Full Report
Internal files describe a training platform as part of a large integrated system designed to allow attackers to practice hacking replicas of “the real network environments” of China’s “main operational opponents in the South China Sea and Indochina directions.”
# Analysis Summary
The provided article focuses on a *training platform* used by a state actor and the activities surrounding its development and exposure, rather than focusing on a specific, previously identified threat actor group or campaign against victims. Therefore, the summary will be structured around the entity responsible for creating and presumably using this training capability (identified as Chinese state actors) and the platform itself.
***
# Threat Actor: Chinese State-Affiliated Cyber Operations (Training Focus)
## Attribution & Identity
* **Primary Actor:** Implied Chinese State Cyber Operations (Attribution suggested by the content and target environment focus).
* **Developers/Vendors:** The training platform, "Expedition Cloud," was developed by a company named **CyberPeace (赛宁网安)**, which has documented links to the Chinese government and military.
* **Potential Sponsoring Agencies:** Unspecified, but experts suggest possibilities include units of the People’s Liberation Army (PLA) or regional bureaus of the Ministries of Public Security and State Security.
* **Known Aliases/Groups:** Not specified, as this focuses on preparatory infrastructure rather than an established intrusion group.
## Activity Summary
The core activity described is the preparation and rehearsal of sophisticated cyberattacks using a dedicated, secret training platform named **“Expedition Cloud.”**
* This system allows operators to practice hacking replicas of the **"real network environments"** of China’s main operational opponents.
* The platform evaluates the work of **“reconnaissance groups”** and **“attack groups.”**
* The materials were leaked via an unsecured FTP server, originating from a developer’s infected personal device.
## Tactics, Techniques & Procedures
The description focuses on the *planning and practice* phase, emphasizing the systematic nature of the preparations:
* System design pointing toward **greater use of Artificial Intelligence (AI)** in future cyber operations.
* Structured evaluation of **reconnaissance** and **attack group** performance.
* Focus on executing attacks against **critical infrastructure scenarios**.
* Evidence includes review of **incremental patches** and **realistic debugging work** related to achieving objectives on the simulated targets.
* *Specific MITRE ATT&CK IDs are not mentioned.*
## Targeting
* **Sectors:** Critical infrastructure, specifically replicas of environments in:
  * Power systems
  * Energy transmission systems
  * Transportation systems
  * Smart home infrastructure
* **Geography:** China's “main operational opponents in the **South China Sea and Indochina directions**.” Specific countries/entities are not explicitly named but implied by the regional focus.
* **Victims:** No specific victim organizations targeted in active campaigns are described; the focus is on **simulated target networks** within the training environment.
## Tools & Infrastructure
* **Platform Name:** Expedition Cloud (part of a larger integrated system).
* **Developer:** CyberPeace (赛宁网安).
* **Malware:** The developer’s infected device contained **"several types of malware,"** although names are not provided.
* **Infrastructure:** The materials were exposed due to an **unsecured FTP server** used to collect data from a developer's device.
* *Defanged URLs/IPs:* The only infrastructure referenced is the FTP server through which the materials leaked; it is not attack infrastructure used for external operations.
## Implications
* Provides "rare documentary insight" into the offensive cyber preparation efforts of the Chinese state, contradicting public denials of conducting cyberattacks.
* The existence of a dedicated, sophisticated platform suggests planned, rehearsed operations that could grant a significant advantage over adversaries who must improvise in real-time.
* Indicates a strategic shift toward integrating AI into offensive cyber planning and execution.
## Mitigations
* Cybersecurity defenses should assume targeted adversaries are practicing attacks against environments mimicking critical infrastructure sectors (Power, Energy, Transportation).
* Focus hardening efforts on network environments that approximate the intended targets (e.g., operational technology (OT) networks, control systems).
* Given the reported focus on structure and rehearsal, detection engineering should prioritize identifying reconnaissance activity and operational staging indicative of pre-planned, systematic intrusions rather than opportunistic attacks.