Inside Expedition Cloud: Leaked Documents Reveal China’s Secret Platform for Rehearsing Attacks on Critical Infrastructure

Leaked technical documents expose a Chinese government cyber range designed to practice attacks against foreign power grids, telecoms, and transportation systems. This isn’t preparation for defense—it’s rehearsal for war.

The Leak That Exposed Everything

In February 2026, security researchers discovered something extraordinary on an unsecured FTP server: thousands of documents from a personal device belonging to a developer at Chinese cybersecurity company CyberPeace (赛宁网安, Nanjing Saining Network Technologies). The device had been infected with malware, and its contents had been quietly exfiltrated to an accessible server.

Among the leaked files: source code, training materials, engineering documentation, and system architecture blueprints for a classified platform called “Expedition Cloud” (远征云)—a sophisticated cyber range designed to let Chinese operatives practice hacking replicas of foreign critical infrastructure.

“This is a first,” said Dakota Cary of SentinelOne. “It’s not just developing a cyber range for the state, this is mimicking critical infrastructure. This was created to meet the needs of a state customer.”

That customer? The Ministry of Public Security—China’s primary internal security agency.

What Is Expedition Cloud?

Expedition Cloud is a large-scale cyber training platform that allows Chinese hackers to practice attacks against virtualized replicas of real foreign networks. Unlike defensive cyber ranges used for training security personnel, Expedition Cloud is explicitly designed for offensive operations.

Technical Specifications

According to leaked documentation:

Capability	Specification
User Capacity	300 concurrent users
Connection Capacity	10,000 simultaneous connections
DNS Gateway Database	100 million URL entries
Worker Nodes	200+ globally distributed
Team Structure	Reconnaissance groups + Attack groups

Target Profiles

The documents describe training environments that replicate “the real network environments” of China’s “main operational opponents in the South China Sea and Indochina directions”—meaning Vietnam, the Philippines, Malaysia, Brunei, Taiwan, and other regional nations.

Sector templates include:

• Power grids and energy transmission networks
• Telecommunications infrastructure
• Transportation systems
• Smart home/IoT infrastructure

Vendor-specific targets:

• Cisco
• Fortinet
• WatchGuard
• Juniper

Operational Security

Expedition Cloud incorporates sophisticated measures to avoid attribution:

• Physical and logical isolation between training and operational networks
• “Optical gates”—unidirectional data flow devices preventing information leakage
• 200+ globally distributed “worker nodes” using three encrypted protocols
• “Independent, private anti-piracy routes” designed to prevent tracking

“This is basically indicating that they are using something that is classified, or some operational tools,” noted Allar Vallaots of CR14, who helps run NATO’s Locked Shields exercise. “They are rehearsing here more than training.”

The AI Factor

Perhaps most concerning is Expedition Cloud’s data collection architecture. The platform records every action taken during exercises:

• Network traffic patterns
• System activity logs
• Operator decisions and timing
• Attack methodology effectiveness

This comprehensive logging enables comparison of different attack methods and optimization of techniques. But it also provides training data for something else: artificial intelligence.

“If you can measure all the different parameters within an attack, then you train the attacks,” Vallaots explained. “AI can find paths, bottlenecks, other ideas, much faster than a human… Whoever possesses the better AI wins.”

The implication is chilling: China may be developing AI systems capable of autonomously identifying and exploiting vulnerabilities in critical infrastructure.

The Typhoon Campaigns: Rehearsal Becomes Reality

Expedition Cloud doesn’t exist in isolation. It’s the training ground for a family of threat actors—collectively known as the “Typhoons”—who are already inside American critical infrastructure.

