HQC: key encapsulation based on codes

New attacks in Italy, state-sponsored activity, operations in Ukraine

 View all
Threat Intelligence

Parts of the Great Firewall of China may have been “exported” to other countries

Threat Discovery Telsy TS WAY Cyber Threat Intelligence

A year and a half after the leak to the technology company iSoon, which shed light on an important segment of the Chinese government’s cyber ecosystem, a new data leak is providing insight into the Great Firewall of China (GFW), one of the subsystems of the Golden Shield Project surveillance apparatus. The leaked information concerns the design and management of the GFW and the distribution of alleged commercial versions of the Firewall itself in other countries.

Porzioni del Great Firewall of China sarebbero state “esportate” anche in altri Paesi Telsy

The control of information flows in China operates on at least three macro-levels:

  • At the network level, by monitoring incoming and outgoing information, but not information exchanged within the national perimeter.
  • At the service level, on internal communications: services such as blogs, social media apps, and gaming platforms, which already have the tools to filter certain information and block specific accounts as part of their content moderation policies, are required to perform these operations on behalf of the government as well.
  • Through a bureaucracy that detects specific cases of violation and applies sanctions.

The authorities would also be able to launch targeted DDoS attacks using a tool known as the “Great Cannon,” which can disrupt the functionality of web portals. However, as several analysts and researchers have pointed out, the Golden Shield Project operates with the dynamics of state censorship that does not only take the form of peremptory blocks or authentic “walls.” It is, in reality, a gigantic, elastic, semi-permeable, multifaceted apparatus that is, in many respects, imperfect and unpredictable.

Apparently, no one knows for sure what content is actually censored at any given time and how censorship takes place. Not even the human operators involved in this analysis and filtering work are fully aware of the rules to be applied. This is where the great paradox, which oscillates between Kafka and Orwell, of having to eliminate what should not be known comes into play.

Thus, the greatest effectiveness comes from inducing self-censorship in users. To put it very simply, if you know you are being monitored, the monitoring does not need to be systematic or perfect (and it is better if it is not even logical or recognizable). It is enough for you to have random evidence of censorship for a whole series of psychological self-defense reactions to be triggered in your behavior and, therefore, self-censorship.

The GFW, renamed “Locknet” by some researchers, is in fact a national intranet that connects to the global  network, managing information flows according to its own rules. The leak originates from an important branch of GFW research and development, consisting of the company Geedge Networks and the MESA Lab, affiliated with the Institute of Information Engineering (IIE) of the Chinese Academy of Sciences (CAS). The two entities are closely linked, as Geedge Networks, founded in 2018, counts computer engineer Fang Binxing, the ‘father’ of the GFW, among its main investors.

Porzioni del Great Firewall of China sarebbero state “esportate” anche in altri Paesi Telsy

The leak, revealed in early September 2025, consists of 600 GB of data—including source code, work logs, and internal communications—which can be downloaded from the independent platform Enlace Hacktivista. Numerous teams of professionals have begun analyzing the content.

Although the source code is still being studied, the 100,000 internal documents from Geedge Networks have already provided a wealth of highly significant technical, commercial, and strategic information. One of the investigations, which lasted several months, was conducted by the investigative journalism platform Follow the Money, the German investigative journalism outlet Paper Trail Media, the Austrian newspaper DER STANDARD, and the Canadian newspaper The Globe and Mail, with the help of Amnesty International, Justice for Myanmar activists, the Tor Project, and InterSecLab.

It emerged that Geedge Networks had marketed a suite of highly sophisticated monitoring technologies that are believed to have points of contact with the GFW. Specifically, the suite includes Cyber Narrator, the main interface with which customers interact, which also allows non-technically qualified operators to monitor groups of internet users in specific areas. Tiangou Secure Gateway, considered the flagship product, can block VPNs, but also distribute malicious code to websites or launch attacks against them. TSG Galaxy stores the data collected on users. Finally, Network Zodiac controls all other systems in the suite and reports any errors.

Porzioni del Great Firewall of China sarebbero state “esportate” anche in altri Paesi Telsy

The entire arsenal, analysts explain, is not only powerful but also scalable, which would have allowed it to be distributed in several countries, including Myanmar, Pakistan, Kazakhstan, and Ethiopia . The examples provided outline rather intrusive activities carried out by regimes widely classified as undemocratic. In particular, the company allegedly provided the backbone for the creation of a new version of Pakistan’s national firewall, known as Web Monitoring System (WMS) 2.0. In Myanmar, on the other hand, it allegedly collaborated with the current military junta to implement a commercial version of the GFW, which would be supported by at least 13 national telecommunications companies. Ethiopia, on the other hand, allegedly used Fang Binxing’s company to block the internet during the conflict in Tigray (2020), effectively using these resources as a tool of war. Finally, Kazakhstan allegedly purchased the Tiangou Secure Gateway.

Fang Binxing’s ‘internationalist’ vocation – and China’s interest in collaborating with Russia on this specific issue – would be confirmed by a 2023 report by RadioFreeEurope.

In April 2016 – many years before Beijing and Moscow declared their “no limits” partnership – the Safe Internet League, a censorship lobby group funded by conservative Russian oligarch Konstantin Malofeyev, organized a conference in Moscow attended by a large Chinese delegation led, among others, by the architect of the GFW. Malofeyev and the Safe Internet League, the authors of the report explain, were part of a group promoting close cooperation that would have allowed them to learn from China how to better manage the web and limit Western digital influence.

 

TS-Intelligence

The information reported is the result of the collection and analysis work carried out by the specialists of Telsy’s Threat Intelligence & Response team with the support of the TS-Intelligence platform, a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

TS Intelligence_Telsy_Platform 2_LUG25It is available as a web-based and full-API platform, designed to be integrated into the organization’s systems and defensive infrastructures, with the goal of enhancing protection against complex cyber threats.

The platform’s continuous research and analysis on threat actors and emerging online threats—whether APTs or cybercrime—produces a constant stream of exclusive intelligence, delivered in real time and structured into technical, strategic, and executive reports.

 

Discover more about our Intelligence services.