Red Hot Cyber
Vault7 with a Chinese twist: China’s secret global surveillance system exposed

Redazione RHC: 10 November 2025 08:51

Only the flag changes, but the result is always the same.

In 2017, WikiLeaks published Vault7, a leak that exposed the CIA's arsenal: toolkits for penetrating smartphones, smart TVs, and operating systems, command and control infrastructure, and frameworks for obfuscating code. Tools like Weeping Angel (which turned TVs into microphones), HIVE (a C2 for hundreds of implants), and the Marble Framework (for masking and falsely attributing malware) demonstrated that offensive intelligence was common practice even for Western powers.

Today, with the Knownsec leak, the same scenario is being repeated under a different banner: rather than judging who is "worse," it is confirmation that in the gray area of cyberspace, everyone acts out of self-interest and opportunism. Vault7 was proof that digital weapons exist and are used systematically, and now it is China's turn to showcase that same reality.

Knownsec data leak

Hackers have released the largest data leak in Chinese cybersecurity history, from the archives of Knownsec, a company with close ties to Chinese government agencies.

The published materials, consisting of over 12,000 classified documents, revealed details about the country's cyberintelligence program, internal attack tools, and global target lists covering over 20 countries. The event sparked a furious reaction from the international expert community, since it marked the first time the internal contours of China's network operations infrastructure had been exposed on such a large scale.

The data leak was first noticed on November 2, 2025. The files appeared on GitHub, where they were later removed by the platform's administration for violating the terms of service. However, copies had already spread across research forums and the private archives of cybersecurity specialists. According to the published materials, the compromised files included internal reports, the source code of specialized programs, and spreadsheets documenting the company's interactions with Chinese government agencies. The documents include descriptions of network operations conducted against foreign targets, as well as internal credentials and billing records, indicating that the attackers had access to Knownsec's corporate infrastructure.

From cloud monitoring to the gray zone

The company was founded in 2007 and received a significant investment from Tencent in 2015. Before the incident, it employed over 900 people, with regional offices operating across the country. Knownsec is known as a pioneer in cloud monitoring and distributed security concepts in China. Its clients include financial institutions, government organizations, and major online platforms. This position within the Chinese cybersecurity ecosystem makes the incident particularly significant: it affected not just a single contractor, but the entire model of private contractors working on government cyberintelligence projects.

The contents of the leaked archives indicate that they are not commercial materials, but strategic infrastructure. The most notable section is a spreadsheet listing global targets, identifying assets in Japan, Vietnam, India, Indonesia, Nigeria, the United Kingdom, and other countries. One spreadsheet lists 80 foreign targets against which, according to the archive's authors, operations were successfully conducted. Examples include 95 gigabytes of migration data stolen from India, 3 terabytes of phone records from the South Korean mobile operator LG U Plus, and 459 gigabytes of travel documents obtained from Taiwan. Taken together, these materials demonstrate Knownsec's inextricable ties to intelligence-gathering operations outside of China.

Customized tools for surveillance

In addition to the targets' data, the archive also contained descriptions of the technical tools used in the attacks. The company possessed a suite of multifunctional Remote Access Trojans (RATs) designed to infiltrate Linux, Windows, macOS, iOS, and Android systems. Of particular note was a mobile component for Android capable of extracting message history from Chinese messaging apps and Telegram. Also notable were references to hardware devices used in field operations: for example, a modified power bank that secretly uploads data to the attackers' server when connected to the victim's computer. This information suggests that Knownsec participated not only in the analytical, but also in the practical aspects of offensive operations.

The leaked data confirms the existence of a proprietary email intelligence system, Un-Mail, designed to extract and analyze email correspondence. The attached materials also mention internal employee accounting services, financial transaction reports, and collaboration plans with various divisions of Chinese security agencies. For researchers, this directly supports the hypothesis that well-known Chinese cybersecurity vendors may simultaneously be engaged in state-sponsored cyber operations.

The gray area: where affiliations are always in doubt

A Chinese Foreign Ministry spokesperson told Mrxn that they were unaware of any data leak from Knownsec and emphasized that China opposes any form of cyberattack. This formulation is evasive and leaves room for interpretation, as it does not deny the possible involvement of private contractors in state-controlled operations. In the context of the current international situation, this response is perceived as a demonstration of China's position: it considers cyber operations not a crime, but a national security tool not subject to public discussion.

In light of this incident, analysts note that the leak could represent the most significant revelation about the internal architecture of Chinese cyber operations in recent years, surpassing earlier publications on the structure of similar APT groups. International specialists are already studying the archives to characterize the attack methods and identify commonalities with known campaigns, including those targeting infrastructure in Asia and Europe. If the authenticity of all the files is confirmed, the incident could change our understanding of how China's state cyberintelligence system is built and operated.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.