TopSec data leak: 7000+ documents expose potential Chinese government surveillance and censorship practices. Learn about the key findings and implications.
A data leak from TopSec, a prominent Chinese cybersecurity firm, has exposed details about the company’s operations and its probable involvement in internet censorship for the Chinese government.
This was revealed by SentinelOne whose SentinelLABS threat research team analysed the leaked data including over 7,000 lines of work logs and code used for DevOps practices. The data revealed scripts connecting to Chinese government hostnames, academic institutions, and news sites, suggesting TopSec’s services extend to a wide range of organizations.
The latest allegation against a Chinese company came just a few months after the United States sanctioned two Chinese firms, Integrity Technology Group and Sichuan Silence Information Technology, for cyber attacks and cybercrime.
TopSec, founded in 1995, provides monitoring, IT security, big data, and cloud services. The leaked documents, according to SentinelOne’s blog post shared with Hackread.com ahead of its publishing on Friday, mention several public and private sector organizations, likely its customers or partners.
On the public side, this includes agencies like the Municipal Commissions for Discipline Inspection and the Illegal and Harmful Information Reporting Center, both key players in China’s political system and online information control. On the private side, its clients range from banks to tech companies.
The documents also detail TopSec’s involvement in projects for Bureaus of the Ministry of Public Security in several cities, including Shanghai, suggesting their participation in monitoring website security and content. One such project, the “Cloud Monitoring Service Project,” involved monitoring website security and content, with alerts for breaches or policy violations.
The data, submitted to a multi-scanner platform, includes employee work logs, scripts, and commands used for infrastructure administration, featuring DevOps technologies like Ansible, Docker, and Kubernetes. Critically, hardcoded credentials were found, posing a significant security risk.
SentinelLABS researchers note that the data was disorganized and in Chinese. Their analysis was mainly focused on identifying technologies and examining references in commands and API data.
“The leaked file is very large, and disorganized, and the formatting is inconsistent, which complicates analysis. It is highly likely that we have not identified all capabilities outlined in the leak. Our analysis approach focused on translating the Chinese language content, identifying known technologies, and identifying interesting references in the commands and API JSON artifacts,” the report revealed.
The leak contained code for initializing Docker images for security monitoring, potentially involving network monitoring probes with privileged access. Work logs referenced “Sparta,” a project handling sensitive word processing, indicating censorship keyword monitoring. Sparta, using GraphQL APIs, appears to be an in-house solution tailored for Chinese language processing. Severe detection alerts were reportedly distributed via WeChat.
TopSec offers web content monitoring services, including “Website Monitoring Service” and detection of events related to tampering, hidden links, and sensitive words. The “WebSensitive” event, is triggered by politically sensitive words.
Moreover, a task list focused on sensitive word monitoring in September 2023, with alerts sent to Zhao Nannan, whose background and subsequent career move suggest a link to political events.
Coincidentally, the head of the Shanghai SASAC, where Zhao Nannan later worked, was under corruption investigation at the same time, raising questions about the reported “validated events.” The Shanghai Municipal Commission for Discipline Inspection is a TopSec customer.
This leak, while its origin remains unclear, highlights the close ties between the Chinese government and private cybersecurity firms and emphasizes the importance of proper credential management and secure coding practices. Using secrets managers integrated with CI/CD pipelines can minimize the risk of credential exposure and subsequent compromise.
