Malicious Apprentice | How Two Hackers Went From Cisco Academy to Cisco CVEs
Dakota Cary

10 December 2025, 13:55

Executive Summary

  • Salt Typhoon, first reported in September 2024, compromised over 80 telecommunications companies globally, facilitating an expansive intelligence collection effort that included intercepting unencrypted calls and texts, and breaching lawful intercept (CALEA) systems.
  • The operation is tied to Yuyang (余洋) and Qiu Daibing (邱代兵), co-owners of companies named in the cybersecurity advisory and who worked closely to file patents and orchestrate the attacks.
  • The hackers’ history traces back to the 2012 Cisco Network Academy Cup, where they excelled as students from a poorly-regarded university.
  • The episode suggests that offensive capabilities against foreign IT products likely emerge when companies begin supplying local training and that there is a potential risk of such education initiatives inadvertently boosting foreign offensive research.
  • In markets where foreign firms are given a fair shake at competition, these initiatives still make sense. As China seeks to delete American-made IT from its tech stacks, these initiatives may present more risk than reward.

First publicly reported in September 2024, Salt Typhoon’s campaign is now known to have penetrated more than 80 telecommunications companies globally. The group’s campaign collected unencrypted calls and texts between US presidential candidates, key staffers, and many China-experts in Washington, DC.

However, Salt Typhoon’s collection activity went beyond those intercepts. Systems embedded in telecommunications companies for CALEA, which facilitates lawful intercept of criminals’ communications, were also breached by Salt Typhoon. A recent Joint Cybersecurity Advisory published by the U.S. and more than 30 allies sheds light on how Salt Typhoon came to penetrate global telecommunications infrastructure.

All of that high-tech novelty disguises a tale as old as time: skilled master trains apprentice, apprentice masters skills with tutelage, apprentice usurps the master owing to some core ideological difference between the two that festers over time. Gordon Ramsay’s feud with Marco Pierre White, Anakin’s rise under Obi-wan Kenobi, and Mao Zedong’s study of communism under Chen Duxiu all fit the mold.

This report adds Yuyang (余洋) and Qiu Daibing (邱代兵), and their history with the Cisco Networking Academy, to the list of master-apprentice-turned-rivals narrative arcs.

From Students to Operators

Qiu Daibing and Yuyang appear in various reports on companies named in the Salt Typhoon cybersecurity advisory. Both Qiu and Yu are co-owners of Beijing Huanyu Tianqiong, and Yu is also tied to another Salt Typhoon connected company, Sichuan Zhixin Ruijie. Qiu and Yu worked closely, filing patents together for work done at Beijing Huanyu Tianqiong.

Through their work at these firms, they hacked more than 80 telecommunications companies, facilitating one of the most expansive intelligence collection efforts of the last decade.

Person: Qiu Daibing
  • Beijing Huanyu Tianqiong (Shareholder 45%, held through Sichuan Kala Benba Network Security Technology Company)

Person: Yu Yang
  • Sichuan Zhixin Ruijie (Supervisor, Shareholder 50%)
  • Beijing Huanyu Tianqiong (Shareholder 55%)

Qiu and Yu’s personal history extends back at least 13 years before their companies would be named in the Cybersecurity Advisory.

In 2012, the same names, Qiu Daibing and Yu Yang, appeared on different teams in the Cisco Network Academy Cup, both representing their school, Southwest Petroleum University. Yu Yang’s team would win second place in Sichuan. Qiu Daibing’s team took first prize and eventually won third place nationally.

List of Cisco Network Academy Cup winners from Southwest Petroleum University

The data suggests this is not just a name collision and a case of mistaken identity. A database of 1.2 billion Chinese last names from 1930 to 2008 compiled by Bruce H. W. S. Bao at East China Normal University finds the last name “Qiu” (邱) is used by 0.27% of China’s population.

A second database of 30,282,623 first names from 1920-2019 shows a frequency of the first name “Daibing” (代兵) at a rate of 0.000845%. In other words, there are approximately 3,194 “Qiu Daibings” in China, or 0.000228% of the population. Yu Yang is a much more common name, so is less useful for trying to de-duplicate these characters.

Qiu Daibing’s LinkedIn profile

Qiu Daibing helpfully created a LinkedIn account. His education confirms that this person is the same Qiu Daibing who won the Cisco Network Cup competition as a SWPU student in 2012. But his employer is listed as Ruijie Network Company, not Sichuan Zhixin Ruijie. Why?

Qiu likely selected this much larger, well-known networking company in China with a partial name match simply because Sichuan Zhixin Ruijie is not a verified employer on LinkedIn. Although Qiu Daibing is not listed in corporate records as a shareholder of Sichuan Zhixin Ruijie, that absence of evidence does not preclude him from having been an employee at his friend Yu Yang’s company.

Alternatively, it is far less likely that two people with the same name, in the same province, in the same line of work, work at companies which have a partial name match. The odds of that happening? Even less than 0.000228%.

This, combined with other circumstantial evidence, like their alma mater being located in the same province as the companies registered to individuals of the same names, their career trajectories being related to the same field of study, and the apparent enduring relationship between the two across patent and corporate registration data, suggests that the Qiu Daibing and Yu Yang associated with the companies in the Salt Typhoon CSA are almost certainly the same Cisco Cup winners from 2012.

The World is Flat and Anyone Can Cook

The Cisco Network Academy began in 1997 and entered China’s market in 1998. Among the content covered in the Cisco Networking Academy were many of the products Salt Typhoon exploited, including Cisco IOS and ASA Firewalls.

Of course, a product training academy educating students on the company’s wares is hardly surprising. More notable is the fact that two students from a regional university with limited recognition in IT and cybersecurity education participated in the Cisco Network Academy and went on to run one of the most expansive collection operations against global telecommunications firms ever detected and disclosed publicly.

Southwest Petroleum University is not a beneficiary of China’s efforts to professionalize and harmonize the country’s offensive cyber talent pipeline. SWPU is a Double First-Class institution, meaning the university is in the top 150 schools in the country, but it has relatively few accolades for its cybersecurity and information security programs.

The Ministry of Education’s China Academic Degrees and Graduate Education Development Center gives the school’s Computer Science and Technology degree its lowest rating of C-. The school’s software engineering program scores a few points higher with just a C rating.

Qiu Daibing and Yu Yang are all the more remarkable given SWPU’s apparently unremarkable cybersecurity education.

The duo’s participation in Cisco Network Academy and excellence in the Cisco Academy Cup, given the lack of excellent education at their alma mater, underlines what the author considers one of the best parts of the cybersecurity community–as the line from Ratatouille goes, “Anyone can cook.”

Cisco Network Academy has trained more than 200,000 students in China since the roll out of its program in the late 90s. No doubt that other graduates have gone on to participate in offensive operations against its products, but the vast majority do not. The program itself is not cause for concern, nor should participation in it be construed as such.

Lessons from the Kitchen

Instead, the episode of Qiu and Yu should highlight to defenders, policymakers, and the offensive hacking community a few key findings. First, offensive cyber capabilities against foreign-made IT products likely extend back to whenever those companies entered the market and began supplying training to locals. As a result, China likely had some offensive capabilities against Cisco products by the early 2000s. This dynamic exists for most countries where such training takes place, not just the PRC.

Second, hiring processes for cybersecurity roles should emphasize demonstration of technical competencies, similar to coding interviews for software engineers, as the university degree may itself be a modest indicator of potential success in the workplace. China does an excellent job emphasizing hands-on learning for cybersecurity students. Other countries should follow suit.

Finally, some offensive teams may benefit from putting employees through similar product academies offered by firms manufacturing targeted products–like Huawei’s ICT academy.

Conclusion

Like other master-apprentice rivalries, the betrayal of Qiu and Yu was based on ideology and, ultimately, nationality. Qiu and Yu are not an oddity; they are evidence of a world in which today’s students can become tomorrow’s rivals with little more than time, opportunity, and a different notion of whose security they serve.

Their path to attacking Cisco products also raises the spectre of more widespread capability against western ICT products than previously acknowledged. Throughout the 1990s and 2000s, the PRC pushed the line of “China’s peaceful rise” with the help of influence operations of the Ministry of State Security. With money on their mind and a rapidly growing market, most western technology companies set up shop in China and moved to train new talent on their products and systems. The result was a boon to sales and growth over the following 20 years.

Only in hindsight, and with the story of Qiu and Yu, can security researchers now see how those efforts may have incidentally boosted offensive researchers. Microsoft’s sharing of source code with the MSS has long been touted as a Faustian bargain by the security community. Education initiatives fall short of such acclaim, but may come to present more risk than return as the Chinese Communist Party remakes the country’s computer networks with home-grown technology–as the Delete America document makes clear is their goal.

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.

China’s Covert Capabilities | Silk Spun From Hafnium
Dakota Cary

30 July 2025, 07:00

Executive Summary

  • SentinelLABS identified 10+ patents for highly intrusive forensics and data collection technologies that were registered by companies named in U.S. indictments as working on behalf of the Hafnium threat actor group.
  • These technologies offer strong, often previously unreported offensive capabilities, from acquisition of encrypted endpoint data, mobile forensics, to collecting traffic from network devices.
  • Our research explores the relationships between indicted hackers, ownership of the firms they are associated with, and the relationships those firms have with several government entities who conduct offensive cyber operations on behalf of China.

Overview

In July 2025, the Department of Justice (DOJ) released an indictment of two hackers, Xu Zewei and Zhang Yu, working on behalf of China’s Ministry of State Security (MSS) that sheds new light on the People’s Republic of China’s (PRC) contracting ecosystem. The indictment outlined that Xu and Zhang worked for two firms previously unattributed in the public domain to the Hafnium (aka Silk Typhoon) threat actor group. Hafnium has a long history of attacks against defense contractors, policy think tanks, higher education, and infectious disease research institutions, with an exceptionally prolific 2021 campaign that exploited several 0-day vulnerabilities in Microsoft Exchange Server (MES). Hafnium’s history of exploits and 0-day use, combined with its targets and observed campaigns, make it one of China’s best APTs.

This research resulted in three key findings.

  1. We identified previously unobserved or unreported offensive tooling owned by Hafnium-associated companies named in U.S. indictments. The tooling raises questions about these firms’ on-going work in support of the MSS and illustrates how difficult attribution is. The company holds at least one patent on software designed to remotely recover files from Apple computers, which has not been documented as a capability used by Hafnium or any related threat actor groups.
  2. The DOJ indictment provides new insights into the tiers of relationships between hackers and their customers. This report raises important questions about the extent to which the MSS and its regional offices offer operational support to its contracted hackers.
  3. Our research delves into several companies tied to the indicted Hafnium-affiliated hackers and documents their relationships. Importantly, the report finds evidence of multiple companies registered by one of the defendants, and dozens more by an associate.

This new insight into the Hafnium-affiliated firms’ capabilities highlights an important deficiency in the threat actor attribution space: threat actor tracking typically links campaigns and clusters of activity to a named actor. Our research demonstrates the strength in identifying not only the individuals behind attacks, but the companies they work for, the capabilities those companies have, and how those capabilities fortify the initiatives of the state entities who contract with these firms.

An organization chart for people and businesses known to be associated with Hafnium

Hafnium’s Impact

It’s rare for a hacking team to behave so recklessly that it changes a country’s foreign policy and unifies the E.U., U.K., and U.S. into speaking with one voice, but Hafnium wouldn’t be famous if they hadn’t done that. And, actually, they didn’t do it.

Hafnium gained fame following the revelation of their stealthy access to U.S. Government emails through an MES vulnerability known as ProxyLogon, which came to light in March 2021. But the group is often wrongly blamed for what happened next. The name Hafnium became associated with the wider abuse of the ProxyLogon vulnerabilities that followed the original Hafnium activity as lesser tier threat groups flooded the zone with exploitation attempts to opportunistically deliver payloads ranging from espionage to ransomware.

Microsoft alerted its Microsoft Advanced Protection Program partners to some POC code on February 23. This program provides some select cybersecurity companies early access to powerful new exploits, so they can better defend their customers. Five days later on February 28th, new Chinese state-affiliated and criminal hacking groups began exploiting the vulnerability at an immense scale. It remains unclear how exactly the exploit proliferated ahead of the patch. The longer tail of the problem arises from the prevalence of webshells littered by each attacker’s use of ProxyLogon. These groups left shells on vulnerable servers allowing access to these servers even after the vulnerability itself was patched. The situation was so dire that the DOJ received its first court authorization for the FBI to remove these shells en masse from compromised servers.

The rapid dissemination and exploitation of the vulnerability led the U.S., U.K., and E.U. to issue their first ever joint statement condemning PRC actions in cyberspace in July 2021. The statement roiled CCP policymakers who had previously fended off such joint decrees by convincing one E.U. state to reject such declarations. Because the E.U. requires unanimous consent for foreign policy statements, the fallout from the wanton abuse of the vulnerability upended China’s foreign policy success.

The joint statement so perturbed CCP policymakers that the country launched an offensive public opinion campaign against U.S. hacking operations that continues today. Before the July 2021 joint statement, the PRC did not coordinate cyber threat intelligence publications with state propaganda outlets. Following the statement, a pattern emerged of coordinated private-sector CTI reports, English-language propaganda pieces, and statements by the PRC Ministry of Foreign Affairs. SentinelOne published a report detailing this change in February 2024 and the findings of that report are corroborated by a textbook on cybersecurity published by a committee of experts in China. China now regularly releases propaganda pieces alongside cyber threat intelligence reports–the change was completely prompted by the success the U.S. had in unifying the European Union behind a joint statement, which was itself enabled by China’s behavior.

Hafnium’s False Start or The Less Capable Cluster?

Following an intrusion into U.S. Treasury systems that came to light in late 2024, the Department sanctioned one of its alleged hackers, Yin Kecheng (尹可成). The Treasury sanctions announced in January 2025 were quickly followed by a March DOJ indictment of Yin and a business associate, Zhou Shuai (周帅). Two separate indictments were released for Yin in March. The first document is dated 2017 and only Yin is named as the defendant. The second indictment is dated 2023 and lists both Yin and Zhou.

Zhou Shuai, aka Coldface, is a first-generation patriotic hacker from China with a storied history of corporate registrations and work for the state. The March 2025 indictment of Zhou and Yin indicates that Zhou brokered the sale of Yin’s work through iSoon, a company whose internal chats and corporate records were leaked online in early 2024. Leaked chats showed iSoon executives considering a merger and acquisition of Zhou’s Shanghai-based company. iSoon executives also chastised Zhou for being a mere broker.

The DOJ press release for the indictments indicates that Yin’s and Zhou’s activities were tracked under various naming conventions and clusters, including Silk Typhoon. Microsoft updated the group’s alias from Hafnium to Silk Typhoon in 2022.

DOJ press release summary listing the Hafnium group’s aliases

As of March 2025, Hafnium apparently consisted of a Shanghai-based company, Shanghai Heiying Information Technology Company (上海黑英信息技术有限公司), run by Zhou Shuai, which collaborated with Yin Kecheng in some fashion.

Hafnium and Other Elements

Following the indictment of Xu Zewei and Zhang Yu released in July 2025, the number of people alleged to work for Hafnium grew to four and the number of companies involved grew to three. The DOJ maintains that Xu Zewei and Zhang Yu worked at the “direction” of the Shanghai State Security Bureau (SSSB). Xu Zewei completed his tasking while working at Shanghai Powerock Network Company (上海势岩网络科技发展有限公司); Zhang Yu worked at Shanghai Firetech Information Science and Technology Company (上海势炎信息科技有限公司).

This “directed” nature of the relationship between the SSSB and these two companies contours the tiered system of offensive hacking outfits in China.

Other capable analysts adeptly delve into Shanghai Powerock, so this report focuses on Zhang Yu’s company, Shanghai Firetech. Far from being an offensive shop procuring initial access and intelligence in the hopes of finding a willing buyer, as in the case of i-Soon, Shanghai Firetech worked on specific tasking handed down from MSS officers. The indictment maintains that Zhang Yu “supervised hacking activity, including that of other Firetech personnel in support of such [SSSB] taskings, and coordinated hacking activities with fellow hacker XU.” This indicates that Shanghai Firetech and co-conspirators earned an on-going, trusting relationship with the MSS’s premier regional office, the SSSB.

China experts and law enforcement distinguish between China’s operational structures. At the lowest tier of the contracting ecosystem are bottom feeders, like i-Soon. That company’s leaked files and U.S. indictment of their employees show a firm stuck in low-paying contracts with poor morale, and often subcontracting to bigger, better firms. A step up from i-Soon might be its prime contractor and competitor, Chengdu404, whose founders were also indicted. Chengdu 404 has stable business, works from multiple offices, and at one point was China’s most prolific APT. The tier of contractors the Chinese government holds closest are actors like Xu Zewei and Zhang Yu. But the MSS has not completely abandoned state-run operations. Past DOJ indictments show that other MSS offices do indeed use front companies. The Hubei State Security Department established Wuhan Xiao Rui Zhi (Wuhan XRZ) in 2010 as a front company for state operations.

You’re My Favorite Deputy

The peculiarities of Hafnium’s MES exploitation campaign raise questions about the relationship between the SSSB and its contractors. Hafnium began exploiting MES vulnerabilities in January 2021. The exact date Hafnium’s campaign began is unclear, but the month is itself enough to raise eyebrows. On January 5, 2021, OrangeTsai tweeted he had found an incredibly powerful pre-auth RCE vulnerability, later confirmed to be the same MES vulnerabilities exploited by Hafnium. How did Hafnium come to exploit those vulnerabilities in the same month that OrangeTsai found them?

Theories swirled that Hafnium had compromised devices of employees working on inbound vulnerability reports at Microsoft. Other attention turned to the researcher’s personal security. As a resident of Taiwan, international conference attendee, and among the most talented vulnerability researchers with a public persona, it would not be inconceivable that Hafnium had itself hacked into OrangeTsai’s devices and stolen the vulnerabilities during his research phase.

But Zhang and Xu’s close relationship with the SSSB raises the possibility that the Bureau collected OrangeTsai’s research themselves, either through an insider at Microsoft, a close-access operation against OrangeTsai, or some other collection method, and then passed the vulnerabilities to Xu and Zhang. A DOJ indictment shows the Guangdong State Security Department passing malware to its contracted hackers: had the SSSB done something similar?

Before Shanghai

How Zhang Yu and Shanghai Firetech came to work for the SSSB remains unclear. Before moving into offensive hacking, Zhang Yu co-founded a company, Shanghai Weiling Information Science and Technology Co. (上海微令信息科技有限公司), whose smartphone application Campus Command (校园司令) aimed to connect college students with local events and information at universities across China. But, as with all investigations, that is perhaps not the whole story. Zhang Yu co-founded Campus Command with the CEO and legal representative of Shanghai Firetech, Yin Wenji (尹文基). The two associates were joined by a third person, Peng Yinan (彭一楠). Campus Command was, until 2016, a subsidiary of Xin Kai Pu (新开普), a company whose shares are publicly traded on the stock exchange in Shenzhen. When Xin Kai Pu divested its shares, Peng, Yin, and Zhang moved their holdings into a privately held company offering business consulting services, Shanghai Siling Commerce Consulting Center (上海司领商务咨询中心). Peng now holds shares in at least 25 companies registered in China.

A 2015 talk by Yin Wenji, the eventual founder of Shanghai Firetech and co-founder of Campus Command, raises questions about his offensive capabilities while working at the university-focused company with the indicted Zhang Yu.

Yin spoke at the Central University of Finance and Economics program for cybersecurity. His 2015 talk advertised his ability to recover files from Apple Filevault five years before his new company would file for patent protection on a tool capable of collecting files from Apple computers.

Description of Yin Wenji’s 2015 talk at the Central University of Finance and Economics

The talk description translates to:

“In this speech, the author will sort out some methods and directions of forensics on Apple electronic products, and propose new ideas for some technical difficulties such as Mac computer firmware passwords and FileVault full disk encryption technology, and will demonstrate the latest research results.”

Silk Bandolier

There is good reason to believe only some of Shanghai Firetech’s activities have been uncovered or made public by defenders. Hafnium rose to prominence in 2021 following the exploitation of four 0-day vulnerabilities in Microsoft Exchange Servers. Subsequent publications demonstrate the group is responsible for cracking a host of firewalls and network appliances. Intellectual property rights filings by Shanghai Firetech indicate an arsenal of tools not publicly attributed to Hafnium thus far. Shanghai Firetech filed for patents on a number of forensics technologies with clear applications as offensive capabilities including

  • “remote automated evidence collection software”
  • “Apple computer comprehensive evidence collection software”
  • “router intelligent evidence collection software”
  • “computer scene rapid evidence collection software”
  • “defensive equipment reverse production software”

While Hafnium’s observed capabilities check some of these generic boxes, no one has previously reported the group’s capabilities against Apple devices.

Shanghai Firetech technology patents

More recent patent filings from Shanghai Firetech, combined with the company’s history of working with the SSSB, suggest the company holds capabilities that may be useful in HUMINT operations. Capabilities like “intelligent home appliances analysis platform (2),” “long-range household computer network intelligentized control software (6),” and “intelligent home appliances evidence collection software (23)” could support close access operations against individuals. Other recent patents demonstrate that the firm still supports offensive cyber operations, such as “specially designed computer hard drive decryption software (13),” “remote cellphone evidence collection software (21),” or “network information security actual confrontation practice software (24).”

More recent Shanghai Firetech technology patent filings

Shanghai Firetech relationships with MSS offices beyond just the Shanghai Bureau may explain why some patented capabilities have not been observed to be associated with Hafnium tradecraft. While no public tenders or contracts were found, Shanghai Firetech likely offers offensive services to additional customers beyond Shanghai. The company maintains a subsidiary in Chongqing, Chongqing Firetech (重庆势炎信息科技有限公司). Chongqing Firetech is likely larger than its Shanghai-based mothership. In the summer of 2018, Chongqing Firetech opened positions for up to 25 college interns, including for a third office in Nanchang. Shanghai Firetech, by contrast, only paid insurance benefits on 32 full-time employees. It is unclear whether the absence of Chongqing Firetech from the indictment indicates that the company was not involved in activity attributed to the Hafnium cluster.

Conclusion

The combination of leaked chat logs from iSoon, the March 2025 indictments of Yin Kecheng and Zhou Shuai, and the July 2025 indictment of Xu Zewei and Zhang Yu indicates that the Hafnium cluster consisted of at least three different companies. At least two of those persons, Xu Zewei and Zhang Yu, and their respective companies, Shanghai Powerock Network Co Ltd. and Shanghai Firetech Information Science and Technology Co Ltd, worked under the direction of the Shanghai SSB. Yin Kecheng likely worked alongside Xu and Zhang, though in what capacity, as an employee, subcontractor, or jointly-tasked by the SSSB, is unclear. Although Zhou Shuai is observed trying to sell Yin’s work through i-Soon, it is unknown what of Yin’s work, access, or tooling Zhou was trying to push.

The variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon publicly. The findings underline the difficulty in successfully attributing intrusions to the organizations responsible for them. The capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium, despite being owned by the same corporate structure. It is possible that none of the tooling uncovered by this report was ever deployed in offensive operations. Tooling for the remote control of home appliances, home computer networks, decryption of files, and remote mobile forensics does have commercial defensive applications. That said, we reasonably expect those tools to be advertised if sold for defensive purposes, and no such collateral exists.

Threat actor designations and naming conventions track clusters of behavior, not the organizations carrying out operations. Successful attribution resolves a campaign back to its actual operators, like Hafnium or Fancy Bear. This report finds there are very likely other campaigns and activities tracked under different names which can be attributed to Shanghai Firetech. Their absence from the DOJ indictment of Zhang Yu and Xu Zewei may reflect a balance of equities on the part of the FBI, releasing in the indictment only what is popularly recognized as Hafnium and meets relevant legal thresholds while privately retaining intelligence of the company’s other campaigns and tooling.

Censorship as a Service | Leak Reveals Public-Private Collaboration to Monitor Chinese Cyberspace

Executive Summary

  • SentinelLABS has analyzed a data leak containing infrastructure details and work logs from employees of a state-affiliated private sector security firm in China.
  • The leaked data contains references to web content monitoring services used to enforce censorship for public and private sector customers.
  • Work logs reveal that the firm provided bespoke monitoring services to a state-owned enterprise when a corruption scandal impacted this organization, providing insights into how the state and CCP coordinate with some cybersecurity companies to manage fallout from corruption scandals.

Overview

SentinelLABS has analyzed a data leak from TopSec (北京天融), a Chinese cybersecurity firm offering services such as Endpoint Detection & Response (EDR) and vulnerability scanning, while offering boutique solutions to align with government initiatives and intelligence requirements.

The data leak includes a document with 7,000+ lines of work logs and code used to orchestrate infrastructure for the firm’s DevOps practices and downstream customers and includes scripts that connect to several Chinese government hostnames, academic institutions and news sites.

We identified work logs and system features that indicate TopSec is likely enabling content moderation for internet censorship purposes, a key strategy used by the Chinese Communist Party (CCP) to monitor and control public opinion on issues that the state deems contentious or antisocial.

Further, we found evidence indicating that TopSec provided bespoke services to a state-owned enterprise on the date that a corruption investigation was announced targeting the organization’s top official.

The Chinese cybersecurity market has long been a mystery for many researchers in the West. Unlike Europe and parts of the Middle East, which foster some degree of collaboration, the Chinese cybersecurity market is obscured behind the wall that divides China from the global internet. This finding reveals not only the types of technologies used by a prestigious Chinese tech firm, but how it provides security services to private and public sector customers inside China.

TopSec

TopSec is a provider of monitoring and IT security solutions, as well as big data and cloud services. Established in 1995, TopSec prides itself on its long history and prioritizes national cyberspace security as a core element of its mission statement.

Company registration details reveal that TopSec holds over 1,000 patents, 87 software copyrights, and has 12 subsidiaries. The company is also a Tier 1 vulnerability supplier to China’s civilian intelligence ministry. According to TopSec’s 2024 annual corporate report for shareholders, the company has been offering cloud monitoring services–including IT security monitoring capabilities–since 2004. By 2020, these TopSec services were in use across all 31 of China’s administrative regions.

Description of TopSec services

TopSec’s 2024 annual corporate report (Source)

The leaked documents we analyzed reference multiple organizations in both the private and public sectors, likely customers of or otherwise associated with TopSec, a selection of which is listed below. These references include probable deployment sites of monitoring probes and mentions in work-progress records.

Public sector organizations referenced in the documents include entities integral to China’s political system, such as the Municipal Commissions for Discipline Inspection, which enforce party regulations and investigate corruption. Another example is the Illegal and Harmful Information Reporting Center, an entity dedicated to combating what the Chinese Communist Party (CCP) considers illegal and harmful behavior in the online space. TopSec customers referenced in these documents include:

  • Dongwu Fund Management Co., Ltd
  • Gucheng County Petition Bureau
  • Illegal and Harmful Information Reporting Center
  • Linhai Rural Commercial Bank
  • Petkit
  • Shanghai Diepai Automobile Technology Co
  • Shanghai Fengyilong Electronic
  • Shanghai Medical Packaging Materials Factory
  • Shanghai Municipal Commission for Discipline Inspection
  • Shanghai Municipal Supervisory Commission
  • Tibet Autonomous Region
  • Tibet Autonomous Region Committee of the Communist Party of China
  • Wuhu Discipline Inspection and Supervision Network

We observed references to three projects associated with Bureaus of the Ministry of Public Security in the northeastern city of Dandong, as well as the Songjiang and Pudong districts of Shanghai, with the latter project referred to as the “Cloud Monitoring Service Project”. The Ministry of Public Security is responsible for maintaining public order and overseeing law enforcement and surveillance activities to ensure compliance with national regulations.

[2024-2025 Shanghai Public Security Bureau Pudong Branch Cloud Monitoring Service Project (Phase II)]
The statistics of events that occurred today are as follows:
Aggregated events: 883 Valid: 129 Invalid: 672 On-hand: 82
Single events: 5637 Valid: 187 Invalid: 2781 On-hand: 2669
In terms of event volume, it is basically the same as that of our competitors.

A public procurement announcement for the “Cloud Monitoring Service Project” suggests that it involves monitoring the security posture and content of websites under the Bureaus’ jurisdiction, with alerts issued in case of security breaches or policy violations. TopSec was likely involved in the bidding process alongside competitor companies. Public documents, however, show TopSec did not win the contract.

Contract announcement for Cloud Monitoring Service Project (Source)
Procurement announcement for Cloud Monitoring Service Project (Source)

Infrastructure Features

We identified this leak as a submission to a multi-scanner platform that triggered a rule looking for common abuse activities associated with Kubernetes. The main file we analyzed (SHA-1: 1bccef07ad0348e326248fe321259e2bd8f8cf8b) contains numerous work logs, each a description of the work performed by a TopSec employee and the amount of time the task took, often accompanied by scripts, commands, or data related to the task.

Example of work logs from the file along with English translation

In addition to work logs, the leak contains many commands and playbooks used to administer TopSec’s services via multiple common DevOps and infrastructure technologies that are used worldwide, including Ansible, Docker, Elasticsearch, GitLab, Kafka, Kibana, Kubernetes, and Redis. There are many artifacts showing JSON data for web APIs used by TopSec services. There are also network configurations, SSH and port mapping commands with hardcoded credentials, which present a huge security risk should anyone obtain access to the environment–and would likely provide access to TopSec’s downstream customers as well.

Ansible commands from leaked file used to access infrastructure

The leaked file is very large, disorganized, and the formatting is inconsistent, which complicates analysis. It is highly likely that we have not identified all capabilities outlined in the leak. Our analysis approach focused on translating the Chinese language content, identifying known technologies, and identifying interesting references in the commands and API JSON artifacts, particularly those where there were upticks in work logs performed around specific dates documented in the work logs or web API data.

The data leak includes a file that starts with infrastructure management code, including some that initializes several Docker images to enable security monitoring related features. These containers run probes, which are likely used for network monitoring. We are unable to fully assess the capabilities of these containers without access to them. However, the containers are run with flags such as `--privileged` and `--net host` that suggest deep access to the monitored data. This may indicate the probes inspect network traffic or perform privileged tasks in the deployment environment.
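As an added example (not TopSec’s code or anything taken from the leak), the following Python audit parses `docker run` command lines of the kind found in playbooks and reports the options that give a container host-level access. The option list and the sample probe command are constructed for illustration.

```python
import shlex
from typing import Dict, List

# `docker run` options that take a separate value, so that "--net host" is
# parsed the same way as "--net=host". Constructed list of the common ones;
# extend it if your playbooks use others.
VALUE_OPTS = {"--net", "--network", "--pid", "--ipc", "--cap-add", "--cap-drop",
              "-v", "--volume", "--mount", "--name", "-p", "--publish",
              "-e", "--env", "-u", "--user", "--security-opt", "--device"}

# Capabilities that by themselves give near-host control.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}

def parse_docker_run(cmd: str) -> Dict[str, List[str]]:
    """Return {option: [values]} for the options of a `docker run` line.
    Boolean flags such as --privileged map to an empty list."""
    argv = shlex.split(cmd)
    if argv[:2] != ["docker", "run"]:
        raise ValueError("not a docker run command: %r" % cmd)
    opts: Dict[str, List[str]] = {}
    i = 2
    while i < len(argv) and argv[i].startswith("-"):
        tok = argv[i]
        if "=" in tok:                      # --net=host, --env=K=V
            key, val = tok.split("=", 1)
            opts.setdefault(key, []).append(val)
        elif tok in VALUE_OPTS:             # --net host
            opts.setdefault(tok, []).append(argv[i + 1])
            i += 1
        else:                               # -d, --privileged, -it
            opts.setdefault(tok, [])
        i += 1
    return opts

def host_exposure(cmd: str) -> List[str]:
    """Reasons a container started by `cmd` would have deep host access."""
    opts = parse_docker_run(cmd)
    findings = []
    if "--privileged" in opts:
        findings.append("privileged: all capabilities and host devices")
    if "host" in opts.get("--net", []) + opts.get("--network", []):
        findings.append("host network: sees every host interface and port")
    if "host" in opts.get("--pid", []):
        findings.append("host pid namespace: can inspect host processes")
    for vol in opts.get("-v", []) + opts.get("--volume", []):
        src = vol.split(":", 1)[0]
        if src == "/var/run/docker.sock":
            findings.append("docker socket mounted: can drive the host daemon")
        elif src == "/":
            findings.append("host root filesystem mounted")
    for cap in opts.get("--cap-add", []):
        if cap.upper() in RISKY_CAPS:
            findings.append("cap-add %s: near-root capability" % cap.upper())
    return findings

# Constructed command in the style of the leaked probe launches, not a real one.
PROBE_CMD = ("docker run -d --privileged --net host --name probe-01 "
             "-v /var/run/docker.sock:/var/run/docker.sock example/probe:latest")

if __name__ == "__main__":
    for reason in host_exposure(PROBE_CMD):
        print("FLAG:", reason)
```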

Deeper in the file, there are work logs which contain dates indicating when certain tasks were performed and notes from the TopSec staff who worked on specific infrastructure projects. One project referenced repeatedly is called Sparta or Sparda, with the spelling changing regularly. Notes from the TopSec staff indicate that Sparta handles sensitive word processing, an indication of censorship keyword monitoring.

On a technical level, Sparta is a framework that uses GraphQL APIs to receive content from downstream web applications. Work logs indicate that TopSec migrated from a system called Apollo, which is plausibly a reference to Apollo-GraphQL, an open-source framework offered by a company based in San Francisco. The work logs also indicate that Sparta is equipped to process Chinese language characters. This suggests that TopSec likely developed Sparta as an in-house solution that is tailored to the localized needs of TopSec’s customers and does not rely on a US-based solution.

Additionally, we observed a note indicating that detection alerts considered severe are likely distributed to internal teams via WeChat for prioritized handling. WeChat is a widely-used messaging and social media platform in China, known for its broad range of features, including messaging, social networking, and payment services. Its integration into daily life makes it an essential tool for communication and business operations within the country.

Severe monitoring events are sent to corporate WeChat

Since WeChat operates under Chinese regulations, there are significant implications regarding data privacy and government access. Under Chinese laws, such as the Cybersecurity Law, companies like Tencent, which owns WeChat, are required to cooperate with government entities, allowing them to access data when requested.

Web Content Monitoring

Our analysis found that TopSec’s capabilities include web content monitoring, as indicated by references to a service called Website Monitoring Service and detection events with internal identifiers prefixed with Web, such as WebTamper, WebHiddenLink, WebAvailHttp, WebDns, WebTr, and WebSensitive.

This feature of the platform is likely part of what would have been proposed in response to the bid issued by the Shanghai Pudong Bureau for the “Cloud Monitoring Service Project”, offering the Bureau tools to monitor website security and content as part of their broader surveillance and compliance efforts.

Inspect website monitoring-related services
[ . . . ]
[2024-06-12T18:00:00 to 2024-06-12T22:00:00 Event volume: 553]
WebSensitive 56
WebTamper 149
WebHiddenLink 348

While the exact logic behind how the Web events are triggered remains unclear, the event names and metadata present in the documents provide insight into the purpose of some of these events. For instance, the WebAvailHttp event is likely triggered when a website is considered unavailable due to its response time (measured in milliseconds as respTimeMs in the figure below) exceeding a predefined threshold (respThresholdMs).

Metadata on the WebAvailHttp event

Further, the WebHiddenLink event is likely triggered when web content contains hidden links — links that obscure their destination or mislead users, posing a security risk. Examples include links concealed within small or transparent elements, deceptive anchor text, and styling tricks that make links appear as plain text.

The WebHiddenLink event
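An added illustration, not TopSec’s Sparta code, of how two of these events could be derived: a WebAvailHttp check comparing respTimeMs to respThresholdMs, and a WebHiddenLink detector that walks a page’s HTML for anchors hidden by their own style, by an ancestor, or by having no visible text. The event schema, the 3000 ms default threshold and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional

def avail_event(resp_time_ms: Optional[int], threshold_ms: int) -> Optional[dict]:
    """WebAvailHttp-style event: None if the site answered within threshold_ms."""
    if resp_time_ms is not None and resp_time_ms <= threshold_ms:
        return None
    return {"type": "WebAvailHttp", "respTimeMs": resp_time_ms,
            "respThresholdMs": threshold_ms}

# Inline styles that make an element (and any link inside it) invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(px)?\b"
    r"|opacity\s*:\s*0(\.0+)?\b|(width|height)\s*:\s*[01]px", re.I)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}   # never get an end tag

class HiddenLinkFinder(HTMLParser):
    """Collect <a> elements hidden by style, by an ancestor, or with no visible text."""
    def __init__(self) -> None:
        super().__init__()
        self.stack: List[bool] = []        # per open element: is it hidden?
        self.current: Optional[dict] = None
        self.links: List[dict] = []
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        own = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self.stack.append(own or any(self.stack))   # inherit ancestor hiding
        if tag == "a":
            self.current = {"href": a.get("href") or "", "text": "",
                            "hidden": self.stack[-1]}
    def handle_data(self, data):
        if self.current is not None:
            self.current["text"] += data
    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.stack:
            self.stack.pop()
        if tag == "a" and self.current is not None:
            link, self.current = self.current, None
            if link["hidden"] or not link["text"].strip():
                self.links.append(link)

def web_events(url: str, html: str, resp_time_ms: Optional[int],
               threshold_ms: int = 3000) -> List[dict]:
    """Events a monitor would raise for one fetch of url (assumed event schema)."""
    events = []
    avail = avail_event(resp_time_ms, threshold_ms)
    if avail:
        events.append(dict(avail, url=url))
    finder = HiddenLinkFinder()
    finder.feed(html)
    for link in finder.links:
        events.append({"type": "WebHiddenLink", "url": url, "href": link["href"]})
    return events

# Constructed page: one visible link plus three hidden ones of the kinds described.
SAMPLE_HTML = """<html><body><p>Welcome. <a href="/about">About us</a></p>
<div style="display:none"><a href="http://spam.example/casino">casino</a></div>
<a href="http://spam.example/loan" style="font-size:0px">loans</a>
<a href="http://spam.example/pills"></a></body></html>"""
```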

Web Content Monitoring | Sensitive Words

The WebSensitive event is likely triggered when web content contains so-called sensitive words (敏感词 in Simplified Chinese). These words are related to political criticism, violence, or pornography, and are central to China’s domestic Internet censorship efforts aimed at ensuring compliance with government policies. Detecting the presence of such words in web content helps prevent the dissemination of information considered inappropriate or harmful by PRC authorities.

Assist the product to check for missed scans and manual analysis and marking errors of sensitive word events

TopSec’s ability to detect sensitive words demonstrates the impact that state policies related to the cyber domain have on the design and implementation of monitoring solutions developed by the private sector in China. These policies shape the strategies and technologies used to monitor, filter, and control online content, ensuring that IT systems comply with governmental regulations and censorship guidelines.

WebSensitive alerts may be used by private sector organizations to monitor user-generated content on their websites in order to trigger actions such as issuing warnings, deleting content, or restricting access when sensitive words are detected. Government entities may also consume these alerts to track the presence of sensitive words on their own websites or across broader online spaces to enforce compliance with national censorship regulations. For example, the latter may have been an objective of the previously mentioned “Cloud Monitoring Service Project” by the Shanghai Pudong Bureau of the Ministry of Public Security.

We observed a task list indicating a focused effort to ensure consistent monitoring for sensitive words between 7:00 AM and 8:00 AM on the 14th (converted from GMT to China Standard Time), with the month and year not specified. The preceding document content suggests that the reference is to September 2023. One item in the task list instructs verification of the availability and capacity of sensitive word detection capabilities during this period, while another item records the forwarding of ‘asset identifiers’ for collected ‘validated events’ to an individual named Zhao Nannan (赵楠楠). The task list issuing this instruction very likely includes a typo stating the validated events were from 7:00 AM to 10:00 PM on September 14.

1. Plan the probe deployment plan for the web split emergency milestone launch 3h
2. Check the number of agents for sensitive words between 23:00 on the 13th (GMT) and 14:00 at 00:00 (排查敏感词13日23点到14点0点之间的代办数量) 2h
3. Check cloud baseline 500 errors 1h
4. Collect asset identifiers of valid events on the 13th and provide them to Zhao Nannan 1h
5. Check the task execution failure of ipv6 probe 1h

Document excerpts indicating sensitive web content actions in September 2023

The identification of an individual named Zhao Nannan as the likely recipient of this information, alongside the context of the monitoring effort, leads us to conclude with moderate confidence that this effort was in response to political events in Shanghai.

We identified a woman named Zhao Nannan as having worked at the 3rd Bureau of the Ministry of Public Security in Shanghai, which is responsible for network security and technical investigations. Our observations presented earlier in this post suggest close ties between Shanghai-based Bureaus of the Ministry of Public Security and TopSec, one example being TopSec’s participation in a project bidding process launched by the Shanghai Pudong Bureau.


Employment affiliation of Zhao Nannan (Source: LinkedIn)

However, Zhao Nannan no longer works for the MPS 3rd Bureau in Shanghai. According to an online announcement from the Shanghai State-owned Assets Supervision and Administration Commission (SASAC), Zhao Nannan was one of six successful applicants to SASAC for a network security role. The announcement even references her past role at the MPS 3rd Bureau. Congratulations are due to her, as she scored the highest among the applicants for the role–恭喜!


Zhao Nannan’s role at Shanghai SASAC (Source)

On the morning of September 14th, when Zhao Nannan received alerts for sensitive content, her new employer announced on its WeChat account that the head of the Shanghai SASAC, Bai Tinghui, was under investigation for corruption. The news was quickly picked up by the South China Morning Post, Caixin, and other news-reposting blogs in China. The Shanghai government itself confirmed the investigation into Bai Tinghui and his subsequent dismissal one month later.

News coverage on Bai Tinghui’s investigation (Source)
Government confirmation of Bai Tinghui’s dismissal (Source)

Because the Shanghai SASAC posted the news on WeChat, we know that the investigation itself was not subject to censorship. The lack of complete censorship regarding the investigation raises questions about what “validated events” would have been reported to Zhao Nannan following the announcement.

Currently, only five webpages of the Shanghai SASAC still mention Bai Tinghui. All five pages also mention Bai leading a Party study session on Xi Jinping Thought. It’s unclear why only these pages mentioning Bai Tinghui remain–perhaps his tarnished reputation is outshone by Xi Jinping: it may be hard to delete a webpage with Xi Jinping’s name on it, even if it is accompanied by a corrupt local official.

Search results that still show Bai Tinghui’s name on SASAC website

Intriguingly, the organization that is responsible for investigating the fallen Bai Tinghui, the Shanghai Municipal Commission for Discipline Inspection, is listed among TopSec’s customers in the tooling.

The downfall of Bai Tinghui and the resulting use of Beijing TopSec’s tooling for coordinated monitoring of politically sensitive content shines a light on the important role cybersecurity companies can play in Chinese politics. The CCP has long acknowledged that “If our party cannot traverse the hurdle represented by the Internet, it cannot traverse the hurdle of remaining in power for the long term.” This episode provides a compelling example of how corruption investigations expand to rely on the institutions of those being investigated and the cybersecurity companies that service them.

Conclusion

These leaks yield insight into the complex ecosystem of relationships between government entities and China’s private sector cybersecurity companies. While many countries have significant overlap between government requirements and private sector cybersecurity firms, the ties between these entities in China are much deeper and represent the state’s grasp on managing public opinion through online enforcement.

The September 2023 situation in Shanghai provides insight into how local and national government interests are enforced through private sector partnerships. The CCP’s strategy of controlling information is multifaceted and requires significant investment in resources that enable the monitoring and alteration of content that citizens engage with. While there are still many unknown factors regarding how such censorship is applied, these findings yield insights into how collaboration occurs between the government and other entities in China.

The nature of how this data was leaked remains unclear, but the materials show that TopSec engineers were documenting their work in a highly granular way that included entire commands used to perform the outlined tasks. Considering the types of information in this leak, organizations should evaluate how their systems and infrastructure engineers are logging work. Proper credential management is essential to securing sensitive environments. Infrastructure engineers should rely on a secrets manager that integrates with the CI/CD pipeline rather than running commands from playbooks that include hardcoded credentials. This results in only variable names being stored in commands instead of sensitive credentials and lowers the likelihood that an unexpected disclosure could result in further compromise.
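One way to check work logs and playbooks for the problem described above, as an added example rather than anything from the leak or from TopSec: a scanner that flags credentials embedded in shell commands and YAML keys but passes over secrets-manager, vault and environment-variable references, which is what a playbook should contain instead. The patterns and the sample excerpt are constructed.

```python
import re
from typing import List

# Where a credential can sit in the kinds of commands and playbooks the leak held.
# Constructed patterns; each captures the secret in a group named "secret".
CRED_PATTERNS = {
    "sshpass": re.compile(r"sshpass\s+-p\s*['\"]?(?P<secret>[^\s'\"]+)"),
    "redis":   re.compile(r"redis-cli\b[^|;&]*\s-a\s+['\"]?(?P<secret>[^\s'\"]+)"),
    "mysql":   re.compile(r"\bmysql\b[^|;&]*\s-p['\"]?(?P<secret>[^\s'\"]+)"),
    "url":     re.compile(r"://[^\s:/@]+:(?P<secret>[^\s@/]+)@"),
    "ansible": re.compile(r"ansible_(?:ssh_|become_)?pass(?:word)?=['\"]?(?P<secret>[^\s'\"]+)"),
    "yaml":    re.compile(r"^\s*(?:password|passwd|secret|token|api_key)\s*:\s*['\"]?(?P<secret>[^\s'\"]+)", re.I),
}

def is_reference(value: str) -> bool:
    """True for values resolved at run time (env var, Jinja/vault lookup, placeholder)."""
    return value.startswith(("$", "{{", "%(", "<"))

def scan(text: str) -> List[dict]:
    """Return one finding per hardcoded credential, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in CRED_PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group("secret")
                if is_reference(secret):
                    continue
                findings.append({"line": lineno, "kind": kind,
                                 "redacted": line.replace(secret, "<REDACTED>")})
    return findings

# Constructed work-log excerpt in the style described; not lines from the leak.
SAMPLE = """\
# port-forward to the cache host and check it
sshpass -p 'Pa55w0rd!' ssh ops@10.0.0.7 -L 6379:127.0.0.1:6379
redis-cli -h 10.0.0.5 -a hunter2 ping
ansible all -i hosts -m ping -e "ansible_password=Topsecret1"
mysql -h db01 -uroot -pS3cret -e 'show databases'
db_url: redis://default:s3cr3t@10.0.0.9:6379/0
password: "{{ vault_db_password }}"
token: $API_TOKEN
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("line %d [%s]: %s" % (f["line"], f["kind"], f["redacted"]))
```

The last two sample lines are the shape a playbook should take once secrets come from a vault or the CI/CD environment: only the variable name is stored, so the scanner stays quiet on them.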
