Geedge Networks

On September 11, over 500GB of internal documents including source code, work logs, operational runbooks, and build systems from Geedge Networks, a company linked to China’s Great Firewall, were leaked online. The breach exposed the internal architecture of ‘Tiangou’, a commercial deep packet inspection (DPI) platform used for mass censorship and surveillance, including VPN detection, SSL fingerprinting, and full-session logging. Deployment records revealed the system was operational in 26 data centers in Myanmar, monitoring 81 million TCP connections, and had been exported to Pakistan, Ethiopia, and Kazakhstan for state-level surveillance. The leak also contained dev notes and build logs, potentially exposing protocol vulnerabilities exploitable by circumvention tools. Researchers warn the archive may contain operational missteps or weaknesses in China’s censorship infrastructure, though full analysis remains incomplete. The data was mirrored by groups like Enlace Hacktivista, with experts advising extreme caution (e.g., air-gapped VMs) due to potential risks in handling the files.

Source: https://www.tomshardware.com/tech-industry/chinas-great-firewall-springs-huge-leak

TPRM report: https://www.rankiteo.com/company/open-technology-fund

{
  "id": "ope1902319091425",
  "linkid": "open-technology-fund",
  "type": "Breach",
  "date": "5/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{'affected_entities': [{'industry': 'cybersecurity/censorship technology',
                        'location': 'China',
                        'name': 'Geedge Networks',
                        'type': 'private company'},
                       {'industry': 'academia/government',
                        'location': 'China',
                        'name': 'MESA Lab (Institute of Information '
                                'Engineering, Chinese Academy of Sciences)',
                        'type': 'research institution'},
                       {'customers_affected': '81 million TCP connections '
                                              'monitored',
                        'industry': 'telecommunications',
                        'location': 'Myanmar',
                        'name': 'Myanmar State-Run Telecoms Company',
                        'type': 'government entity'},
                       {'industry': 'surveillance/telecommunications',
                        'location': 'Pakistan',
                        'name': 'Pakistan Government (WMS 2.0)',
                        'type': 'government'},
                       {'industry': 'telecommunications',
                        'location': 'Ethiopia',
                        'name': 'Ethiopia Government',
                        'type': 'government'},
                       {'industry': 'telecommunications',
                        'location': 'Kazakhstan',
                        'name': 'Kazakhstan Government',
                        'type': 'government'}],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['source code files',
                                        'PDF/Word documents (internal '
                                        'communications)',
                                        'log files (work logs, build logs)',
                                        'configuration files (deployment '
                                        'sheets)'],
                 'number_of_records_exposed': '500GB+ (exact record count '
                                              'unknown)',
                 'sensitivity_of_data': 'high (includes censorship '
                                        'infrastructure details, VPN detection '
                                        'logic, SSL fingerprinting methods)',
                 'type_of_data_compromised': ['source code',
                                              'internal documents',
                                              'operational runbooks',
                                              'build logs',
                                              'dev notes',
                                              'deployment sheets',
                                              'DPI platform architectures']},
 'date_detected': '2023-09-11',
 'date_publicly_disclosed': '2023-09-11',
 'description': 'On September 11, researchers confirmed that over 500GB of '
                'internal documents, source code, work logs, and '
                "communications from China's Great Firewall were dumped "
                'online. The leak includes build systems for deep packet '
                'inspection (DPI) platforms, VPN detection modules, SSL '
                'fingerprinting tools, and operational runbooks. The leaked '
                'data originates from Geedge Networks (linked to Fang Binxing) '
                'and the MESA lab at the Chinese Academy of Sciences. The '
                 "files reveal details of the 'Tiangou' system, a commercial "
                "'Great Firewall in a box' deployed in 26 data centers in "
                'Myanmar (monitoring 81M TCP connections) and exported to '
                'Pakistan, Ethiopia, and Kazakhstan for mass surveillance and '
                'censorship.',
 'impact': {'brand_reputation_impact': ["Undermined trust in China's Great "
                                        'Firewall efficacy',
                                        'Negative publicity for Geedge '
                                        'Networks and MESA lab',
                                        'Scrutiny over export of surveillance '
                                        'tech to authoritarian regimes'],
            'data_compromised': ['internal documents',
                                 'source code (DPI platforms, VPN detection, '
                                 'SSL fingerprinting)',
                                 'work logs',
                                 'internal communications',
                                 'operational runbooks',
                                 'build systems',
                                 'deployment sheets',
                                 'dev notes'],
            'operational_impact': ['Exposure of censorship infrastructure '
                                   'architecture',
                                   'Potential exploitation of protocol-level '
                                   'weaknesses by circumvention tools',
                                   'Risk of operational missteps being '
                                   'identified by adversaries',
                                   "Reputation damage to China's censorship "
                                   'systems'],
            'systems_affected': ['Tiangou (Great Firewall in a box)',
                                 'DPI-based VPN detection systems',
                                 'SSL fingerprinting modules',
                                 'full-session logging platforms',
                                 'HP/Dell servers (early deployments)',
                                 'Chinese-sourced hardware (later deployments)',
                                 'Myanmar state-run telecom infrastructure (26 '
                                 'data centers)',
                                 "WMS 2.0 (Pakistan's surveillance system)"]},
 'investigation_status': 'ongoing (researchers still analyzing the 500GB+ '
                         'archive)',
 'lessons_learned': ['Exposure of internal censorship infrastructure '
                     'highlights risks of centralized surveillance systems.',
                     'Leaked dev notes/build logs may enable adversaries to '
                     'exploit protocol-level weaknesses.',
                     'Commercialization of state censorship tools (e.g., '
                     'Tiangou) increases global proliferation risks.',
                     'Need for secure handling of sensitive source code (e.g., '
                     'air-gapped analysis environments).'],
 'post_incident_analysis': {'root_causes': ['Unclear (potential insider '
                                            'threat, misconfigured repository, '
                                            'or targeted breach)']},
 'recommendations': ['Conduct forensic analysis of leaked code to identify and '
                     'patch vulnerabilities in DPI/VPN detection systems.',
                     'Assess supply chain risks for hardware/software used in '
                     'censorship infrastructure (e.g., shift from HP/Dell to '
                     'Chinese hardware).',
                     'Monitor dark web for further dissemination of leaked '
                     'materials.',
                     'Evaluate legal and diplomatic implications of exporting '
                     'surveillance tech to authoritarian regimes.',
                     'Implement stricter access controls for high-sensitivity '
                     'projects like the Great Firewall.'],
 'references': [{'source': 'Great Firewall Report'},
                {'source': 'WIRED'},
                {'source': 'Amnesty International'},
                {'source': "Tom's Hardware",
                 'url': 'https://www.tomshardware.com'},
                {'source': 'Enlace Hacktivista (archive mirror)'}],
 'response': {'containment_measures': ['Researchers urge use of air-gapped '
                                       'VMs/sandboxed environments for '
                                       'analysis',
                                       'Archive mirrored by Enlace Hacktivista '
                                       'and others']},
 'title': "Leak of Internal Documents and Source Code from China's Great "
          'Firewall (Tiangou System)',
 'type': ['data leak', 'unauthorized disclosure', 'source code exposure']}