Volt Typhoon: Pre-Positioned for Destruction

Aliases: VANGUARD PANDA, BRONZE SILHOUETTE, Insidious Taurus, VOLTZITE

Attribution: People’s Liberation Army Cyberspace Force

Mission: Pre-positioning in U.S. critical infrastructure for potential destructive attacks during a Taiwan conflict

Confirmed Compromises:

• 100+ U.S. critical infrastructure organizations
• Littleton Electric Light & Water Department (Massachusetts): 10 months undetected access, exfiltrated grid operating procedures
• Guam power authority: Strategic location for Taiwan defense
• Major U.S. cell carriers
• Federal defense networks

Dwell Time: Up to 5+ years in some networks without triggering any destructive action

Lt. Gen. Thomas Hensley of the 16th Air Force characterized the threat: “If we find ourselves in a conflict with China and they execute destructive cyberattacks against our critical infrastructure in the United States, that is total war in my definition… using the cyber domain to execute a counter-value attack against the U.S. population.”

Salt Typhoon: Telecommunications Penetration

Attribution: Ministry of State Security (MSS)

Mission: Cyber espionage focused on counterintelligence targets

Scale:

• 9 confirmed U.S. telecommunications companies
• 200+ targets across 80 countries
• 1+ million users’ communications metadata
• Access to FBI wiretap (CALEA) systems
• Trump, Vance, and Harris campaign phones compromised

Flax Typhoon: The Botnet Builders

Attribution: MSS-linked, operated through Integrity Technology Group

Mission: Building botnets from compromised IoT devices; targeting Taiwan

Scale: Hundreds of thousands of hijacked devices before FBI disruption

The Typhoon Ecosystem

Group	Primary Target	Agency	Status
Volt Typhoon	Critical Infrastructure	PLA	Active, pre-positioned
Salt Typhoon	Telecommunications	MSS	Active, partially remediated
Flax Typhoon	Taiwan, IoT botnets	MSS	Disrupted September 2024
Silk Typhoon	Government agencies	MSS	Active
Linen Typhoon	Various	Unknown	Active
Violet Typhoon	Various	Unknown	Active

Living Off the Land: Why Detection Fails

The Typhoon actors share a distinctive operational approach: Living Off the Land (LOTL). Rather than deploying custom malware that security tools might detect, they use legitimate administrative tools already present on target systems:

• wmic (Windows Management Instrumentation)
• ntdsutil (Active Directory maintenance)
• netsh (Network configuration)
• PowerShell (Scripting and automation)

These are tools that system administrators use daily. When a Typhoon operator runs PowerShell to enumerate network shares, it looks identical to a legitimate administrator doing their job.

“Traditional signature-based detection is ineffective,” one incident responder explained. “These aren’t foreign executables tripping antivirus. They’re native Windows commands executed by what appears to be an authorized user.”

Initial Access Methods

The Typhoon groups favor exploiting internet-facing devices:

• VPN appliances
• Firewalls
• Routers
• Edge security devices

Many compromised devices were:

• Running outdated firmware
• Missing critical security patches
• Using default or weak credentials
• End-of-life products no longer receiving updates

The Taiwan Connection

U.S. officials believe the ultimate purpose of these operations is preparation for a potential conflict over Taiwan. The year 2027 is frequently cited as a pivotal date for possible Chinese military action.

Strategic Logic

In any Taiwan conflict, the United States would likely attempt to:

• Deploy naval forces to the region
• Reinforce allies in Japan, the Philippines, and elsewhere
• Coordinate logistics through Pacific bases (especially Guam)
• Communicate strategy through government networks

By pre-positioning in U.S. critical infrastructure, China could:

• Disrupt power to military installations and logistics hubs
• Cripple communications by attacking telecommunications
• Slow mobilization by targeting transportation systems
• Create domestic chaos to divide American attention

The “Tacit Admission”

At a 2024 diplomatic meeting, Chinese officials made remarks that U.S. counterparts interpreted as “a tacit admission and a warning to the U.S. about Taiwan.” The message was clear: these capabilities exist, and they would be used.

