time to remediation was just 41 seconds—quicker than nearly every single competitor that also blocked all malware samples in the test.

For its performance and results, Malwarebytes obtained an “Excellent” award badge from AVLab.

Comprised of a small team of cybersecurity and information security experts, AVLab Cybersecurity Foundation regularly evaluates cybersecurity vendors on the performance of their products.

To ensure that the organization’s evaluations reflect current cyberthreats, each round of testing follows three steps:

  1. Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact on networks and endpoints.
  2. Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
  3. Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”

In the January evaluation, AVLab tested 12 cybersecurity products (one of which was ThreatDown, powered by Malwarebytes). Just over half of the products blocked 100% of the malware samples tested, and of those products, only one had a quicker Remediation Time than Malwarebytes Premium for Windows.

Notably, the default cybersecurity program that many users rely on—Microsoft Defender—failed to detect and block two malware samples.

The work conducted by AVLab and other independent, third-party testers is vital to a transparent cybersecurity market. Users should not have to rely solely on the words of cybersecurity vendors, and vendors should be willing to submit their products to external reviews.

Malwarebytes is proud to once again achieve a 100% score with AVLab’s Advanced In-The-Wild Malware Test, a trusted resource that proves our commitment to user safety.


New Leak Shows Business Side of China’s APT Menace

22 February 2024 at 08:27

A new data leak that appears to have come from one of China’s top private cybersecurity firms provides a rare glimpse into the commercial side of China’s many state-sponsored hacking groups. Experts say the leak illustrates how Chinese government agencies increasingly are contracting out foreign espionage campaigns to the nation’s burgeoning and highly competitive cybersecurity industry.

A marketing slide deck promoting i-SOON’s Advanced Persistent Threat (APT) capabilities.

A large cache of more than 500 documents published to GitHub last week indicates the records come from i-SOON, a technology company headquartered in Shanghai that is perhaps best known for providing cybersecurity training courses throughout China. But the leaked documents, which include candid employee chat conversations and images, show a less public side of i-SOON, one that frequently initiates and sustains cyberespionage campaigns commissioned by various Chinese government agencies.

The leaked documents suggest i-SOON employees were responsible for a raft of cyber intrusions over many years, infiltrating government systems in the United Kingdom and countries throughout Asia. Although the cache does not include raw data stolen from cyber espionage targets, it features numerous documents listing the level of access gained and the types of data exposed in each intrusion.

Security experts who reviewed the leaked data say they believe the information is legitimate, and that i-SOON works closely with China’s Ministry of Public Security and the military. In 2021, the Sichuan provincial government named i-SOON as one of “the top 30 information security companies.”

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” said Dakota Cary, a China-focused consultant at the security firm SentinelOne. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”

Mei Danowski is a former intelligence analyst and China expert who now writes about her research in a Substack publication called Natto Thoughts. Danowski said i-SOON has achieved the highest secrecy classification that a non-state-owned company can receive, which qualifies the company to conduct classified research and development related to state security.

i-SOON’s “business services” webpage states that the company’s offerings include public security, anti-fraud, blockchain forensics, enterprise security solutions, and training. Danowski said that in 2013, i-SOON established a department for research on developing new APT network penetration methods.

APT stands for Advanced Persistent Threat, a term that generally refers to state-sponsored hacking groups. Indeed, among the documents apparently leaked from i-SOON is a sales pitch slide boldly highlighting the hacking prowess of the company’s “APT research team” (see screenshot above).

i-SOON CEO Wu Haibo, in 2011. Image: nattothoughts.substack.com.

The leaked documents included a lengthy chat conversation between the company’s founders, who repeatedly discuss flagging sales and the need to secure more employees and government contracts. Danowski said the CEO of i-SOON, Wu Haibo (“Shutdown” in the leaked chats) is a well-known first-generation red hacker or “Honker,” and an early member of Green Army — the very first Chinese hacktivist group founded in 1997. Mr. Haibo has not yet responded to a request for comment.

