A Chinese company engaged in cyberintelligence operations in a number of countries has also operated in Kazakhstan, according to the Center for Analysis and Investigation of Cyberattacks (TSARKA).
Secret data from the company iSoon (also known as Anxun) were published by unknown persons. The company is a contractor of China’s Ministry of Public Security. There are also rumors that iSoon is linked to Chengdu 404, China’s notorious cyberintelligence structure also known as APT41.
“The leak sheds light on the forms and methods of Chinese intelligence, which include infiltrating and obtaining information. The attackers targeted both general information, such as databases, and pinpointed information of specific individuals: monitoring correspondence, calls and movement. Data analysis showed that the volume of stolen information is measured in terabytes,” TSARKA reported.
Cyberattacks were launched against the infrastructure of a number of countries, among them Kazakhstan. The hacker group had access to the infrastructure of the Kazakhstani telecom operators Kcell, Tele2, Beeline and others for two years. The hackers had access to the operators' event logs, call durations, device IMEIs and call billing records. The leak includes files with information about the telecom operators' subscribers. The attackers also held user data from IDNET and IDTV, including subscribers' personal data, their logins and passwords, and even per-subscriber logs detailing all calls and activity.
Furthermore, data from Kazakhstan’s Unified Accumulative Pension Fund (JSC UAPF), information on the mail server of the Kazakh Ministry of Defense, and data from airline Air Astana were also among those accessed by iSoon.
TSARKA found screenshots of correspondence between members of the cybercriminal group, in which they discussed the hacked subscribers and their information. Investigations revealed that targeted attacks were also carried out on employees of law enforcement agencies.
“The Trojan Horse (malware) could pull out all host information, manage processes, files (view, delete, execute, modify), execute commands (CMD operations), take screenshots, record every button pressed on the keyboard, and more. The authors claim that 95% of antivirus programs will not be able to detect this trojan, including Kaspersky, Symantec and others. At the same time, the Trojan Horse is able to uninstall and restart on its own,” TSARKA claims.
Moreover, the hackers had a macOS version of the trojan. They could also control iOS and Android devices, although the iOS functionality was much more limited than the Android one. In addition, the hackers had Linux versions and an implantable Wi-Fi device.
TSARKA noted that the Chinese group had access to Kazakhstan's data for at least two years. TSARKA suggested creating an independent cybersecurity agency: its experts believe that as long as the information security committee is subordinate to the Ministry of Digitalization, the structures of the state will remain vulnerable.
The Unified Accumulative Pension Fund denies any knowledge of a data breach concerning ordinary Kazakhs. “UAPF, in connection with the spread of information on the network about the leakage of personal data of Kazakhstanis from the database of the EAPF, which was allegedly posted by unknown persons in documents on the GitHub site, makes an official statement that this does not correspond to reality. The security services of the EAPF conducted a detailed analysis of the data posted on the GitHub site. As a result, it was found that the published catalog contains only a description of the enpf.kz website. At the same time, the site is an open source of information and does not contain personal data of depositors and recipients,” the UAPF said in a statement.