A presentation circulated in late 2025 on the Chinese white hat hacker forum butian.net offers a rare look into how China conducts large-scale cyber attack and defense training across government networks. The material, originally presented at a cybersecurity conference in Changsha, outlines internal weaknesses in China’s national e-government infrastructure and details how red team exercises are designed to exploit those gaps under controlled conditions.
The presentation emerged at a sensitive time for China’s cybersecurity posture. In recent years, the country has faced repeated exposure of massive datasets tied to government and commercial systems, including leaks affecting hundreds of millions of citizens. Against that backdrop, the document provides context on how Chinese authorities and affiliated security researchers attempt to identify and stress-test systemic vulnerabilities before they are exploited in the wild.
Background of the Presentation and Its Author
The presentation, titled “Guidelines for Attack and Defense Drills in the Government Sector,” is attributed to an individual using the alias “Rj45mp.” While the presenter’s formal affiliation is not disclosed, the material demonstrates a level of familiarity with internal administrative networks, cloud deployments, and data exchange mechanisms that exceeds what is typically available in public technical documentation.

Slides reference internal statistics, architectural diagrams, and operational workflows related to government cloud platforms and national data systems. According to publicly available information, Rj45mp appears to be a cybersecurity professional based in Shenzhen who regularly participates in red team and blue team exercises across China.
Although the presentation does not claim to document live attacks, it offers insight into how government systems are modeled as potential targets during sanctioned cyber attack training.
Scale and Coordination of Cybersecurity Drills in China
One of the central themes of the presentation is the scale at which China conducts cybersecurity drills. According to the material, more than 46 government cyber defense exercises were carried out nationwide during 2025. Activity peaked in September, with multiple drills conducted across different provinces, as well as exercises involving Hong Kong and Macao.
These drills are portrayed as part of a broader effort to standardize cybersecurity capabilities across a highly fragmented administrative landscape. Historically, China’s regional governments have operated with uneven security maturity, leading to recurring incidents tied to misconfigurations, weak access controls, and inconsistent policy enforcement.
The presentation identifies three institutions as playing central roles in these exercises:
- The Public Security System, responsible for enforcement, investigation, and operational response
- The Cyberspace Administration of China, acting as the primary coordinator and supervisory authority
- The Bureau of Government Data, positioned as both a core defender and a simulated attack target
The appearance of the Bureau of Government Data as a focal point reflects the growing centralization of citizen and administrative data within national digital government platforms.
China’s E-Government Network Architecture
A substantial portion of the presentation focuses on the structure of China’s e-government infrastructure. While the information remains high-level, the diagrams illustrate how national, provincial, and municipal systems are interconnected through fiber-optic backbones, shared cloud platforms, and centralized authentication services.
As more government services migrate online, the presentation highlights the rapid expansion of the attack surface. Identified exposure points include cloud management platforms, single sign-on systems, VPN gateways, firewalls, bastion hosts, and cross-department data exchange platforms.
The presenter emphasizes that speed of deployment, combined with regional autonomy and inconsistent oversight, increases the likelihood of systemic weaknesses being overlooked.
Simulated Attack Paths Used in Training Exercises
To demonstrate how weaknesses can be exploited, the presentation walks through several simulated attack scenarios used during red team exercises. Seven scenarios are referenced, with detailed examples showing how attackers could pivot through interconnected systems once an initial foothold is established.
Examples include:
- Compromise of bastion hosts through vulnerabilities in single sign-on implementations
- Breaches of DMZ environments followed by lateral movement using previously unknown exploits
- Social engineering campaigns conducted through trusted platforms such as WeChat
- Delivery of malicious software through legitimate communication or maintenance channels
These scenarios are framed as training models, but the techniques described closely resemble methods observed in real-world intrusions against government and enterprise networks.
How Government Systems Are Classified as Targets
The presentation outlines a structured scoring system used to evaluate red team performance. Target systems are classified based on operational importance, data sensitivity, and potential impact.
High-value targets include access control hubs, cloud management platforms, population databases, healthcare systems, and centralized government service platforms. Medium-value targets include backend systems for government mobile applications, official social media accounts, financial administration tools, and internal collaboration platforms. Low-value targets include public-facing portals, decommissioned systems, and improperly isolated testing environments.
Several provincial and national government cloud platforms are cited as examples of systems that would qualify as high-impact targets due to the volume and sensitivity of the data they process.
Data Exchange Platforms and Big Data Risk
The presentation places particular emphasis on data exchange platforms that facilitate information sharing between government departments. Systems handling citizen identity records, social security data, healthcare information, and administrative approvals are described as especially attractive targets during training exercises.
Included diagrams show how data flows between national, provincial, and municipal entities, illustrating how a single point of compromise could propagate across multiple layers of government infrastructure.
This focus is especially notable given recent disclosures involving massive compilations of leaked Chinese citizen data aggregated from multiple sources.
Breaking Network Isolation as a Training Objective
Bypassing network isolation is described as a key goal in red team exercises. Chinese government environments often operate multiple parallel networks, including intranets, extranets, sector-specific networks, and public-facing systems.
The presentation describes common methods used to defeat these separations, including identifying dual-homed servers, exploiting firewall rules that are temporarily opened and not closed, building multi-stage pivot chains across segmented environments, and abusing trusted access held by vendors and service providers.
These techniques mirror methods frequently observed in sophisticated intrusions targeting government infrastructure worldwide.
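A defender-side audit for two of the isolation gaps named above, dual-homed servers and temporary firewall rules that were never closed, as an added example that is not from the presentation or this article. The zone ranges, host inventory, rule records and field names are all constructed for illustration.

```python
import ipaddress
from datetime import date

# Constructed sample data (hypothetical zones, hosts and rule records).
ZONES = {
    "intranet": ipaddress.ip_network("10.10.0.0/16"),
    "extranet": ipaddress.ip_network("10.20.0.0/16"),
    "public": ipaddress.ip_network("192.0.2.0/24"),
}
HOSTS = {
    "app-01": ["10.10.4.15"],
    "xchg-02": ["10.10.7.8", "10.20.1.8"],        # bridges intranet and extranet
    "web-03": ["192.0.2.10", "192.0.2.11"],       # two addresses, one zone
    "jump-04": ["10.20.9.2", "192.0.2.50", "172.16.0.5"],
}
RULES = [
    {"id": "fw-101", "dst": "10.10.7.8", "temporary": True, "expires": date(2025, 3, 1)},
    {"id": "fw-102", "dst": "10.10.4.15", "temporary": True, "expires": None},
    {"id": "fw-103", "dst": "10.20.1.8", "temporary": False, "expires": None},
    {"id": "fw-104", "dst": "10.20.9.2", "temporary": True, "expires": date(2026, 6, 1)},
]

def zone_of(addr):
    """Name of the zone containing addr, or 'unzoned' if none matches."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "unzoned")

def dual_homed(hosts):
    """Hosts whose addresses fall in more than one zone, with those zones."""
    found = {}
    for host, addrs in hosts.items():
        zones = sorted({zone_of(a) for a in addrs})
        if len(zones) > 1:
            found[host] = zones
    return found

def stale_temporary_rules(rules, today):
    """Temporary rules past their expiry date, or recorded with no expiry."""
    return [r["id"] for r in rules
            if r["temporary"] and (r["expires"] is None or r["expires"] < today)]

def priority_rules(rules, hosts, today):
    """Stale temporary rules that open a path to a dual-homed host."""
    bridge_addrs = {a for h in dual_homed(hosts) for a in hosts[h]}
    stale = set(stale_temporary_rules(rules, today))
    return [r["id"] for r in rules if r["id"] in stale and r["dst"] in bridge_addrs]

if __name__ == "__main__":
    today = date(2025, 12, 1)
    print(dual_homed(HOSTS))
    print(stale_temporary_rules(RULES, today))
    print(priority_rules(RULES, HOSTS, today))
```

An address that matches no declared zone is reported as "unzoned" rather than ignored, since an undocumented segment on a multi-homed host is itself a finding.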
Risks Introduced by Collaboration and Communication Platforms
The material also addresses risks associated with collaboration platforms widely used by government agencies. Tools such as WeChat and DingTalk are frequently employed for internal coordination and communication with citizens, often in modified or enterprise-managed forms.
Compromise of these platforms can expose contact lists, internal discussions, and shared documents, creating opportunities for follow-on social engineering and deeper network penetration. The presentation highlights supply chain attacks against software vendors and maintenance providers as a particularly effective entry point in these scenarios.
Taken together, the presentation provides a revealing look into how Chinese cyber attack training models real-world threats, while also underscoring the scale and complexity of the government systems being defended. The material suggests that even internally recognized weaknesses remain difficult to fully address in an environment defined by rapid digital expansion and massive data centralization.

