A newly surfaced cache of internal documents has provided one of the clearest views to date into how Chinese hackers are trained, deployed, and evaluated inside a structured, government-backed cyber operations program. The material outlines the technical design, infrastructure, and operational workflow of “Expedition Cloud,” a large-scale cyber range built for China’s Ministry of Public Security. The system is designed to replicate real-world foreign networks so trainees can practice intrusion techniques, exploit development, lateral movement, and full mission operations under conditions that closely match global critical infrastructure.
The documents detail a distributed training environment with worker nodes positioned on the public internet, an isolated internal command network, covert routing channels, simulated targets, and a full audit pipeline that records every action taken by operators. These elements form a training ecosystem that resembles a live operational environment more than a traditional cyber lab. This design gives Chinese operators the ability to rehearse attacks on digital replicas of power grids, SCADA environments, transportation systems, enterprise networks, and industrial control systems modeled on foreign nations.
Internal Architecture of Expedition Cloud
The system is divided into two major components. The internal network is the command and analysis environment. It stores operator data, training results, mission templates, vulnerability libraries, and evaluation tools. All inbound data sent from the external worker nodes is processed here. The internal network includes strict segmentation, multiple network interface layers, and one-way “optical gate” devices that prevent unauthorized data exfiltration.
The external network hosts the live training elements. It includes dozens to hundreds of globally distributed worker nodes. Each node consists of a compute host and a control host. Operators connect to these nodes to launch simulated attacks, run virtual machines, test exploits, and interact with target environments. The external network also maintains a passive relay server. This relay functions as a dead drop where worker nodes post mission data and logs. The internal network retrieves that information through controlled transfer channels without exposing itself to the open internet.
Worker Nodes Positioned on the Global Internet
The worker nodes are the core operational element. Each node can run multiple virtual machines, including Windows, Linux, macOS, Solaris, Android, and specialized security-focused distributions such as Kali. Operators conduct missions inside these controlled VMs. Every keystroke, file change, network packet, and desktop action is recorded. The nodes support three internal VLANs for segmentation and use at least three encrypted protocols to communicate with the relay server.
The system uses OpenStack for virtualization management. A Rednet overlay maps the distributed nodes into what appears to be a single internal network. From the perspective of supervisors inside the internal network, the distributed worker nodes appear as reachable internal hosts even though they are physically remote and exposed to the public internet.
Access to the operator dashboard on a worker node is protected by a decoy system. If a valid authentication token is not presented, the node displays a benign front-end website. Only authenticated users see the real dashboard, where virtual machines can be created, monitored, assigned to operators, and linked to specific training scenarios. References in the documents indicate that authentication may involve USB tokens, QR-based app verification, and standard login credentials.
Simulated Foreign Targets and Training Scenarios
The documents reference a large template library used to generate simulated target environments. These templates include electric power systems, metro signaling, rail networks, airport control systems, industrial control platforms, and enterprise IT networks. The library contains more than one hundred complete target templates and more than two hundred resource sets. These resource sets include firmware, operating systems, device models, known vulnerabilities, and configuration structures similar to those used in foreign environments.
Training scenarios allow operators to rehearse exploitation chains, escalate privileges, pivot across simulated networks, deploy implants, and maintain persistence. Each mission can be configured, authorized, and monitored through the internal dashboard. Supervisors can assign operators, evaluate performance, review logs, and initiate follow-up tasks.
Routing Obfuscation and Stealth Links
The documents repeatedly reference a set of infrastructure elements described as “stealth links.” These are proxy nodes placed on the public internet that mask the origin and routing paths of operator activity. They serve as intermediate points for traffic, making it more difficult for outside observers to track operations or map the network.
The stealth links appear to rely on encrypted communication layers, dynamic routing choices, and a large pool of potential relay nodes around the world. Some references in the installation files suggest that Shadowsocks or V2Ray style configurations may be used for elements of this routing system. The dashboards include a world map that displays available stealth nodes, their assignments, and their operational status.
Relay Server and Passive Data Exchange
The relay server sits between the internal network and the external worker nodes. It is intentionally passive: it does not initiate connections to other components but instead stores JSON-based messages, mission results, packet logs, and screen recordings uploaded by the worker nodes. The internal network retrieves this data through controlled one-way transfers using the optical gates.
This design prevents the internal network from ever being directly reachable from the public internet. Even if a worker node were compromised, the attacker would not be able to pivot directly into the internal network. The relay is isolated and does not allow lateral movement across components.
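The passive relay and one-way ingest pattern described above is a general secure-design idea: an internal network pulls data from an untrusted dead drop and must treat every item as potentially produced by a compromised node. The following is an added illustration written for this article, not code from the leaked documents or from the Expedition Cloud system; the message schema, the shared per-node key, the field names and the sample messages are all constructed assumptions. It shows a relay that only stores opaque bytes, and an internal-side validator that checks size, integrity and strict schema conformance before anything is accepted, so that a valid signature alone (which a compromised worker node could still produce) is not enough to get unexpected content across the gate.

```python
"""Toy model of a passive relay (dead drop) with strict one-way ingest.

Constructed example: the envelope format, schema, and key are assumptions
made for illustration, not details taken from the documents.
"""
import hashlib
import hmac
import json

# Assumption: a per-node key provisioned out of band; constructed demo value.
RELAY_SHARED_KEY = b"constructed-demo-key"

# Assumed schema for items the internal side is willing to accept.
ALLOWED_TYPES = {"mission_result", "packet_log", "screen_recording"}
REQUIRED_FIELDS = {"node_id": str, "msg_type": str, "mission_id": str,
                   "payload": str, "ts": int}


class PassiveRelay:
    """Dead-drop store: accepts uploads, never parses them, never calls out."""

    def __init__(self):
        self._queue = []

    def post(self, raw: bytes) -> str:
        # Store opaque bytes only; the relay neither interprets nor acts on them.
        digest = hashlib.sha256(raw).hexdigest()
        self._queue.append((digest, raw))
        return digest

    def drain(self):
        # The internal side pulls; the relay never pushes.
        items, self._queue = self._queue, []
        return items


def sign_message(msg: dict, key: bytes) -> bytes:
    """Worker-node side: canonical JSON body plus an HMAC-SHA256 tag."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def validate_envelope(raw: bytes, key: bytes, max_bytes: int = 64 * 1024):
    """Internal-side check applied to every relay item before it crosses the gate.

    Returns (message, "ok") or (None, reason). Order matters: cheap size and
    format checks first, then integrity, then the strict schema check.
    """
    if len(raw) > max_bytes:
        return None, "oversize"
    try:
        env = json.loads(raw)
        body, tag = env["body"], env["tag"]
    except (ValueError, KeyError, TypeError):
        return None, "malformed envelope"
    if not isinstance(body, str) or not isinstance(tag, str):
        return None, "malformed envelope"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None, "bad signature"
    try:
        msg = json.loads(body)
    except ValueError:
        return None, "malformed body"
    # Exact field set: extra fields are rejected even when correctly signed,
    # because the signing key lives on a node that may itself be compromised.
    if not isinstance(msg, dict) or set(msg) != set(REQUIRED_FIELDS):
        return None, "unexpected fields"
    for field, typ in REQUIRED_FIELDS.items():
        if not isinstance(msg[field], typ):
            return None, f"bad type for {field}"
    if msg["msg_type"] not in ALLOWED_TYPES:
        return None, "unknown msg_type"
    return msg, "ok"


def ingest(relay: PassiveRelay, key: bytes):
    """Pull everything from the relay and split it into accepted and rejected."""
    accepted, rejected = [], []
    for digest, raw in relay.drain():
        msg, reason = validate_envelope(raw, key)
        if msg is None:
            rejected.append((digest, reason))
        else:
            accepted.append(msg)
    return accepted, rejected


def demo():
    """Constructed sample traffic: one good item and three that must be dropped."""
    relay = PassiveRelay()
    good = {"node_id": "node-17", "msg_type": "mission_result",
            "mission_id": "m-042", "payload": "constructed result blob", "ts": 1700000000}
    relay.post(sign_message(good, RELAY_SHARED_KEY))
    # Tampered in transit: body altered after signing.
    env = json.loads(sign_message(good, RELAY_SHARED_KEY))
    env["body"] = env["body"].replace("node-17", "node-99")
    relay.post(json.dumps(env).encode())
    # Correctly signed but carrying a field outside the schema.
    relay.post(sign_message(dict(good, command="noop"), RELAY_SHARED_KEY))
    # Not an envelope at all.
    relay.post(b"<html>not json</html>")
    return ingest(relay, RELAY_SHARED_KEY)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The key design point is that the relay is inert and the trust decision is made entirely on the internal side, where the validator rejects on the first failed check and never executes or interprets anything it has not positively matched against the schema.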
Internal Network Control Room and Evaluation Tools
The internal dashboard is the command and coordination platform for the entire cyber range. Administrators and supervisors can assign missions, authorize tasks, evaluate operator performance, manage accounts, and review the full dataset produced by training sessions. This includes raw network logs, behavioral analysis data, desktop recordings, and audit trails.
The internal network also contains a communication platform referred to as the 809 intranet system. It provides messaging, scenario documentation, training materials, and knowledge base articles. Operators and supervisors can discuss missions, share findings, and coordinate activity inside the isolated network.
A Comprehensive Training Ecosystem for Chinese Hackers
The leaked documents depict a system that is designed to prepare Chinese operators for real world offensive cyber operations. The cyber range replicates foreign critical infrastructure, hides operational routes behind stealth links, logs every action taken during training, and provides supervisors with detailed insights into the capabilities and weaknesses of each operator.
The architecture reflects a long-term strategy to professionalize training, scale operator capacity, and maintain a library of simulations based on realistic global systems. While there is no evidence in the documents that this platform is used for live attacks, its design clearly supports training for intrusion operations against foreign targets.
For more articles covering state-backed cyber operations, intrusion tools, and major global cyber incidents, explore the latest updates in the Botcrawl cybersecurity and data breaches sections.

