A newly uncovered internal software platform sheds rare light on how China’s security apparatus controls information leakage inside its own government networks. The system, known internally as 保密管理系统, or Confidentiality Management System, is deployed across government workstations to monitor documents, restrict data movement, and enforce strict internal security policies.
The leaked materials and recovered software components reveal a centrally managed compliance and surveillance platform designed not to protect users from malware or external attackers, but to prevent state employees from leaking, mishandling, or extracting sensitive information. The system operates as a digital enforcement layer across Windows workstations used by government departments, security bureaus, and affiliated institutions.
While only partial access to the system was possible, analysis of decompiled executables, configuration files, and network behavior provides a clear picture of its purpose and design. What emerges is a tool built to address one of the Chinese state’s deepest concerns: insider risk.
Inside the 保密管理系统 Leak
The software analyzed originates from an internal Chinese government deployment dating to at least August 2019, based on timestamps embedded in compiled components. The product was developed by Super Red Technologies, also known as Wanlihong Technologies, a known contractor for Chinese government and security agencies. It is designed primarily for Windows 7 and Windows XP environments, which remain common in legacy government networks.
Researchers were able to install the base client but could not fully activate the system due to missing credentials, server authorization, and required hardware tokens. Despite this limitation, significant insight was gained through static and dynamic analysis. This included reverse engineering of executable files and DLLs, inspection of configuration and policy files, and observation of outbound network behavior.
The system appears to be designed for long-term deployment in controlled environments. It does not rely on stealth, obfuscation, or covert persistence. Instead, it presents itself openly to the user, reinforcing awareness that activity is monitored and subject to oversight.
A Centralized Workstation Control System
At its core, 保密管理系统 is a modular client platform composed of multiple cooperating processes. Rather than a single monolithic application, it uses separate executables and shared libraries to handle networking, supervision, file analysis, and enforcement.
The central coordination process oversees system health and ensures that critical components remain active. If a worker process crashes or is terminated, it is restarted automatically. This design ensures resilience and continuous operation even if individual modules fail.
A dedicated networking component maintains persistent communication with a government-controlled command server. Communication is conducted using XMPP over TLS, suggesting a design optimized for structured command exchange rather than bulk data transfer. Through this channel, supervisors can issue instructions, retrieve data, and enforce policy remotely.
An initial launcher process is responsible for starting and maintaining all major components. This process also appears to expose a local proxy interface, though that functionality could not be activated in the test environment.
Access to the system requires multiple layers of authorization. In addition to user credentials, the workstation itself must be registered and approved server-side. Hardware authentication via USB smart card is also required. This combination suggests a strong emphasis on device identity and centralized trust enforcement.
Document Intelligence and Confidentiality Detection
The most sophisticated component of 保密管理系统 is its document analysis engine. The system continuously scans files stored or accessed on the workstation, extracting content from a wide range of formats including PDF, text documents, Microsoft Office files, HTML content, images, and compressed archives.
Rather than relying on simple keyword searches, the system uses a layered classification approach. One module performs heuristic analysis of document content to detect confidentiality markings commonly used in Chinese administrative and government documents. A particular focus is placed on the character 密, which denotes secrecy or confidentiality depending on context.
The detection engine assigns scores based on how 密 appears within a document. Higher scores are generated when the character is enclosed in brackets, positioned near the beginning of a line, or accompanied by formatting indicators such as stars, dates, or header structures. This allows the system to distinguish between incidental usage and intentional classification labels.
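To make the scoring idea concrete, here is an added Python example written for this article, not code recovered from the leaked software: it scores each line of a document for the indicators described above (bracketed 密, position near the start of a line, star and date decoration, header context) and discounts 密 that occurs inside everyday compounds such as 密码. The specific patterns, weights, threshold and sample documents are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# All patterns are constructed for this example; they approximate common
# Chinese document-marking conventions, not the analysed software's own rules.
BRACKETED = re.compile(r'[【\[（(〔]\s*(?:绝密|机密|秘密|密)\s*[】\]）)〕]')
STAR = re.compile(r'[★☆*]')
DATE = re.compile(r'\d{4}\s*年\s*\d{1,2}\s*月')
HEADER_TAIL = re.compile(r'(?:文件|公安厅|公安局|办公室|号)\s*$')
# 密 as part of an everyday compound: password, key, seal, dense, close, density
INCIDENTAL = re.compile(r'密(?=[码钥封集切度])')

def score_line(line: str, index: int) -> int:
    """Score one line for evidence of an intentional confidentiality label."""
    total = line.count('密')
    if total == 0 or total == len(INCIDENTAL.findall(line)):
        return 0                   # absent, or only inside compounds like 密码
    score = 1                      # 密 used outside an everyday compound
    if BRACKETED.search(line):
        score += 3                 # enclosed in brackets, e.g. 【机密】
    if line.strip().find('密') <= 4:
        score += 2                 # near the start of the line
    if index < 5:
        score += 2                 # within the header region of the document
    if STAR.search(line):
        score += 1                 # star decoration around the label
    if DATE.search(line):
        score += 1                 # issue date on the same line
    if HEADER_TAIL.search(line):
        score += 1                 # organisation or document-number header
    return score

def classify(text: str, threshold: int = 5) -> Tuple[bool, List[Tuple[int, int]]]:
    """Score every line; return (is_marked, [(line_index, score), ...])."""
    hits = [(i, score_line(l, i)) for i, l in enumerate(text.splitlines())]
    hits = [h for h in hits if h[1] > 0]
    return any(s >= threshold for _, s in hits), hits

# Constructed sample documents (not taken from the leak)
MARKED_DOC = "【机密】★2019年8月★\n某省公安厅文件\n关于加强密码管理的通知"
INCIDENTAL_DOC = "用户密码必须每季度更换一次。\n密钥保存在硬件令牌中。"
PRODUCT_DOC = "本系统为保密管理系统的客户端。"

if __name__ == "__main__":
    for name, doc in [("marked", MARKED_DOC), ("incidental", INCIDENTAL_DOC),
                      ("product", PRODUCT_DOC)]:
        print(name, classify(doc))
```

The product name 保密管理系统 in running text scores low because 密 sits mid-line without brackets, stars or a date, which is the incidental-versus-label distinction the engine is built around.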
In parallel, a template-driven classification engine analyzes documents for linguistic patterns associated with specific government bodies or document types. Templates encode expected phrases, formatting conventions, and institutional identifiers used by particular organizations, such as provincial public security departments.
When a document matches both a template and confidentiality indicators, it is classified as sensitive. Metadata about the file, including classification scores and origin indicators, is stored in a local encrypted SQLite database. This creates a persistent record of sensitive material present on the workstation.
These records can then be checked against server-side authorization policies to determine whether the file is permitted on the device. If a violation is detected, the system can notify supervisors or initiate enforcement actions.
Policy Enforcement and Endpoint Lockdown
Identification alone is not the goal of 保密管理系统. Once sensitive material is detected, the system enforces granular usage policies defined through XML configuration files.
Policies control whether files can be printed, copied, written to removable media, burned to optical disks, or shared over networks. Policies can be time specific, role based, or tied to document classification levels. Violations can trigger warnings, reports to supervisors, automatic blocking of the action, or forced system shutdown.
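The policy logic can be illustrated with a small added Python evaluator; it is not the product's own code, and the XML element and attribute names, level ordering and sample rules are assumptions constructed for the example. Each rule is keyed to an action, a minimum classification level, an optional role and an optional time window, and the most severe matching response wins.

```python
import xml.etree.ElementTree as ET

# Constructed policy file. Element and attribute names are assumptions made for
# this example; they are not the analysed system's real XML schema.
POLICY_XML = """<policy>
  <rule action="print" minLevel="2" response="block"/>
  <rule action="usb_write" minLevel="1" response="report" role="clerk"/>
  <rule action="usb_write" minLevel="1" response="warn" role="supervisor"/>
  <rule action="network_share" minLevel="3" response="shutdown"/>
  <rule action="copy" minLevel="2" response="block" start="18:00" end="08:00"/>
</policy>"""

# Classification levels as produced by the document scanner (assumed ordering)
LEVELS = {"公开": 0, "内部": 1, "秘密": 2, "机密": 3, "绝密": 4}
# Responses from least to most severe; the most severe matching rule wins
SEVERITY = ["allow", "warn", "report", "block", "shutdown"]

def in_window(start: str, end: str, now: str) -> bool:
    """True if zero-padded HH:MM 'now' lies in the window; no window means always."""
    if not start or not end:
        return True
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end   # window spanning midnight, e.g. 18:00-08:00

def evaluate(policy_xml: str, action: str, level: str, role: str, now: str) -> str:
    """Return the enforcement response for one attempted action on one document."""
    root = ET.fromstring(policy_xml)
    outcome = "allow"
    for rule in root.findall("rule"):
        if rule.get("action") != action:
            continue
        if LEVELS[level] < int(rule.get("minLevel", "0")):
            continue                    # document is below the level this rule covers
        if rule.get("role") and rule.get("role") != role:
            continue                    # rule is scoped to a different user role
        if not in_window(rule.get("start"), rule.get("end"), now):
            continue                    # rule only applies inside its time window
        response = rule.get("response", "allow")
        if SEVERITY.index(response) > SEVERITY.index(outcome):
            outcome = response
    return outcome

if __name__ == "__main__":
    print(evaluate(POLICY_XML, "copy", "秘密", "clerk", "20:30"))   # block
    print(evaluate(POLICY_XML, "copy", "秘密", "clerk", "10:00"))   # allow
```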
Beyond file handling, the system enforces strict control over the workstation environment itself. Configuration files reference extensive lists of prohibited processes. These include virtual machine software, debugging tools, and other programs that could be used to bypass monitoring or extract data.
Multiple enforcement mechanisms exist for process control, suggesting redundancy and layered protection. Certain DLLs are responsible for terminating prohibited processes based on one configuration set, while other components reference separate process lists. This layered approach reduces the risk of bypass through configuration manipulation.
Hardware interfaces are also regulated. USB devices, printers, and optical drives are monitored and controlled according to policy. While full enforcement could not be observed without authenticated access, configuration files clearly define the intended restrictions.
Network Supervision and User Surveillance
The system is designed to operate within a controlled network environment. Configuration files reference private IP ranges and internal routing assumptions, indicating deployment within segmented government networks rather than unrestricted internet access.
Network monitoring capabilities include scripts designed to inspect unencrypted traffic protocols such as HTTP, FTP, SMTP, and POP3. These scripts are capable of identifying login attempts, credentials, and content flowing through the network.
While modern encryption limits the effectiveness of such inspection on open networks, the design strongly suggests operation within environments where encryption is managed or terminated upstream. This could include government controlled proxies or inspection gateways that enforce plaintext traffic internally.
The presence of these monitoring scripts highlights a broad threat model. The system does not assume that sensitive data leaks only through official channels. Personal email, webmail, and non-sanctioned services are all treated as potential exfiltration paths.
Remote Authority and Supervisor Control
Beyond monitoring and restriction, 保密管理系统 provides supervisors with direct intervention capabilities. The software bundle includes components that enable remote desktop access, screen capture, file upload and download, and forced file deletion.
An integrated remote access tool allows authorized operators to view and interact with the workstation. A screenshot utility can capture the user’s desktop environment. Dedicated executables allow files to be pushed to or pulled from the system, typically within a local network context.
A particularly powerful component enables forced deletion of files. This tool can override file locks and operate on hidden files, suggesting it is intended as a last-resort mechanism to ensure removal of sensitive material.
These capabilities indicate that enforcement is not limited to automated policy actions. Human supervisors retain the ability to intervene directly when necessary.
What 保密管理系统 Reveals About China’s Internal Security Doctrine
This system is not a traditional endpoint detection and response platform. It is not designed primarily to stop malware, detect intrusions, or defend against external attackers. Instead, it functions as an internal compliance and control system.
The underlying assumption is clear. Insider risk is treated as seriously as foreign espionage. Employees are not fully trusted, and security policy is enforced through visibility, restriction, and authority rather than discretion.
The software does not attempt to hide its presence. It reinforces awareness that activity is monitored and governed. This aligns with broader state messaging around secrecy, discipline, and accountability.
The modular architecture and reliance on standard components suggest the system is designed for maintainability and long-term evolution rather than stealth. It is built to function reliably in controlled environments where it operates with full authorization.
The Broader Implications
Although the analyzed version dates back several years, the system’s design provides valuable insight into how large state bureaucracies approach internal cybersecurity. The emphasis on document intelligence, behavioral monitoring, and enforced compliance reflects a model increasingly relevant beyond China.
As governments and large organizations confront insider threats, data leakage, and unauthorized disclosure, similar approaches are emerging globally. The balance between security and autonomy remains contentious, but the technical direction is clear.
This leak offers a rare look at an internal control system built not for secrecy through obscurity, but for discipline through visibility. It demonstrates how modern states increasingly view information security as a governance problem as much as a technical one.
For organizations responsible for sensitive data, the lesson is not about copying this model wholesale, but about understanding the seriousness with which insider risk is treated by major state actors. Systems like 保密管理系统 show how far internal enforcement can go when secrecy is considered a matter of national security.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.