The operational arm of the Chinese cybersecurity firm I-Soon compromised government organizations, NGOs, and think tanks in a 2022 campaign, ESET reports.
I-Soon (Anxun Information Technology) is a private contractor linked to the Ministry of Public Security, China’s top policing agency, and its operational arm, tracked as FishMonger, Earth Lusca, TAG‑22, Aquatic Panda, and Red Dev 10, reportedly carries out cyber operations in line with Beijing’s interests.
Following a dump of documents from the Chinese company last year, the US in early March indicted ten I-Soon employees for acting as “hackers-for-hire”, responsible for breaching emails, databases, and corporate systems.
Their victims, the US said, included US federal and state agencies, such as the Department of the Treasury, human rights activists, journalists, and Chinese pro-democracy dissidents abroad.
Now, ESET reveals that I-Soon’s employees hacked seven organizations in Taiwan, Hungary, Turkey, Thailand, the US, and France in 2022, as part of a campaign dubbed Operation FishMedley.
The cybersecurity firm attributes the attacks to FishMonger, an espionage team within I-Soon, which falls under the Winnti Group umbrella and likely operates out of Chengdu, China.
ESET’s analysis of the intrusions revealed that the attackers had privileged access inside the victims’ local networks, performed manual reconnaissance, used Impacket to deliver implants and move laterally, and dumped the LSASS process for credential extraction.
Tools employed in these attacks include the ShadowPad, Spyder, and SodaMaster backdoors, the RPipeCommander implant, and various tools for network scanning, password extraction, and data exfiltration.
While ShadowPad, Spyder, and SodaMaster have been detailed in previous reports, RPipeCommander is a newly identified reverse shell that uses multiple threads and which accepts three commands via the named pipe.
Based on these, it can create a command prompt process and bind pipes to it to send commands, write a command in the existing CMD process, and exit the CMD process. It can also read the output of the commands written in CMD.
According to ESET, however, the analyzed RPipeCommander sample is only the server component, and a second component acting as a client is likely used to send commands from another system on the local network.
“During 2022, we investigated several compromises where implants such as ShadowPad and SodaMaster, which are commonly employed by China-aligned threat actors, were used. We were able to cluster seven independent incidents for this blogpost and have named that campaign Operation FishMedley,” ESET notes.
Related: China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days
Related: China Hackers Behind US Treasury Breach Caught Targeting IT Supply Chain
Related: How China Pinned University Cyberattacks on NSA Hackers
Related: China Targeted Foreign Investment, Sanctions Offices in Treasury Hack: Reports
