A major data breach at **Knownsec (Chuangyu)**, a prominent Chinese cybersecurity firm with ties to government-backed hacking operations, exposed over **12,000 confidential files** on GitHub in early November 2025. The leaked documents revealed China’s state-sponsored cyber espionage tools, including **Remote Access Trojans (RATs)**, Android malware targeting messaging apps (e.g., Telegram), and even a **malicious power bank** designed to exfiltrate data while charging devices. The breach compromised **95GB of Indian immigration records**, **3TB of South Korean call logs (LG U Plus)**, and **459GB of Taiwanese transport data**, alongside evidence of attacks on **80 foreign organizations**, primarily critical infrastructure such as telecom firms. The leak also exposed a list of **20+ targeted countries**, including Japan, Vietnam, the UK, and Nigeria, confirming Knownsec’s role in developing cyber weapons and maintaining international surveillance databases. Although the files were quickly removed, traces suggest the initial theft may date back to **2023**. The Chinese government denied knowledge of the breach but did not refute state-affiliated cyber activities. Experts emphasize that the incident underscores the inadequacy of traditional defenses (e.g., antivirus, firewalls) against **state-level threats**, and advocate **multi-layered security strategies**.
Source: https://hackread.com/chinese-tech-firm-leak-state-linked-hacking/
Beijing Zhidao Chuangyu Information Technology Co., Ltd. cybersecurity rating report: https://www.rankiteo.com/company/knownsec
{
  "id": "KNO5392653111425",
  "linkid": "knownsec",
  "type": "Breach",
  "date": "6/2023",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
    'affected_entities': [
        {'industry': 'Cybersecurity',
         'location': 'China',
         'name': 'Knownsec (Chuangyu)',
         'size': 'Large (backed by Tencent since 2015)',
         'type': 'Private Cybersecurity Firm'},
        {'customers_affected': 'Citizens (immigration records)',
         'industry': 'Public Sector',
         'location': 'India',
         'name': 'Government of India',
         'type': 'Government'},
        {'customers_affected': 'Subscribers (call logs)',
         'industry': 'Telecom',
         'location': 'South Korea',
         'name': 'LG U Plus',
         'type': 'Telecommunications Company'},
        {'industry': 'Transportation',
         'location': 'Taiwan',
         'name': 'Taiwanese Transport Authorities',
         'type': 'Government Agency'},
        {'industry': 'Multiple',
         'location': ['Japan', 'Vietnam', 'India', 'Indonesia', 'Nigeria',
                      'United Kingdom', 'Others (20+ countries)'],
         'name': '80+ Foreign Organizations (Critical Infrastructure)',
         'type': ['Telecommunications', 'Government', 'Energy', 'Other Sectors']}],
    'attack_vector': ['Insider Threat (suspected)',
                      'Unauthorized Data Exposure (GitHub)',
                      'Potential State-Sponsored Theft (2023)'],
    'data_breach': {
        'data_exfiltration': ['Confirmed (via GitHub)',
                              'Potential earlier exfiltration (2023)'],
        'file_types_exposed': ['Documents', 'Spreadsheets', 'Hacking tool binaries',
                               'Databases', 'Code repositories'],
        'number_of_records_exposed': '12,000+ files (total volume: ~3.5TB+)',
        'personally_identifiable_information': ['Immigration records (India)',
                                                'Call logs (South Korea)',
                                                'Potential chat app data (Telegram, Chinese apps)'],
        'sensitivity_of_data': ['Top Secret (cyber weapons)',
                                'High (PII, call logs, transport data)',
                                'Confidential (target lists)'],
        'type_of_data_compromised': ['Government hacking tools (RATs, spyware)',
                                     'Immigration records (95GB)',
                                     'Telecom call logs (3TB)',
                                     'Transport data (459GB)',
                                     'Target lists (80+ organizations)',
                                     'Attack methodologies']},
    'date_detected': '2025-11-02',
    'date_publicly_disclosed': '2025-11-02',
    'description': 'A significant data leak at Knownsec (Chuangyu), a major Chinese '
                   'cybersecurity firm, exposed over 12,000 secret files on GitHub around '
                   'November 2, 2025. The files revealed details of China’s government-backed '
                   'hacking tools, operations, and international targets, including critical '
                   'infrastructure in over 20 countries. The breach included 95GB of Indian '
                   'immigration records, 3TB of South Korean call logs (LG U Plus), and 459GB '
                   'of Taiwanese transport data. The leak also exposed advanced hacking tools '