The Hardware Problem

The threat extends beyond software. Multiple independent analyses have identified undocumented communication modules embedded in Chinese-manufactured equipment:

• Solar inverters with hidden cellular radios
• Battery storage systems with unexplained network capabilities
• Smart grid components with undisclosed communication features

The 2025 U.S.-China Economic and Security Review Commission report recommended:

• Stronger procurement safeguards
• National testing requirements for foreign OT devices
• Mandatory Software/Firmware/Hardware Bills of Materials (SBOM/FBOM/HBOM)
• Forensic evaluation of field-deployed Chinese components

What Defenders Should Do

Immediate Priorities

1. Edge Device Hygiene

• Inventory all internet-facing devices
• Patch VPNs, firewalls, and routers immediately
• Replace end-of-life equipment
• Audit for default credentials

2. Network Segmentation

• Isolate OT/ICS networks from IT systems
• Implement strict firewall rules between segments
• Deploy unidirectional security gateways where feasible

3. Behavioral Monitoring

• Don’t rely on signatures; look for anomalies
• Monitor administrative tool usage patterns
• Alert on unusual lateral movement
• Baseline normal traffic and investigate deviations

4. Supply Chain Review

• Audit Chinese-manufactured OT components
• Evaluate firmware update mechanisms
• Consider component replacement for high-risk systems

Detection Indicators

Watch for:

• Unexpected administrative tool usage outside business hours
• Large data transfers from OT segments
• New scheduled tasks or services on critical systems
• Configuration changes to network devices without change tickets
• Connections to unusual IP ranges or countries

The U.S. Response

Government Actions

Sanctions (2024-2025):

• Sichuan Silence Information Technology Company
• Integrity Technology Group (Flax Typhoon)
• Yin Kecheng, Sichuan Juxinhe Network Technology
• Zhou Shuai, Shanghai Heiying Information Technology

Law Enforcement:

• January 2024: FBI disrupted Volt Typhoon’s KV Botnet
• September 2024: U.S. seized Flax Typhoon botnet
• $10 million bounty for Salt Typhoon information

Policy Shifts:

• RSA 2025 keynote: “If you come and do this to us, we’ll punch back”
• “Defend forward” posture under consideration
• Increased coordination between intelligence and private sector

What’s Missing

Critics note that despite years of activity, responses remain largely reactive:

• No demonstrated offensive consequences for attackers
• Limited legal authority for preemptive action
• Inconsistent patching across critical infrastructure
• No mandatory security standards for utilities

Chinese Denials

Beijing maintains its standard position:

• Foreign Ministry: China “stands against hacking and fights such activities in accordance with the law”
• State media: Volt Typhoon is a “misinformation campaign by U.S. intelligence agencies”
• Embassy statements: “unfounded and irresponsible smears and slanders”

The leaked Expedition Cloud documents make these denials increasingly difficult to sustain.

The Bottom Line

The Expedition Cloud leak confirms what U.S. intelligence has warned for years: China is systematically preparing for cyber warfare against critical infrastructure. The Typhoon campaigns demonstrate that this preparation has already translated into action—persistent access established across power grids, telecommunications, water systems, and transportation networks.

This isn’t cybercrime. It isn’t traditional espionage. It’s preparation for conflict, conducted in peacetime, against civilian infrastructure.

Key Statistics:

Metric	Value
Volt Typhoon compromises	100+ confirmed
Salt Typhoon victims	200+ across 80 countries
Longest persistence	5+ years
Taiwan daily intrusion attempts	2.63 million
FBI bounty	$10 million
Expedition Cloud capacity	300 users, 10K connections

The cyber conflict is already underway. The only question is when—or if—it escalates from preparation to destruction.

---

Sources

• Recorded Future News - Expedition Cloud leak analysis
• McCrary Institute - “Code Red” Typhoon campaign report
• U.S.-China Economic and Security Review Commission - 2025 Annual Report
• Taiwan National Security Bureau - 2025 cyber threat analysis
• Dragos - Volt Typhoon incident response case studies
• CISA/NSA/FBI - Joint advisories on Typhoon actors

---

For real-time updates on nation-state cyber threats, follow @breaboredcompany on X.