In February, an unauthorized public disclosure gave the cybersecurity community an unprecedented look into some of the adversarial tools and tactics leveraged by the Chinese government, as well as specific campaigns and capabilities deployed against international companies and governments.
The data came from a private Chinese company called iSoon, also known as Auxun, which sold its tools and services to multiple Chinese government entities. The leak comprises documents and chat logs largely from 2022; while informative, it is incomplete in terms of in-depth technical details and evidence. However, a 44-page whitepaper included within it provides a very interesting look at a tool used to manage and carry out cyber operations: the integrated operations platform (一体化作战平台). The following provides selected highlights and our analysis of this platform's claimed capabilities, design, and features based on the available information. (Screenshots below are taken directly from the dump. We wanted to provide them "as is" for context and have described the interesting elements in text to compensate for the low resolution.)
The following are some key takeaways of the integrated operations platform:
The integrated operations platform is an offensive cyber campaign management platform developed by iSoon, used by the company in its own campaigns, and sold to the Ministry of Public Security (MPS). A single platform allows its users to standardize and improve service integration, resource efficiency, team collaboration, and platform security.
The platform consists of two applications (an internal and an external application) split between two private networks, with a firewall segmenting the two. The internal application is referred to as the integrated operations intranet platform (一体化作战内网平台) and the external application is referred to as the integrated operations extranet platform (一体化作战外网平台). The two applications look very similar but have distinct functionalities and roles. The internal network consists of the internal application and Command and Control (C2) terminals that send encrypted commands to external C2 terminals over an encrypted out-of-band connection. The external application and its private network are used to hide the identity of operators and to direct attack campaigns through anonymously registered virtual private servers (VPS), purchased from potentially unwitting hosting providers so that attack activity hides in the noise. The external application manages the VPSs, payloads, and exploits, as well as the link generation used for a cyber campaign. Connections to the internet are anonymized through a proxy layer (likely Tor or a similar service) before reaching the target host, concealing the operators' tracks.
The primary user of this platform is the TZ cyber unit in the MPS. TZ is noted in the leaked documents as an abbreviation for "special detective/reconnaissance" (特侦 or 特别侦察), based on the following context:
The following is an old recruitment article available on Sohu.com for the 2018 Special Detective Unit of the Xinjiang Public Security Bureau that references this type of unit's title:
The whitepaper also states that the external network of the platform cannot contain any personally identifiable information (PII). Below are a few of the prohibited types of PII, including "public security officer number":
This indicates that the platform is likely used by the MPS for offensive cyber operations and that its users want to prevent any potential vectors for identification and attribution.
The whitepaper indicates that the platform follows various "best practice" security design principles to ensure its integrity, such as data-at-rest and data-in-transit encryption, periodic security testing, system and vulnerability monitoring, and patching. However, the most interesting security elements are the anti-reconnaissance design features in the external network components, including:
Self-destruct functionality also appears to be a common feature of previously identified Chinese spyware used to target dissidents:
The intranet platform appears to primarily focus on mission and resources management. It maintains a community knowledge base and its own security sandbox environment for analysis of retrieved files.
The internal application offers task management that lets leaders (superiors) create, review, approve, (re)assign, comment on, and distribute missions to operators. The following is a screenshot of the create mission page, which contains these input fields: mission name, description, mission duration, mission template, teams (each city can have multiple teams), and assigned servers:
The next screenshot is a mission detail dashboard with the following tabs across the top: mission information, notes, file management, vulnerability, access permission, and server. Note that the data on this page is mock data used to demonstrate the product:
Missions (tasks) can be approved or denied by superiors and can be assigned to, and carried out by, different teams across different cities:
The platform also contains scoring management functionality that can award points for each completed mission and display points earned by each operator for performance review purposes.
The dashboard can also provide statistical data and analysis to the superior on the operator’s area of expertise and resources assigned to each mission.
The techniques and tactics, skills, tools usage, and experiences of operators can be shared and catalogued in the internal knowledge base built into the internal platform. The following screenshot is the techniques and tactics knowledge base tab:
The categories shown in the techniques and tactics knowledge base tab of the screenshot above (starting from the top left) are: web application penetration, internal network penetration, terminal penetration, anti-reconnaissance/detection, web application control and bypass, vulnerability discovery and exploitation, data analytics, evasion, password cracking, intelligent analysis, and network reconnaissance. The whitepaper does show an actual knowledge base page, but the text visible in the screenshots consists of mock data.
The extranet platform is primarily a cyber operational management platform used by the operators to carry out attack operations. It provides operators the ability to deploy, manage, and securely decommission the VPS used in cyber campaigns, manage the tools and exploits used by operators, and keep track of mission notes, vulnerabilities, and servers.
The weapon management feature is an arsenal warehouse that allows operators to import, search, display, and keep track of their tools. It also has versioning functionality to keep copies of older tools and manage updates. The whitepaper does not discuss which tools are available to, or used by, the iSoon and MPS teams.
Both the internal and external applications have their own security sandbox environments for identifying potential malware in tools or in files/data retrieved from a target. The weapon sandbox environment on the external application offers the same capability as the internal security sandbox environment; the latter is used to inspect stolen data transmitted back to the internal application, to guard against honeypot attacks or trojans. The sandbox environment capabilities include:
* The whitepaper spells PCAP incorrectly as "PACP".
The integrated operations platform documentation provides a glimpse into how cyber operations are run by a foreign adversary and how it coordinates and manages its team, business, and infrastructure. This blog post only summarizes the highlights and interesting facts from the whitepaper; it is not a comprehensive translation and analysis of the original document.