In October 2023, Danowski detailed how i-SOON became embroiled in a software development contract dispute when it was sued by a competing Chinese cybersecurity company called Chengdu 404. In September 2020, the U.S. Department of Justice unsealed indictments against multiple Chengdu 404 employees, charging that the company was a facade that hid more than a decade’s worth of cyber intrusions attributed to a threat actor group known as “APT 41.”

Danowski said the existence of this legal dispute suggests that Chengdu 404 and i-SOON have or at one time had a business relationship, and that one company likely served as a subcontractor to the other.

“From what they chat about we can see this is a very competitive industry, where companies in this space are constantly poaching each others’ employees and tools,” Danowski said. “The infosec industry is always trying to distinguish [the work] of one APT group from another. But that’s getting harder to do.”

It remains unclear if i-SOON’s work has earned it a unique APT designation. But Will Thomas, a cyber threat intelligence researcher at Equinix, found an Internet address in the leaked data that corresponds to a domain flagged in a 2019 Citizen Lab report about one-click mobile phone exploits that were being used to target groups in Tibet. The 2019 report referred to the threat actor behind those attacks as an APT group called Poison Carp.

Several images and chat records in the data leak suggest i-SOON’s clients periodically gave the company a list of targets they wanted to infiltrate, but sometimes employees confused the instructions. One screenshot shows a conversation in which an employee tells his boss they’ve just hacked one of the universities on their latest list, only to be told that the victim in question was not actually listed as a desired target.

The leaked chats show i-SOON continuously tried to recruit new talent by hosting a series of hacking competitions across China. It also performed charity work, and sought to engage employees and sustain morale with various team-building events.

However, the chats include multiple conversations between employees commiserating over long hours and low pay. The overall tone of the discussions indicates employee morale was quite low and that the workplace environment was fairly toxic. In several of the conversations, i-SOON employees openly discuss with their bosses how much money they just lost gambling online with their mobile phones while at work.

Danowski believes the i-SOON data was probably leaked by one of those disgruntled employees.

“This was released the first working day after the Chinese New Year,” Danowski said. “Definitely whoever did this planned it, because you can’t get all this information all at once.”

SentinelOne’s Cary said he came to the same conclusion, noting that the Protonmail account tied to the GitHub profile that published the records was registered a month before the leak, on January 15, 2024.

China’s much-vaunted Great Firewall not only lets the government control and limit what citizens can access online, but this distributed spying apparatus also allows authorities to block data on Chinese citizens and companies from ever leaving the country.

As a result, China enjoys a remarkable information asymmetry vis-a-vis virtually all other industrialized nations, which is why this apparent data leak from i-SOON is such a rare find for Western security researchers.

“I was so excited to see this,” Cary said. “Every day I hope for data leaks coming out of China.”

That information asymmetry is at the heart of the Chinese government’s cyberwarfare goals, according to a 2023 analysis by Margin Research performed on behalf of the Defense Advanced Research Projects Agency (DARPA).

“In the area of cyberwarfare, the western governments see cyberspace as a ‘fifth domain’ of warfare,” the Margin study observed. “The Chinese, however, look at cyberspace in the broader context of information space. The ultimate objective is, not ‘control’ of cyberspace, but control of information, a vision that dominates China’s cyber operations.”

The National Cybersecurity Strategy issued by the White House last year singles out China as the biggest cyber threat to U.S. interests. While the United States government does contract certain aspects of its cyber operations to companies in the private sector, it does not follow China’s example in promoting the wholesale theft of state and corporate secrets for the commercial benefit of its own private industries.

Dave Aitel, a co-author of the Margin Research report and former computer scientist at the U.S. National Security Agency, said it’s nice to see that Chinese cybersecurity firms have to deal with all of the same contracting headaches facing U.S. companies seeking work with the federal government.

“This leak just shows there’s layers of contractors all the way down,” Aitel said. “It’s pretty fun to see the Chinese version of it.”
