Inside Expedition Cloud: Leaked Documents Reveal China’s Secret Platform for Rehearsing Attacks on Critical Infrastructure
Leaked technical documents expose a Chinese government cyber range designed to practice attacks against foreign power grids, telecoms, and transportation systems. This isn’t preparation for defense—it’s rehearsal for war.
The Leak That Exposed Everything
In February 2026, security researchers discovered something extraordinary on an unsecured FTP server: thousands of documents from a personal device belonging to a developer at Chinese cybersecurity company CyberPeace (赛宁网安, Nanjing Saining Network Technologies). The device had been infected with malware, and its contents had been quietly exfiltrated to an accessible server.
Among the leaked files: source code, training materials, engineering documentation, and system architecture blueprints for a classified platform called “Expedition Cloud” (远征云)—a sophisticated cyber range designed to let Chinese operatives practice hacking replicas of foreign critical infrastructure.
“This is a first,” said Dakota Cary of SentinelOne. “It’s not just developing a cyber range for the state, this is mimicking critical infrastructure. This was created to meet the needs of a state customer.”
That customer? The Ministry of Public Security—China’s primary internal security agency.
What Is Expedition Cloud?
Expedition Cloud is a large-scale cyber training platform that allows Chinese hackers to practice attacks against virtualized replicas of real foreign networks. Unlike defensive cyber ranges used for training security personnel, Expedition Cloud is explicitly designed for offensive operations.
Technical Specifications
According to leaked documentation:
| Capability | Specification |
|---|---|
| User Capacity | 300 concurrent users |
| Connection Capacity | 10,000 simultaneous connections |
| DNS Gateway Database | 100 million URL entries |
| Worker Nodes | 200+ globally distributed |
| Team Structure | Reconnaissance groups + Attack groups |
Target Profiles
The documents describe training environments that replicate “the real network environments” of China’s “main operational opponents in the South China Sea and Indochina directions”—meaning Vietnam, the Philippines, Malaysia, Brunei, Taiwan, and other regional nations.
Sector templates include:
- Power grids and energy transmission networks
- Telecommunications infrastructure
- Transportation systems
- Smart home/IoT infrastructure
Vendor-specific targets:
- Cisco
- Fortinet
- WatchGuard
- Juniper
Operational Security
Expedition Cloud incorporates sophisticated measures to avoid attribution:
- Physical and logical isolation between training and operational networks
- “Optical gates”—unidirectional data flow devices preventing information leakage
- 200+ globally distributed “worker nodes” using three encrypted protocols
- “Independent, private anti-piracy routes” designed to prevent tracking
“This is basically indicating that they are using something that is classified, or some operational tools,” noted Allar Vallaots of CR14, who helps run NATO’s Locked Shields exercise. “They are rehearsing here more than training.”
The AI Factor
Perhaps most concerning is Expedition Cloud’s data collection architecture. The platform records every action taken during exercises:
- Network traffic patterns
- System activity logs
- Operator decisions and timing
- Attack methodology effectiveness
This comprehensive logging enables comparison of different attack methods and optimization of techniques. But it also provides training data for something else: artificial intelligence.
“If you can measure all the different parameters within an attack, then you train the attacks,” Vallaots explained. “AI can find paths, bottlenecks, other ideas, much faster than a human… Whoever possesses the better AI wins.”
The implication is chilling: China may be developing AI systems capable of autonomously identifying and exploiting vulnerabilities in critical infrastructure.
The Typhoon Campaigns: Rehearsal Becomes Reality
Expedition Cloud doesn’t exist in isolation. It’s the training ground for a family of threat actors—collectively known as the “Typhoons”—who are already inside American critical infrastructure.
Volt Typhoon: Pre-Positioned for Destruction
Aliases: VANGUARD PANDA, BRONZE SILHOUETTE, Insidious Taurus, VOLTZITE
Attribution: People’s Liberation Army Cyberspace Force
Mission: Pre-positioning in U.S. critical infrastructure for potential destructive attacks during a Taiwan conflict
Confirmed Compromises:
- 100+ U.S. critical infrastructure organizations
- Littleton Electric Light & Water Department (Massachusetts): 10 months undetected access, exfiltrated grid operating procedures
- Guam power authority: Strategic location for Taiwan defense
- Major U.S. cell carriers
- Federal defense networks
Dwell Time: Up to 5+ years in some networks without triggering any destructive action
Lt. Gen. Thomas Hensley of the 16th Air Force characterized the threat: “If we find ourselves in a conflict with China and they execute destructive cyberattacks against our critical infrastructure in the United States, that is total war in my definition… using the cyber domain to execute a counter-value attack against the U.S. population.”
Salt Typhoon: Telecommunications Penetration
Attribution: Ministry of State Security (MSS)
Mission: Cyber espionage focused on counterintelligence targets
Scale:
- 9 confirmed U.S. telecommunications companies
- 200+ targets across 80 countries
- 1+ million users’ communications metadata
- Access to FBI wiretap (CALEA) systems
- Trump, Vance, and Harris campaign phones compromised
Flax Typhoon: The Botnet Builders
Attribution: MSS-linked, operated through Integrity Technology Group
Mission: Building botnets from compromised IoT devices; targeting Taiwan
Scale: Hundreds of thousands of hijacked devices before FBI disruption
The Typhoon Ecosystem
| Group | Primary Target | Agency | Status |
|---|---|---|---|
| Volt Typhoon | Critical Infrastructure | PLA | Active, pre-positioned |
| Salt Typhoon | Telecommunications | MSS | Active, partially remediated |
| Flax Typhoon | Taiwan, IoT botnets | MSS | Disrupted September 2024 |
| Silk Typhoon | Government agencies | MSS | Active |
| Linen Typhoon | Various | Unknown | Active |
| Violet Typhoon | Various | Unknown | Active |
Living Off the Land: Why Detection Fails
The Typhoon actors share a distinctive operational approach: Living Off the Land (LOTL). Rather than deploying custom malware that security tools might detect, they use legitimate administrative tools already present on target systems:
- wmic (Windows Management Instrumentation)
- ntdsutil (Active Directory maintenance)
- netsh (Network configuration)
- PowerShell (Scripting and automation)
These are tools that system administrators use daily. When a Typhoon operator runs PowerShell to enumerate network shares, it looks identical to a legitimate administrator doing their job.
“Traditional signature-based detection is ineffective,” one incident responder explained. “These aren’t foreign executables tripping antivirus. They’re native Windows commands executed by what appears to be an authorized user.”
Initial Access Methods
The Typhoon groups favor exploiting internet-facing devices:
- VPN appliances
- Firewalls
- Routers
- Edge security devices
Many compromised devices were:
- Running outdated firmware
- Missing critical security patches
- Using default or weak credentials
- End-of-life products no longer receiving updates
The Taiwan Connection
U.S. officials believe the ultimate purpose of these operations is preparation for a potential conflict over Taiwan. The year 2027 is frequently cited as a pivotal date for possible Chinese military action.
Strategic Logic
In any Taiwan conflict, the United States would likely attempt to:
- Deploy naval forces to the region
- Reinforce allies in Japan, the Philippines, and elsewhere
- Coordinate logistics through Pacific bases (especially Guam)
- Communicate strategy through government networks
By pre-positioning in U.S. critical infrastructure, China could:
- Disrupt power to military installations and logistics hubs
- Cripple communications by attacking telecommunications
- Slow mobilization by targeting transportation systems
- Create domestic chaos to divide American attention
The “Tacit Admission”
At a 2024 diplomatic meeting, Chinese officials made remarks that U.S. counterparts interpreted as “a tacit admission and a warning to the U.S. about Taiwan.” The message was clear: these capabilities exist, and they would be used.
The Hardware Problem
The threat extends beyond software. Multiple independent analyses have identified undocumented communication modules embedded in Chinese-manufactured equipment:
- Solar inverters with hidden cellular radios
- Battery storage systems with unexplained network capabilities
- Smart grid components with undisclosed communication features
The 2025 U.S.-China Economic and Security Review Commission report recommended:
- Stronger procurement safeguards
- National testing requirements for foreign OT devices
- Mandatory Software/Firmware/Hardware Bills of Materials (SBOM/FBOM/HBOM)
- Forensic evaluation of field-deployed Chinese components
What Defenders Should Do
Immediate Priorities
1. Edge Device Hygiene
- Inventory all internet-facing devices
- Patch VPNs, firewalls, and routers immediately
- Replace end-of-life equipment
- Audit for default credentials
2. Network Segmentation
- Isolate OT/ICS networks from IT systems
- Implement strict firewall rules between segments
- Deploy unidirectional security gateways where feasible
3. Behavioral Monitoring
- Don’t rely on signatures; look for anomalies
- Monitor administrative tool usage patterns
- Alert on unusual lateral movement
- Baseline normal traffic and investigate deviations
4. Supply Chain Review
- Audit Chinese-manufactured OT components
- Evaluate firmware update mechanisms
- Consider component replacement for high-risk systems
Detection Indicators
Watch for:
- Unexpected administrative tool usage outside business hours
- Large data transfers from OT segments
- New scheduled tasks or services on critical systems
- Configuration changes to network devices without change tickets
- Connections to unusual IP ranges or countries
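As an added example (not code from the article or from any of the reports it cites), the triage logic below applies the LOTL indicators from the "Living Off the Land" section and the off-hours and change-ticket indicators listed above to constructed process-creation records; the pipe-delimited log format, the business-hours window, and the administrator account list are all assumptions.

```python
"""Added example, not from the article: triage process-creation records for
living-off-the-land tool use that matches the indicators above."""
from datetime import datetime

# The four LOTL utilities the article names. All are legitimate admin tools,
# so a hit is a triage signal for an analyst, not proof of intrusion.
LOTL_BINARIES = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time

# Constructed sample records (assumed format): timestamp|host|user|image|command
SAMPLE_LOG = """\
2026-02-03T09:15:00|WS-17|alice|powershell.exe|Get-ChildItem C:\\reports
2026-02-03T02:41:10|DC-01|svc-backup|ntdsutil.exe|ntdsutil.exe <args redacted>
2026-02-03T03:02:55|WS-22|alice|netsh.exe|netsh interface show interface
2026-02-03T10:30:00|WS-22|bob|notepad.exe|notepad.exe
2026-02-03T11:05:00|WS-22|bob|powershell.exe|Get-Process
2026-02-03T23:58:01|WS-17|alice|wmic.exe|wmic process list brief
"""

def parse(line):
    """Split one pipe-delimited record into a dict with a parsed timestamp."""
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.lower(), "cmd": cmd}

def assess(event, admin_users):
    """Return the reasons this event deserves analyst review (empty if none)."""
    reasons = []
    if event["image"] not in LOTL_BINARIES:
        return reasons
    if event["ts"].hour not in BUSINESS_HOURS:
        reasons.append("LOTL tool run outside business hours")
    if event["user"] not in admin_users:
        reasons.append("LOTL tool run by a non-administrator account")
    if event["image"] == "ntdsutil.exe":
        reasons.append("ntdsutil is rare on most hosts; verify a change ticket")
    return reasons

def triage(log_text, admin_users):
    """Run every record through assess() and keep only those with reasons."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        ev = parse(line)
        reasons = assess(ev, admin_users)
        if reasons:
            findings.append((ev["host"], ev["user"], ev["image"], reasons))
    return findings

if __name__ == "__main__":
    for host, user, image, why in triage(SAMPLE_LOG, {"alice", "svc-backup"}):
        print(f"{host} {user} {image}: {'; '.join(why)}")
```

Each finding carries every rule it tripped, so an analyst can prioritize the ntdsutil event on the domain controller (off-hours and rare tool) over a routine wmic call that is merely late.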
The U.S. Response
Government Actions
Sanctions (2024-2025):
- Sichuan Silence Information Technology Company
- Integrity Technology Group (Flax Typhoon)
- Yin Kecheng, Sichuan Juxinhe Network Technology
- Zhou Shuai, Shanghai Heiying Information Technology
Law Enforcement:
- January 2024: FBI disrupted Volt Typhoon’s KV Botnet
- September 2024: U.S. seized Flax Typhoon botnet
- $10 million bounty for Salt Typhoon information
Policy Shifts:
- RSA 2025 keynote: “If you come and do this to us, we’ll punch back”
- “Defend forward” posture under consideration
- Increased coordination between intelligence and private sector
What’s Missing
Critics note that despite years of activity, responses remain largely reactive:
- No demonstrated offensive consequences for attackers
- Limited legal authority for preemptive action
- Inconsistent patching across critical infrastructure
- No mandatory security standards for utilities
Chinese Denials
Beijing maintains its standard position:
- Foreign Ministry: China “stands against hacking and fights such activities in accordance with the law”
- State media: Volt Typhoon is a “misinformation campaign by U.S. intelligence agencies”
- Embassy statements: “unfounded and irresponsible smears and slanders”
The leaked Expedition Cloud documents make these denials increasingly difficult to sustain.
The Bottom Line
The Expedition Cloud leak confirms what U.S. intelligence has warned for years: China is systematically preparing for cyber warfare against critical infrastructure. The Typhoon campaigns demonstrate that this preparation has already translated into action—persistent access established across power grids, telecommunications, water systems, and transportation networks.
This isn’t cybercrime. It isn’t traditional espionage. It’s preparation for conflict, conducted in peacetime, against civilian infrastructure.
Key Statistics:
| Metric | Value |
|---|---|
| Volt Typhoon compromises | 100+ confirmed |
| Salt Typhoon victims | 200+ across 80 countries |
| Longest persistence | 5+ years |
| Taiwan daily intrusion attempts | 2.63 million |
| FBI bounty | $10 million |
| Expedition Cloud capacity | 300 users, 10K connections |
The cyber conflict is already underway. The only question is when—or if—it escalates from preparation to destruction.
Sources
- Recorded Future News - Expedition Cloud leak analysis
- McCrary Institute - “Code Red” Typhoon campaign report
- U.S.-China Economic and Security Review Commission - 2025 Annual Report
- Taiwan National Security Bureau - 2025 cyber threat analysis
- Dragos - Volt Typhoon incident response case studies
- CISA/NSA/FBI - Joint advisories on Typhoon actors
For real-time updates on nation-state cyber threats, follow @breaboredcompany on X.