China Cyberwarfare Training Leak Exposes Secret Simulations of Foreign Critical Infrastructure

The new leak surrounding China’s offensive cyber training systems has exposed one of the most revealing looks yet into the internal structure of the China cyberwarfare ecosystem. The documents show detailed planning files, internal communication, network diagrams, and architectural blueprints for a sophisticated training platform used by China’s Ministry of Public Security. The platform, codenamed Expedition Cloud, mirrors the digital infrastructure of foreign nations and allows Chinese operators to practice attacks on simulated power grids, transportation networks, energy systems, airport control systems, road traffic management, and other critical sectors.

This leak offers a rare look into how the China cyberwarfare program prepares its operatives. It shows a structured, well-funded, and highly organized system built to model foreign networks, rehearse intrusion methods, refine malware deployment, and conduct offensive cyber missions in controlled environments. These simulations appear to target regions in the South China Sea and the Indochina Peninsula, two areas that align with China’s ongoing geopolitical interests.

Inside the Expedition Cloud Leak

The leaked documents consist of a photographed technical brief, internal development notes, network topology diagrams, operator workflow charts, IP address references, and communication records between Nanjing Saining Network Technologies and the Ministry of Public Security. The brief outlines a system designed to support 300 concurrent operators with up to 10,000 active connections, complete network-wide monitoring, a DNS gateway structure, and a URL classification database containing more than 100 million entries.

The documents repeatedly reference foreign cyberspace operations and operational training needs. They describe realistic simulation environments that allow Chinese operators to rehearse attacks on replicas of adversary systems. The brief also contains contact lists with names and phone numbers of ministry personnel, further confirming that the client behind the project is a state agency. These features position Expedition Cloud as a critical component of the China cyberwarfare infrastructure.

An Architecture Built for Large-Scale Cyber Operations

The architecture of Expedition Cloud separates the system into an internal network and an external network. This separation is intentional. The internal network stores mission data, tracks operator activity, records logs, and maintains the tools, templates, and vulnerability sets used in training. All outgoing data flows through optical gates that enforce one-way transmission (in effect, data diodes), preventing any external intrusion from penetrating the core of the system.

The external network contains worker nodes, target machines, and simulated foreign environments. Each worker node includes multiple VLAN segments for traffic separation, encrypted protocols for secure communication, and support for mobile-phone-based operator authentication through a VPN. These nodes are distributed globally to mimic the structure of a real attack infrastructure. Operators connect to worker nodes to perform drills, test exploits, and practice operational tasks.

The presence of relay servers in the external network adds another layer of complexity. These servers act as neutral communication points that store data temporarily. They sit behind firewalls yet remain reachable from the public internet. A historical analysis of one of the referenced IP addresses showed a past connection to a Sichuan Public Security Bureau domain, indicating the involvement of official networks.

A Template Library Modeling Foreign Critical Infrastructure

The most significant part of the Expedition Cloud system is the template library. This library contains full-scale simulated environments based on the infrastructure of foreign nations. These templates model electric power systems, metro control networks, rail signal systems, airport operations, energy control centers, road traffic lights, port scheduling systems, and industrial control networks. The goal is to allow operators within the China cyberwarfare ecosystem to practice attacks under conditions that closely resemble the real world.

A simulated power grid template might include substations, switching nodes, SCADA controllers, communication interfaces, and protocols that match those used in target regions. An airport template might replicate scheduling systems, baggage operations, ticketing systems, and flight information modules. These environments offer opportunities to test vulnerabilities, rehearse multi-stage attacks, and conduct red team drills based on real system structures.

The library also includes more than one hundred target templates and more than two hundred resource sets. These sets contain device models, firmware, software versions, and known vulnerabilities. The range of available resources shows that Chinese operators are not simply experimenting but are training with highly accurate models built for specific offensive outcomes.

Simulating Western Security Technologies

Throughout the leak, there are numerous references to verified support for Cisco, Fortinet, Juniper, and WatchGuard products. These vendors represent some of the most commonly deployed security and networking products in global government and industrial environments. The inclusion of these product lines shows that the China cyberwarfare training system is designed to simulate attacks against systems protected by Western technologies.

The specifications require that Expedition Cloud support more than two hundred device models and dozens of vulnerability verification procedures. This allows Chinese operators to practice against the same equipment used in real facilities around the world. It also suggests that the training system is updated regularly with new device models and newly discovered vulnerabilities.

Obfuscation and Anonymous Routing

The leak goes into significant detail about the routing and obfuscation layer used by Expedition Cloud. This layer exists to conceal the activity of Chinese operators. It uses private anti-trace routes, IP hopping, port shifting, encrypted communication chains, and dynamic routing decisions. The system includes more than two hundred intermediary nodes that form a protected routing cloud.

Each route uses multiple encrypted protocols and can shift paths automatically if an operator encounters detection or interference. The routing system is designed to hide ongoing operations from foreign detection systems and prevent attribution. It also makes it difficult for external observers to map the overall infrastructure. These features align directly with the broader goals of the China cyberwarfare ecosystem.

Full Traffic Monitoring and Behavioral Analysis

The system implements a full-flow audit system that monitors and records every packet. This flow audit tool provides behavioral analysis, protocol inspection, anomaly detection, and operator performance evaluation. It includes thousands of inspection rules across numerous attack categories. Mission leaders can evaluate drills, measure operator responses, and identify weak areas in training.

Flow analysis is a key part of offensive cyber training. It allows leaders to review exactly how an operator handled a task and refine the methods and tactics used in real operations. The inclusion of these tools shows that China is building an evaluation system similar to military pilot simulators or intelligence agency training environments.

Covert Links and Hidden Network Structures

The term “covert links” appears throughout the leaked documents. These links appear to be hidden communication paths that connect worker nodes, relay servers, and target machines. The exact implementation is not described in detail, but frequent references suggest that covert links help prevent detection and mapping of the system.

These links likely combine encryption, routing concealment, unused protocol channels, and opportunistic network paths. They are designed to obscure the presence of the nodes and mask communication across the system. For a platform designed for offensive training, covert links are essential to preventing outside observers from identifying the infrastructure or the operators.

Training Programs for Chinese Operators

Expedition Cloud includes a comprehensive training platform for Chinese cyber operators. The application layer provides modules for individual and team training, red-versus-blue exercises, vulnerability research, and real-time situational awareness drills. Instructors can set mission objectives, adjust difficulty settings, simulate real-world events, and observe operator performance with full visibility.

The system allows large teams to work together on multi-stage operations that mimic real intrusion campaigns. Operators can simulate pivoting across networks, avoiding detection, exploiting vulnerabilities, and maintaining persistence on a target system. The training pipeline supports both new recruits and advanced operatives who need to practice high-level offensive techniques.

Strategic Alignment With China’s Cyber Goals

The leaked materials date back to 2021 but show a long-term development strategy. The modular architecture, the large template library, the foreign infrastructure models, and the obfuscation layers all point to a program that is designed to grow over time. References to regions in the South China Sea and the Indochina Peninsula align closely with China’s known geopolitical interests.

The strategic value of this system is clear. The China cyberwarfare program has built a realistic, comprehensive, and large-scale simulation environment that allows operators to practice on digital replicas of foreign networks. It gives China an advantage by allowing teams to rehearse offensive cyber operations repeatedly until they are refined, efficient, and ready to be deployed.

This leak is one of the most detailed public windows into China’s offensive cyber preparation. It highlights the scale of the program and the importance of nationwide cybersecurity readiness among countries that may be targeted. It also underscores how essential it is for critical infrastructure operators to assume adversaries may already be simulating their networks in controlled environments.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
