China Surveillance Company Hacked

Last week, someone posted something like 570 files, images and chat logs from a Chinese company called I-Soon. I-Soon sells hacking and espionage services to Chinese national and local government.

Lots of details in the news articles.

These aren’t details about the tools or techniques, more the inner workings of the company. And they seem to primarily be hacking regionally.

Posted on February 27, 2024 at 7:03 AM • 5 Comments

Comments

echo February 27, 2024 8:33 AM

A lot of security issues are really “security” issues. The gadgets and maths are a distraction because it’s really a governance and social problem. Pervasive surveillance can also work both ways. I get the feeling people miss that. The articles themselves are an exercise in pointing a bigger telescope at a dust cloud and discovering more… dust, or knowing more and more about less and less. Hold that thought.

I’ve commented on organisations and systemic discrimination issues this week along with a view on the psychology and limits of mindsets. Not a ripple off anyone although I did get shouted at by one person. I think my thesis that people (in the electronic and information security industry) can’t context switch is close enough. And people wonder why they can’t attract women into STEM jobs or the security industry. I have read articles by men advocating for more women in STEM and security and the poor dears don’t get that they can actually be off-putting. It’s why organisations or fields need prominent women to attract other women. Why? Men and women psychologically work to different security models which you’d think science and security would get but they don’t. Hey, ho.

A high profile lobbyist for US/Russian/Etcetera dark money just compromised themself. A bit like S.P.E.C.T.R.E. in the Bond movie there was an operative in the room. Encryption didn’t save them as the operative had indirect access to the plaintext. The information has been exfiltrated. A report will be made public soon. And yes all perfectly legal before I get shouted at again.

Chatham House is noted in one article. I linked to one Chatham House online panel discussion on security and gender. Not a peep out of anyone because nobody gets the subject nor do they realise its significance.

Authoritarian states are 99% male dominated and male designed and male policed from top to bottom. By mostly legacy organisations continuing to engage with them you give them legitimacy so they’re just going to do this more and more. It seems especially prevalent with dogmas or cultures where life is cheap or at least indirectly commoditised. You will also note they tend to be from an intelligence point of view more “dark”.

Listening to Judith Butler’s essays she has a fairly consistent bio-social-security model underpinning her talks. Men go “Huh” (because men…). It’s indicative that linking human rights and development to economic and social interaction can work and that has implications for a purely “security” and “sanctions” response as well as the self-serving business orientated con job called “lend lease”.

Case in point: Afghanistan. The war was lost before it began because top leadership thought bombs and electronic surveillance was it. The Taliban just OODA looped their way under the bar at a local and pervasive level. Everyone pulled out of a country which wasn’t very confident in itself and betrayed the people who fought for them and women. So now we have a gang of men running around with guns to the point where they’re paranoid about women daring to wear (gasp) jeans. Women are now scared to go out and because nobody is shopping the economy is collapsing further and the intelligence picture is darker than a dark thing. No techno thrill and no go through the motions intelligence gathering. No leaks. Nothing.

The post war international security model has failed. That makes me think more effort should be put into (hold onto your hats) something new like, oh I don’t know, gender not just as a technology or social tool as Judith Butler advocates but gender as a security technology.

At least that’s my theory… I know nobody listens but we’ll be here in ten years time with everyone making out like they invented it. In twenty years time it will be policy. Fifty years time commonly accepted practice.

Clive Robinson February 27, 2024 8:34 AM

@ Bruce,

“These aren’t details about the tools or techniques, more the inner workings of the company.”

Still it is funny in an ironic way, they appear to have been as Shakespeare put it[1],

“Hoist by their own petard”

Shame there is a lack of technical info on either the tools or the way the attackers got in and data out.

But the thought that arises, due to the nature of what’s been released, have you considered it might be a business rival?

[1] It’s in his “Hamlet” play and has become quite proverbial,
https://en.m.wikipedia.org/wiki/Hoist_with_his_own_petard

A petard is not an ordinary explosive device, it was custom engineered by what we would now call a “demolition expert” to exploit a found vulnerability in the defenses of a bastion or similar. So quite fitting all around.

Clive Robinson February 27, 2024 10:16 AM

@ Bruce,

Don’t say you were not warned about actions and consequences.

As once noted,

“Vetulae mulieres pro ultimo verbo improbe.”

lurker February 28, 2024 5:18 PM

@Cybershow
“Security is love”

Confucius said “It is only the truly virtuous man, who can love, or who can hate, others.”[1]

Mozi said “When those trusted are not loyal and the loyal are not trusted, this is the sixth worry;”[2]

Chinese life has been guided for the past two and a bit millennia by these and similar philosophers. In the Meiji restoration the Japanese followed the hint of Commodore Perry and experienced in one human generation an industrial revolution that had taken Europe two centuries. The Chinese waited another hundred years before they too rapidly modernised. But note that in 1980 the business of information security had only just begun even in the West so a Chinese infosec firm cannot be expected to have the family traditions and loyalty underpinning firms in other sectors.

This particular leak verifies our suspicions about Chinese activities, but there is some speculation on whodunnit? The five duties of universal obligation[3] might seem to rule out an insider, but it could be possible given current youth unemployment, a struggling post-covid economy, and the ongoing campaign against corruption in high levels. If it was an outsider then it reflects badly on I-Soon’s opsec, not guarding against the very flaws they exploit in others.

It is also ironic given the company’s name means “Information Security”. In the anglicised version, “soon” is the southern Chinese pronunciation of the character in the company’s name 洵 (pinyin xún) which means true, indeed. Curiously, given the Chinese predilection for puns, the character 询 (also xún) means to ask, consult, gather information; the character 恂 (also xún) means honest, sincere; and the character 郇 (also xún) is a surname. Using an uppercase “I” rather than the common “i”-thing, suggests an attempt at English punning by a possible Mr Xun involved with the company.

[1] Analects 4.3

[2] Mozi 5.1 (The Seven Causes of Anxiety)

[3] Confucius, Doctrine of the Mean 20.8
