Leaked Technical Documents Show China Rehearsing Cyberattacks on Neighbors’ Critical Infrastructure

What happened

Leaked internal technical documents indicate that China has been rehearsing cyberattacks against the critical infrastructure of its closest neighboring countries. According to the report, the materials describe a secret training platform known as “Expedition Cloud” that simulates the network environments of potential targets. The cache includes source code, training data, and software assets that replicate networks in sectors such as power, energy transmission, transportation, and smart home infrastructure. The platform serves separate “reconnaissance groups” and “attack groups”, letting operators practice offensive operations against these simulated environments. Independent experts consulted for the reporting expressed high confidence in the authenticity of the files and noted that the platform’s architecture points to deliberate preparation of offensive capabilities rather than defensive simulation. The documents were exposed on an unsecured FTP server linked to a malware-infected developer machine, and were first reported by the specialist blog NetAskari before being covered by Recorded Future News.

Who is affected

Critical infrastructure operators in countries neighboring China are the potential targets. The rehearsed environments replicate power, energy transmission, transportation, and smart home systems, so operators in those sectors could be affected if offensive operations practiced on the disclosed platform are carried out against their real networks.

Why CISOs should care

A cyber range built specifically to rehearse attacks on critical infrastructure shows that state-aligned actors plan and refine operations against particular sector environments well before execution. The replicas described in the leak indicate preparatory targeting rather than opportunistic intrusion: organizations in the mirrored sectors should assume their network layouts and equipment are already being studied, and plan their defenses accordingly.

3 practical actions

  • Assess threat intelligence feeds. Track reporting on state-run rehearsal platforms such as the one disclosed here and adjust defensive priorities as details of the simulated environments emerge. 
  • Strengthen critical infrastructure defenses. Review and harden protections around energy, transportation, and industrial control systems, giving priority to the sectors the platform replicates. 
  • Enhance monitoring for reconnaissance behavior. Detect early signs of external scanning or probing against your own infrastructure, especially assets comparable to the environments the platform simulates.
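As an added example (not code from the article, from NetAskari, or from the leaked material), the Python script below implements the third action: it profiles external sources in firewall-style deny/allow logs and flags those sweeping many internal hosts or many ports, calling out any hits on well-known ICS/OT protocol ports. The log lines are constructed, and the key=value log format, the internal address ranges, and the alert thresholds are assumptions chosen for illustration.

```python
"""Flag external sources probing ICS/OT-facing assets across many hosts or ports.

Added example, not from the article or the leaked material. The log format,
internal ranges and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Well-known ICS/OT protocol ports (IANA / vendor assignments).
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Assumed internal address space; a real deployment would use its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: one external source sweeps Modbus/DNP3/S7 ports across
# five hosts, another walks several ports on one host, an internal HMI polls
# normally, and a lone external hit on 443 is left as background noise.
SAMPLE_LOGS = """\
ts=1700000001 action=deny src=203.0.113.7 dst=10.20.1.10 dport=502 proto=tcp
ts=1700000002 action=deny src=203.0.113.7 dst=10.20.1.11 dport=502 proto=tcp
ts=1700000003 action=deny src=203.0.113.7 dst=10.20.1.12 dport=502 proto=tcp
ts=1700000004 action=deny src=203.0.113.7 dst=10.20.1.13 dport=20000 proto=tcp
ts=1700000005 action=deny src=203.0.113.7 dst=10.20.1.14 dport=102 proto=tcp
ts=1700000006 action=allow src=10.20.1.5 dst=10.20.1.10 dport=502 proto=tcp
ts=1700000007 action=allow src=10.20.1.5 dst=10.20.1.10 dport=502 proto=tcp
ts=1700000008 action=deny src=198.51.100.9 dst=10.20.1.10 dport=22 proto=tcp
ts=1700000009 action=deny src=198.51.100.9 dst=10.20.1.10 dport=23 proto=tcp
ts=1700000010 action=deny src=198.51.100.9 dst=10.20.1.10 dport=80 proto=tcp
ts=1700000011 action=deny src=198.51.100.9 dst=10.20.1.10 dport=443 proto=tcp
ts=1700000012 action=deny src=198.51.100.9 dst=10.20.1.10 dport=2404 proto=tcp
ts=1700000013 action=deny src=198.51.100.9 dst=10.20.1.10 dport=44818 proto=tcp
ts=1700000014 action=deny src=192.0.2.44 dst=10.20.1.10 dport=443 proto=tcp
"""


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one key=value log line; return None for malformed or incomplete lines."""
    fields = {}
    for tok in line.split():
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        fields[key] = value
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


@dataclass
class SourceProfile:
    """Per-source aggregate of what an external address has touched."""
    hosts: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    ics_ports: set = field(default_factory=set)
    events: int = 0


def profile_sources(log_text):
    """Aggregate distinct hosts/ports per external source, skipping internal traffic."""
    profiles = defaultdict(SourceProfile)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or is_internal(ev["src"]):
            continue
        p = profiles[str(ev["src"])]
        p.events += 1
        p.hosts.add(str(ev["dst"]))
        p.ports.add(ev["dport"])
        if ev["dport"] in ICS_PORTS:
            p.ics_ports.add(ev["dport"])
    return profiles


def detect_recon(log_text, host_threshold=3, port_threshold=5):
    """Return {src: reason} for external sources whose activity looks like scanning.

    A horizontal sweep (many hosts) or vertical scan (many ports) triggers an
    alert; ICS-port hits enrich the reason but alone do not alert, since a
    single stray connection to port 502 is common background noise.
    """
    findings = {}
    for src, p in profile_sources(log_text).items():
        sweeping = len(p.hosts) >= host_threshold
        scanning = len(p.ports) >= port_threshold
        if not (sweeping or scanning):
            continue
        reasons = []
        if sweeping:
            reasons.append(f"horizontal sweep of {len(p.hosts)} hosts")
        if scanning:
            reasons.append(f"vertical scan of {len(p.ports)} ports")
        if p.ics_ports:
            names = ", ".join(ICS_PORTS[port] for port in sorted(p.ics_ports))
            reasons.append(f"touched ICS ports: {names}")
        findings[src] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for src, why in detect_recon(SAMPLE_LOGS).items():
        print(f"{src}: {why}")
```

Run against the constructed sample, the detector flags 203.0.113.7 for a five-host sweep that touched S7comm, Modbus/TCP and DNP3, and 198.51.100.9 for a six-port scan including IEC 104 and EtherNet/IP, while the internal HMI and the single external HTTPS hit produce nothing. In production the thresholds should be tuned per network, and ICS-port hits from outside should weigh more heavily than they do here, since those services have no business being reachable from the internet at all.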