Unveiling the Great Firewall of China Data Leak: A Cybersecurity Analysis

Estimated reading time: 12 minutes

Key takeaways:

  • A massive data leak allegedly containing 600 GB of material related to the Great Firewall’s infrastructure has surfaced.
  • The leak includes source code, internal communications, work logs, and technical documentation from organizations involved in the system’s development and maintenance.
  • The data leak has significant implications for cybersecurity, including understanding censorship infrastructure, supply-chain risk monitoring, and identifying potential vulnerabilities.
  • The leak also reveals the potential export of censorship technology to countries involved in the Belt and Road Initiative.

The Great Firewall of China has long been a subject of scrutiny and debate within the cybersecurity community. A recent event has brought this topic back into focus: a massive data leak, allegedly containing 600 GB of material related to the Great Firewall’s infrastructure. This leak provides a rare glimpse into the inner workings of one of the world’s most sophisticated censorship and surveillance systems. This post examines the implications of this leak, its potential impact, and what it means for cybersecurity professionals.

Analyzing the 600 GB Great Firewall Data Leak

On September 11, 2025, a substantial data breach surfaced online, purportedly containing 600 GB of data associated with the Great Firewall of China. This material encompasses source code, internal communications, work logs, and technical documentation from organizations allegedly involved in the system’s development and maintenance. The leak was attributed to Enlace Hacktivista, a group previously linked to the Cellebrite data leak. The collective asserted that the data originates from Geedge Networks and the MESA Lab at the Chinese Academy of Sciences’ Institute of Information Engineering, both critical entities in the Firewall’s research and development. Geedge is notably led by Fang Binxing, often referred to as the “Father of the Great Firewall.”

The leaked data’s implications extend beyond China’s borders, potentially revealing the export of censorship and surveillance technology to countries involved in the Belt and Road Initiative, including Myanmar, Pakistan, Ethiopia, and Kazakhstan.

What Was Leaked?

The leaked material is available via BitTorrent and direct links. The primary component is a 500 GB mirror/repo.tar file, essentially an archive of the RPM packaging server, alongside compressed document sets from Geedge and MESA. In total, the leak comprises tens of thousands of pages and repositories, offering a detailed view of the infrastructure underpinning the Firewall. This data leak differentiates itself through its depth of detail, consisting of raw operational data that traces years of development and collaboration rather than isolated documents.

Insights from the File Structure

The archive’s structure provides insights into the Firewall’s nature. For example, the geedge_docs.tar.zst and mesalab_docs.tar.zst files contain thousands of internal reports, project descriptions, and technical proposals. File names such as CTF-AWD.docx, BRI.docx, and CPEC.docx suggest connections to Belt and Road Initiative projects and international collaborations. Project management records, like geedge_jira.tar.zst, detail the coordination between researchers and engineers, while communication drafts illustrate the granular planning involved in censorship operations. The filelist.txt within the mirror directory serves as an archive of software packages supporting Firewall operations, highlighting the technical aspects of the project.

MESA and Geedge: A Closer Look

The leaked background information provides a detailed timeline of MESA’s formation and growth. Established in 2012, MESA expanded rapidly through talent programs, research grants, and government contracts, contributing to national-level awards in cybersecurity. Geedge Networks, founded in 2018 with Fang Binxing as its chief scientist, became a key private partner to Chinese authorities. It supports censorship operations both domestically and internationally, exporting surveillance solutions.

Implications for Cybersecurity

This leak presents several implications for the cybersecurity community:

Understanding Censorship Infrastructure

The leaked data offers researchers an opportunity to understand the technical underpinnings of China’s censorship apparatus. By analyzing the source code, documentation, and communication logs, researchers can gain insights into the methods, technologies, and strategies employed by the Great Firewall.

Supply-Chain Risk Monitoring

The leak highlights the complexity of the Great Firewall’s supply chain, which involves research institutes, private companies, and government entities. Understanding these relationships is crucial for supply-chain risk monitoring, as a weakness in one component can have far-reaching consequences. This is relevant for organizations that track their exposure to Chinese technology in a cyber threat intelligence platform.

Identifying Potential Vulnerabilities

Analyzing the leaked code could reveal vulnerabilities that could be exploited to bypass or disrupt the Great Firewall. Security researchers may find weaknesses in the system’s design or implementation, leading to new methods for circumventing censorship.

Assessing the Impact on International Relations

The leak reveals the potential export of censorship technology to other countries involved in the Belt and Road Initiative. This raises concerns about the proliferation of surveillance capabilities and its impact on human rights and freedom of expression in these regions.

Enhancing Threat Intelligence

The leaked data can be integrated into a cyber threat intelligence platform to improve the detection and analysis of cyber threats originating from or targeting China. By understanding the tools and techniques used by the Great Firewall, security professionals can better defend against related attacks.

Understanding the Global Reach of Chinese Cyber Activities

The documents suggest that the reach of the Great Firewall extends beyond China’s borders, supplying censorship and Telegram threat-monitoring technology to governments in Myanmar, Pakistan, Ethiopia, Kazakhstan, and others linked to the Belt and Road Initiative. This highlights the global implications of Chinese cyber activities.

Actionable Advice for Technical and Non-Technical Readers

Given the complexity and scope of the leak, here are some actionable insights for both technical and non-technical audiences:

For Technical Readers

  • Conduct Isolated Analysis: If you plan to analyze the leaked data, do so in a completely isolated environment to prevent potential malware infections.
  • Focus on Key Components: Prioritize the analysis of key components such as the mirror/repo.tar archive, geedge_docs.tar.zst, and mesalab_docs.tar.zst files.
  • Look for Vulnerabilities: Scrutinize the source code for potential vulnerabilities that could be exploited to bypass or disrupt the Great Firewall.
  • Correlate with Existing Threat Intelligence: Integrate findings with existing threat intelligence feeds to identify potential overlaps and enhance breach detection capabilities.
  • Contribute to Community Knowledge: Share your findings with the cybersecurity community to enhance collective knowledge and improve defenses against related threats.
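For the isolated-analysis and threat-intelligence-correlation steps above, here is an added example (not code from the post, the leak, or PurpleOps) of a small Python triage script: it inventories a tar archive member by member without extracting anything, rejects entries that could escape the working directory (absolute paths, `..` components, links, device nodes), and records SHA-256 hashes of the remaining regular files for matching against threat-intelligence feeds. The archive it builds is a constructed placeholder with invented member names, not material from the leak.

```python
import hashlib
import io
import posixpath
import tarfile

def build_sample_archive() -> bytes:
    """Constructed sample archive (not from the leak): two ordinary members plus
    one that tries to escape the working directory via '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("mirror/filelist.txt", b"example-1.0-1.x86_64.rpm\n"),
            ("docs/BRI.docx", b"constructed placeholder content"),
            ("../../etc/cron.d/evil", b"# constructed path-traversal member"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def is_unsafe_name(name: str) -> bool:
    """True if extracting this path could land outside the working directory."""
    return posixpath.isabs(name) or ".." in posixpath.normpath(name).split("/")

def is_unsafe_member(member: tarfile.TarInfo) -> bool:
    """Also reject links and device nodes, which can alias paths outside the sandbox."""
    return is_unsafe_name(member.name) or member.issym() or member.islnk() or member.isdev()

def inventory(archive_bytes: bytes) -> dict:
    """Read the archive member by member (no extraction) and hash safe regular files."""
    hashes, rejected = {}, []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar:
            if is_unsafe_member(member):
                rejected.append(member.name)
            elif member.isfile():
                digest = hashlib.sha256()
                with tar.extractfile(member) as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        digest.update(chunk)
                hashes[member.name] = digest.hexdigest()
    return {"hashes": hashes, "rejected": rejected}

if __name__ == "__main__":
    result = inventory(build_sample_archive())
    for name, digest in result["hashes"].items():
        print(f"{digest}  {name}")  # sha256sum-style lines for feed correlation
    print("rejected:", result["rejected"])
```

Run it inside the isolated analysis environment against a real archive by replacing `build_sample_archive()` with the file's bytes; the rejected list is what to review by hand before any extraction.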

For Non-Technical Readers

  • Be Aware of the Risks: Understand that the leak may reveal sensitive information about individuals and organizations operating in China.
  • Assess Your Exposure: Determine if your organization has any connections to entities involved in the Great Firewall’s supply chain.
  • Enhance Security Awareness: Educate employees about the risks of phishing and social engineering attacks, particularly those impersonating Chinese government or military institutions.
  • Monitor Network Traffic: Implement network monitoring tools to detect suspicious traffic patterns that may indicate communication with Chinese censorship infrastructure.
  • Advocate for Transparency: Support efforts to promote transparency and accountability in the development and deployment of censorship technologies.

PurpleOps and the Great Firewall

The Great Firewall data leak is relevant to PurpleOps and its services in several ways:

Threat Intelligence

PurpleOps can leverage the leaked data to enhance its cyber threat intelligence platform. By analyzing the tools, techniques, and infrastructure used by the Great Firewall, PurpleOps can provide clients with better insights into potential cyber threats originating from or targeting China. This includes real-time ransomware intelligence and brand-leak alerting.

Dark Web Monitoring

PurpleOps’s dark web monitoring service can be used to track the distribution and discussion of the leaked data on underground forums and marketplaces. This can help identify potential misuse of the data and alert clients to any threats targeting their organizations.

Supply-Chain Security

PurpleOps can help clients with supply-chain risk monitoring by identifying potential connections to entities involved in the Great Firewall’s development and deployment. This includes conducting due diligence on suppliers and partners operating in China.

Brand Protection

The leaked data may contain information about organizations and individuals operating in China. PurpleOps can help clients protect their brand by monitoring for mentions of their name or products in the leaked data and taking steps to mitigate any potential damage.

Proactive Security Measures

The insights gained from the leak can inform proactive security measures, such as strengthening network defenses, improving incident response plans, and enhancing employee security awareness training.

The ShinyHunters Attack on Vietnam’s CIC: A Parallel Case

In a separate but related incident, the ShinyHunters cybercriminal group claimed responsibility for exfiltrating over 160 million records from Vietnam’s National Credit Information Center (CIC). This attack, which targeted a government-owned repository of credit information, highlights the potential consequences of centralized data storage and the value of such data on the dark web.

The ShinyHunters group offered the stolen data for sale on the “Breachsta” underground forum for $175,000. The data reportedly included personally identifiable information (PII), credit payment histories, risk analysis data, credit card information, military, government, and tax IDs, income statements, debts, contact and employment information, and banking details.

The parallels between the Great Firewall data leak and the CIC breach underscore the importance of robust cybersecurity measures, breach detection, and proactive threat intelligence. In both cases, valuable data was exfiltrated and offered for sale on the dark web, highlighting the need for organizations to protect their sensitive information and monitor for potential misuse.

Conclusion

The Great Firewall data leak represents a significant event in the cybersecurity space. It offers a rare glimpse into the inner workings of one of the world’s most sophisticated censorship systems and has implications for cybersecurity professionals, researchers, and policymakers alike. By understanding the technologies, strategies, and relationships involved, we can better defend against related cyber threats and advocate for greater transparency and accountability in the development and deployment of censorship technologies.

To learn more about how PurpleOps can help you protect your organization from cyber threats, explore our services or contact us today.

FAQ

Q: What is the Great Firewall of China?

A: The Great Firewall of China is a censorship and surveillance project operated by the Chinese government to regulate the Internet within the country.

Q: What was leaked in the Great Firewall data leak?

A: The leak allegedly contains 600 GB of data, including source code, internal communications, work logs, and technical documentation related to the Great Firewall’s infrastructure.

Q: Who is allegedly responsible for the Great Firewall data leak?

A: The leak was attributed to Enlace Hacktivista, a group previously linked to the Cellebrite data leak.

Q: What are the implications of the Great Firewall data leak for cybersecurity?

A: The leak has implications for understanding censorship infrastructure, supply-chain risk monitoring, identifying potential vulnerabilities, and enhancing threat intelligence.

Q: How can PurpleOps help protect organizations from cyber threats related to the Great Firewall data leak?

A: PurpleOps can leverage the leaked data to enhance its cyber threat intelligence platform, dark web monitoring service, and supply-chain security assessments.