                   'like Remote Access Trojans (RATs), Android spyware for apps like Telegram, '
                   'and a malicious power bank designed for covert data exfiltration. The '
                   'Chinese government denied knowledge of the breach but did not refute '
                   'state-associated cyber intelligence activities.',
    'impact': {
        'brand_reputation_impact': ["Severe damage to Knownsec's credibility",
                                    'Erosion of trust in Chinese cybersecurity firms',
                                    "International scrutiny of China's cyber activities"],
        'data_compromised': ['95GB of Indian immigration records',
                             '3TB of South Korean call logs (LG U Plus)',
                             '459GB of Taiwanese transport data',
                             'Hacking tools (RATs, Android spyware, malicious power bank)',
                             'List of 80 foreign organizations targeted (critical infrastructure)',
                             'Details of attacks on 20+ countries/regions'],
        'identity_theft_risk': ['High (given PII in immigration records)',
                                'Potential misuse of call logs and transport data'],
        'operational_impact': ['Exposure of state-backed cyber operations',
                               'Compromise of national security tools',
                               'Reputation damage to Knownsec and Chinese cybersecurity sector']},
    'initial_access_broker': {
        'entry_point': ['Potential insider (2023 theft)',
                        'GitHub repository misconfiguration (2025 leak)'],
        'high_value_targets': ['Government hacking tools',
                               'Lists of international targets (20+ countries)',
                               'Critical infrastructure data (telecom, transport)'],
        'reconnaissance_period': 'Possibly years (since 2023)'},
    'investigation_status': 'Ongoing (unofficial; Chinese government denies breach but '
                            'acknowledges state-linked cyber activities)',
    'lessons_learned': ['Private cybersecurity firms can be deeply entangled in state-sponsored '
                        'operations, creating significant risks if breached.',
                        'GitHub and public repositories require stricter monitoring for '
                        'sensitive data leaks.',
                        'Advanced hacking tools (e.g., RATs, spyware, malicious hardware) pose '
                        'evolving threats beyond traditional malware.',
                        'Critical infrastructure in multiple countries is actively targeted by '
                        'state-associated actors.',
                        'Basic antivirus/firewalls are insufficient; layered defenses (e.g., '
                        'network segmentation, behavioral analysis) are essential.'],
    'motivation': ['Espionage', 'Intelligence Gathering', 'Cyber Warfare Preparation'],
    'post_incident_analysis': {
        'corrective_actions': ['Unknown (no official response from Knownsec or Chinese government)',
                               'Experts recommend overhauling access controls and third-party '
                               'risk management'],
        'root_causes': ['Likely insider threat or compromised credentials (2023 theft)',
                        'Inadequate protection of sensitive files (GitHub exposure)',
                        'Blurred lines between private cybersecurity work and state operations']},
    'recommendations': ['Implement zero-trust architectures and continuous network monitoring.',
                        'Enhance insider threat detection and access controls for sensitive projects.',
                        'Conduct regular audits of third-party code repositories for exposed secrets.',
                        'Develop international norms for cybersecurity firms’ involvement in '
                        'state operations.',
                        'Invest in threat intelligence sharing to counter cross-border cyber espionage.'],
    'references': [{'source': 'Mrxn (Chinese News Outlet)'},
                   {'source': 'International Cyber Digest (X/Twitter)'},
                   {'date_accessed': '2025-11-02 (estimated)',
                    'source': 'Chinese Foreign Ministry Statement'}],
    'response': {
        'communication_strategy': ['Chinese Foreign Ministry denial of breach knowledge',
                                   'No refutation of state-associated cyber intelligence work'],
        'containment_measures': ['Files removed from GitHub',
                                 'No official confirmation of further actions'],
        'enhanced_monitoring': ['Security experts recommend layered defenses beyond '
                                'antivirus/firewalls']},
    'title': 'Major Data Leak at Chinese Security Firm Knownsec (Chuangyu)',
    'type': ['Data Leak', 'Espionage', 'Cyber Weapon Exposure']
}