Attributing I-SOON: Private Contractor Linked to Multiple Chinese State-sponsored Groups

Recorded Future’s Insikt Group analysis of leaked i‑SOON (Anxun Information Technology) documents links the contractor to Chinese state‑sponsored groups including RedAlpha, RedHotel, and POISON CARP, and describes shared operational support across that ecosystem. The leak also provides historical Indicators of Compromise—domains, IPs, and email addresses—that map infrastructure relationships and reveal newly observed domain activity. #iSOON #RedAlpha

Key Points

  • Leaked documents from Anxun Information Technology (i‑SOON) reveal operational and organizational ties to Chinese state‑sponsored groups such as RedAlpha, RedHotel, and POISON CARP.
  • Insikt Group corroborated that i‑SOON acted as a private contractor and digital quartermaster, providing shared cyber capabilities across multiple espionage operations.
  • The materials indicate that stolen telecommunications data was used to track individuals, evidence of targeted espionage tradecraft.
  • Researchers observed newly created domains and infrastructure associated with i‑SOON‑linked groups after the leak, suggesting ongoing activity and infrastructure churn.
  • Appendix A lists historical Indicators of Compromise (domains, IP addresses, and email addresses) used to map connections between i‑SOON and tracked threat activity.
  • The disclosure may inform future legal and defensive actions, but i‑SOON is expected to continue operating with only limited adjustments.

MITRE Techniques

  • No MITRE ATT&CK techniques were explicitly mentioned in the article.

Indicators of Compromise

  • [Domains] Historical infrastructure linked to i‑SOON and tracked Chinese state‑sponsored groups – examples: i‑soon[.]net, gmail[.]isooncloud[.]com, and 22 more domains.
  • [IP Addresses] Infrastructure endpoints observed in the report – examples: 1.192.194[.]162, 66.98.127[.]105, and 6 more IPs.
  • [Email Addresses] Accounts attributed to individuals tied to i‑SOON personnel – examples: l3n6m0@gmail[.]com, shutdown@139[.]com, and 9 more addresses.

Insikt Group’s review of the leaked i‑SOON documents tied the contractor’s infrastructure and personnel to multiple state‑sponsored campaigns. The analysis reconstructed operational relationships by correlating historical domains, IP addresses, and email addresses found in the documents with activity already attributed to RedAlpha, RedHotel, and POISON CARP, supporting the assessment that i‑SOON acted as a digital quartermaster provisioning shared tooling and infrastructure to several groups.

The leak also documents the theft of telecommunications data for physical tracking and targeted intelligence collection. Insikt Group compiled the historical IOCs (domains, IPs, and email addresses) into Appendix A to map the referenced infrastructure; the report also notes newly observed domains and infrastructure churn among i‑SOON‑linked groups after the disclosure, indicating that their operational footprint continues to evolve.

Defenders should load the historical IOC set into log enrichment and retrospective hunting, matching on domain suffixes so that subdomains of listed domains are caught, and treat the indicators as historical: the report observed rapid infrastructure changes after the leak, so the absence of hits on these values does not rule out current activity. The compiled indicators and documented organizational links provide actionable context for attribution, threat hunting, and legal or operational follow‑up against contractor‑enabled espionage.
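As an added illustration of that recommendation (example code written for this page, not from Recorded Future or the report), the following Python refangs the IOC examples quoted above, matches domains by suffix so subdomains are caught while lookalike or parent domains are not, and runs the matcher over a few constructed DNS, proxy, and mail log lines. The log lines, host names such as updates.example.com, and user names are constructed for the example and are not from any real environment.

```python
"""Hunt for the i-SOON historical IOCs in network and mail logs.

Added example, not code from the Recorded Future report. The IOC values are
the defanged examples quoted on this page; the log lines are constructed for
illustration and do not come from any real environment.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Defanged IOC examples exactly as quoted in the summary above.
DOMAIN_IOCS = ["i-soon[.]net", "gmail[.]isooncloud[.]com"]
IP_IOCS = ["1.192.194[.]162", "66.98.127[.]105"]
EMAIL_IOCS = ["l3n6m0@gmail[.]com", "shutdown@139[.]com"]

# Constructed sample log lines (DNS, proxy, mail); not real traffic.
SAMPLE_LOGS = [
    "2024-02-20T10:01:02Z dns client=10.0.0.5 query=gmail.isooncloud.com type=A",
    "2024-02-20T10:01:03Z proxy user=jdoe dst=66.98.127.105:443 url=https://updates.example.com/",
    "2024-02-20T10:01:04Z mail from=shutdown@139.com to=analyst@example.com subject=report",
    "2024-02-20T10:01:05Z dns client=10.0.0.7 query=isooncloud.com type=A",
    "2024-02-20T10:01:06Z dns client=10.0.0.9 query=mail.i-soon.net type=A",
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value can be matched."""
    return (ioc.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("[@]", "@").replace("hxxp", "http"))


class IocMatcher:
    """Matches domains (including their subdomains), IPs and e-mail addresses."""

    _HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
    _IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
    _EMAIL_RE = re.compile(r"\b([a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

    def __init__(self, domains: Iterable[str], ips: Iterable[str], emails: Iterable[str]):
        self.domains = {refang(d) for d in domains}
        self.ips = {ipaddress.ip_address(refang(i)) for i in ips}
        self.emails = {refang(e) for e in emails}

    def domain_hit(self, host: str) -> Optional[str]:
        """Return the IOC domain that host equals or is a subdomain of, else None.

        Suffix matching on a dot boundary means isooncloud.com (the parent) and
        notisooncloud.com (a lookalike) do not match gmail.isooncloud.com.
        """
        host = host.lower().rstrip(".")
        for d in self.domains:
            if host == d or host.endswith("." + d):
                return d
        return None

    def scan_line(self, line: str) -> List[Tuple[str, str]]:
        """Return (ioc_type, ioc_value) pairs for every IOC seen in one log line."""
        hits: List[Tuple[str, str]] = []
        for m in self._EMAIL_RE.finditer(line):
            addr = m.group(1).lower()
            if addr in self.emails:
                hits.append(("email", addr))
        for m in self._HOST_RE.finditer(line):
            d = self.domain_hit(m.group(1))
            if d is not None:
                hits.append(("domain", d))
        for m in self._IP_RE.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
                continue
            if ip in self.ips:
                hits.append(("ip", str(ip)))
        return hits


def build_matcher() -> IocMatcher:
    """Matcher loaded with the IOC examples quoted on this page."""
    return IocMatcher(DOMAIN_IOCS, IP_IOCS, EMAIL_IOCS)


def scan_logs(matcher: IocMatcher, lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_index, ioc_type, ioc_value) for every hit, in log order."""
    results: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        for kind, value in matcher.scan_line(line):
            results.append((idx, kind, value))
    return results


if __name__ == "__main__":
    for idx, kind, value in scan_logs(build_matcher(), SAMPLE_LOGS):
        print(f"line {idx}: {kind} IOC {value}")
```

The matcher deliberately keys on the refanged value rather than a substring search: line 3 (isooncloud.com) produces no hit because only gmail.isooncloud.com is listed, while line 4 (mail.i-soon.net) does hit because it is a subdomain of i-soon.net. In production, pair hits with a first-seen date and reserve alerting for the newly observed domains the report describes, since the historical set is most useful for retrospective hunting.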

Read more: https://www.recordedfuture.com/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups