Welcome to Memetic Warfare.

This week we’ll take a look at the two latest US indictments of Chinese threat actors: APT 27 and i-Soon, and then a look at Greynoise’s writeup of an interesting botnet.

The i-Soon indictment is the most interesting, so we’ll start with it.

The indictment starts off with some background:.

For those who want more, check out Natto Thoughts:

Natto Thoughts

Where is i-SOON Now?

One hour before we were going to publish this post, US Department of Justice unsealed an indictment charging eight i-SOON employees and highlighting the importance of companies like i-SOON in China's cyberthreat landscape…

Read more

12 days ago · 8 likes · Natto Team

We get some interesting context on MSS/MPS relations with i-Soon:

The insight into how they viewed social engineering and phishing is also interesting:

The screenshots of their software is also fun - for example, their hash cracker and Outlook inbox attack software:

As previously mentioned, they have software available for hijacking Twitter accounts:

We get some information on affiliated MPS officers:

The indictment then moves to i-Soon’s US campaign:

This is interesting and shows some unique cases of “transnational repression”, such as identifying Chinese that visited a targeted US news website, as well as at least one DDoS operation:

Other newspapers were targeted, as was the DIA and DOC:

There are a ton of other targets also in the US, Taiwan and abroad. There’s a bit more here, but on the whole, not a super fascinating indictment with just a few IoCs to investigate.

Let’s move to APT 27 and the two actors affiliated with it - Yin Kecheng and Zhou Shuai. The file itself is available here. I’ll be honest, there isn’t a ton here worth mentioning. These two actors liked to target American defense contractors for financial gain, nothing we wouldn’t expect.

We have to really dig to find any IoCs:

Beyond that, it’s mostly just the counts and some other legal points, maybe more will come out soon. I miss the previous indictments of the SDA - there was much more context there.

We’ll conclude with a brief look at a DDoS botnet, probably run by Iran/Iranian actors, that’s made headlines recently. Read Greynoise’s writeup here.

This botnet does what botnets do: scans for exposed devices, usually running open SSH or Telnet ports, takes them over when it can, and expands.

This botnet, smaller than some, have described it, runs a variant of the Mirai malware, used mainly to target IP cameras. Greynoise observed that of 1,500 IPs used by it that they looked at, the majority are non-spoofable and can be traced back to Iran:

Hacking IP cameras is a pretty low-level operation on the whole, but it serves at least two purposes.

Firstly, the exposed IoT devices (in this case mainly cameras) can be used as exit points for traffic or as nodes of an operational relay box network to mask infrastructure used for cyber operations. Cameras and IoT devices are a great choice for this as there usually is no real telemetry available on the targeted device to trace back activity.

Additionally, taking over cameras could be used as part of espionage or IO. ASA has done so in the past for IO and intelligence collection, and this campaign could serve that as well.

We’ll conclude here. Thanks for reading, and see you next week.