Leaked Documents Link Chinese Cybersecurity Firm to Government Censorship

A recent data leak from TopSec, a prominent Chinese cybersecurity firm, has shed light on the company’s alleged involvement in internet censorship activities on behalf of the Chinese government. SentinelOne, a cybersecurity research team, conducted an analysis of the leaked data, revealing over 7,000 lines of work logs and code related to DevOps practices used by TopSec.

The leaked data uncovered scripts connecting to Chinese government-related hostnames, academic institutions, and news sites, indicating TopSec’s extensive reach across various organizations. This disclosure comes on the heels of the United States sanctioning two other Chinese cybersecurity firms for cyber attacks and cybercrime, further escalating tensions in the cybersecurity realm.

Founded in 1995, TopSec offers a range of services including monitoring, IT security, big data, and cloud services. The leaked documents, shared with Hackread.com, mention several public and private sector organizations that are likely customers or partners of TopSec. On the public sector side, TopSec’s clients include significant agencies within China’s political system, such as the Municipal Commissions for Discipline Inspection and the Illegal and Harmful Information Reporting Center. The company also provides services to private sector entities like banks and tech companies.

The leaked documents also reveal TopSec’s involvement in various projects for the Bureaus of the Ministry of Public Security in cities like Shanghai, indicating its role in monitoring website security and content. One notable project, the “Cloud Monitoring Service Project,” covered both, with alerts for breaches or policy violations.

The leaked data included employee work logs, scripts, and commands for infrastructure administration using technologies such as Ansible, Docker, and Kubernetes. Of particular concern were hardcoded credentials found in the leak, which pose a significant security risk.

SentinelOne’s researchers noted that the data was disorganized and predominantly in Chinese, requiring translation and analysis to identify technologies and references in the commands and API data. The leak contained code for initializing Docker images for security monitoring, potentially involving network monitoring probes with privileged access. Work logs referenced a project called “Sparta,” which focused on sensitive word processing and censorship keyword monitoring, with alerts distributed via WeChat.

Additionally, TopSec offers web content monitoring services, including detecting tampering, hidden links, and sensitive words on websites. The company triggers alerts for politically sensitive words, highlighting its role in monitoring online content for censorship purposes.

The leak also revealed a task list focusing on monitoring sensitive words in September 2023, with alerts sent to an individual named Zhao Nannan, whose background suggests a tie to political events. This connection raises questions about the reported “validated events” and underscores the potential implications of TopSec’s activities in monitoring online content.

Overall, the TopSec data leak underscores the significance of secure coding practices and proper credential management in cybersecurity operations. The close relationship between the Chinese government and private cybersecurity firms like TopSec highlights the importance of transparency and accountability in the cybersecurity industry. Implementing robust security measures, such as secrets managers integrated with CI/CD pipelines, can help mitigate the risk of credential exposure and subsequent compromises in sensitive operations.
