Inside Expedition Cloud: Leaked Documents Reveal Chinaโ€™s Secret Platform for Rehearsing Attacks on Critical Infrastructure

Leaked technical documents expose a Chinese government cyber range designed to practice attacks against foreign power grids, telecoms, and transportation systems. This isnโ€™t preparation for defenseโ€”itโ€™s rehearsal for war.

The Leak That Exposed Everything

In February 2026, security researchers discovered something extraordinary on an unsecured FTP server: thousands of documents from a personal device belonging to a developer at Chinese cybersecurity company CyberPeace (่ต›ๅฎ็ฝ‘ๅฎ‰, Nanjing Saining Network Technologies). The device had been infected with malware, and its contents had been quietly exfiltrated to an accessible server.

Among the leaked files: source code, training materials, engineering documentation, and system architecture blueprints for a classified platform called โ€œExpedition Cloudโ€ (่ฟœๅพไบ‘)โ€”a sophisticated cyber range designed to let Chinese operatives practice hacking replicas of foreign critical infrastructure.

โ€œThis is a first,โ€ said Dakota Cary of SentinelOne. โ€œItโ€™s not just developing a cyber range for the state, this is mimicking critical infrastructure. This was created to meet the needs of a state customer.โ€

That customer? The Ministry of Public Securityโ€”Chinaโ€™s primary internal security agency.

What Is Expedition Cloud?

Expedition Cloud is a large-scale cyber training platform that allows Chinese hackers to practice attacks against virtualized replicas of real foreign networks. Unlike defensive cyber ranges used for training security personnel, Expedition Cloud is explicitly designed for offensive operations.

Technical Specifications

According to leaked documentation:

CapabilitySpecification
User Capacity300 concurrent users
Connection Capacity10,000 simultaneous connections
DNS Gateway Database100 million URL entries
Worker Nodes200+ globally distributed
Team StructureReconnaissance groups + Attack groups

Target Profiles

The documents describe training environments that replicate โ€œthe real network environmentsโ€ of Chinaโ€™s โ€œmain operational opponents in the South China Sea and Indochina directionsโ€โ€”meaning Vietnam, the Philippines, Malaysia, Brunei, Taiwan, and other regional nations.

Sector templates include:

  • Power grids and energy transmission networks
  • Telecommunications infrastructure
  • Transportation systems
  • Smart home/IoT infrastructure

Vendor-specific targets:

  • Cisco
  • Fortinet
  • WatchGuard
  • Juniper

Operational Security

Expedition Cloud incorporates sophisticated measures to avoid attribution:

  • Physical and logical isolation between training and operational networks
  • โ€œOptical gatesโ€โ€”unidirectional data flow devices preventing information leakage
  • 200+ globally distributed โ€œworker nodesโ€ using three encrypted protocols
  • โ€œIndependent, private anti-piracy routesโ€ designed to prevent tracking

โ€œThis is basically indicating that they are using something that is classified, or some operational tools,โ€ noted Allar Vallaots of CR14, who helps run NATOโ€™s Locked Shields exercise. โ€œThey are rehearsing here more than training.โ€

The AI Factor

Perhaps most concerning is Expedition Cloudโ€™s data collection architecture. The platform records every action taken during exercises:

  • Network traffic patterns
  • System activity logs
  • Operator decisions and timing
  • Attack methodology effectiveness

This comprehensive logging enables comparison of different attack methods and optimization of techniques. But it also provides training data for something else: artificial intelligence.

โ€œIf you can measure all the different parameters within an attack, then you train the attacks,โ€ Vallaots explained. โ€œAI can find paths, bottlenecks, other ideas, much faster than a humanโ€ฆ Whoever possesses the better AI wins.โ€

The implication is chilling: China may be developing AI systems capable of autonomously identifying and exploiting vulnerabilities in critical infrastructure.

The Typhoon Campaigns: Rehearsal Becomes Reality

Expedition Cloud doesnโ€™t exist in isolation. Itโ€™s the training ground for a family of threat actorsโ€”collectively known as the โ€œTyphoonsโ€โ€”who are already inside American critical infrastructure.

Volt Typhoon: Pre-Positioned for Destruction

Aliases: VANGUARD PANDA, BRONZE SILHOUETTE, Insidious Taurus, VOLTZITE

Attribution: Peopleโ€™s Liberation Army Cyberspace Force

Mission: Pre-positioning in U.S. critical infrastructure for potential destructive attacks during a Taiwan conflict

Confirmed Compromises:

  • 100+ U.S. critical infrastructure organizations
  • Littleton Electric Light & Water Department (Massachusetts): 10 months undetected access, exfiltrated grid operating procedures
  • Guam power authority: Strategic location for Taiwan defense
  • Major U.S. cell carriers
  • Federal defense networks

Dwell Time: Up to 5+ years in some networks without triggering any destructive action

Lt. Gen. Thomas Hensley of the 16th Air Force characterized the threat: โ€œIf we find ourselves in a conflict with China and they execute destructive cyberattacks against our critical infrastructure in the United States, that is total war in my definitionโ€ฆ using the cyber domain to execute a counter-value attack against the U.S. population.โ€

Salt Typhoon: Telecommunications Penetration

Attribution: Ministry of State Security (MSS)

Mission: Cyber espionage focused on counterintelligence targets

Scale:

  • 9 confirmed U.S. telecommunications companies
  • 200+ targets across 80 countries
  • 1+ million usersโ€™ communications metadata
  • Access to FBI wiretap (CALEA) systems
  • Trump, Vance, and Harris campaign phones compromised

Flax Typhoon: The Botnet Builders

Attribution: MSS-linked, operated through Integrity Technology Group

Mission: Building botnets from compromised IoT devices; targeting Taiwan

Scale: Hundreds of thousands of hijacked devices before FBI disruption

The Typhoon Ecosystem

GroupPrimary TargetAgencyStatus
Volt TyphoonCritical InfrastructurePLAActive, pre-positioned
Salt TyphoonTelecommunicationsMSSActive, partially remediated
Flax TyphoonTaiwan, IoT botnetsMSSDisrupted September 2024
Silk TyphoonGovernment agenciesMSSActive
Linen TyphoonVariousUnknownActive
Violet TyphoonVariousUnknownActive

Living Off the Land: Why Detection Fails

The Typhoon actors share a distinctive operational approach: Living Off the Land (LOTL). Rather than deploying custom malware that security tools might detect, they use legitimate administrative tools already present on target systems:

  • wmic (Windows Management Instrumentation)
  • ntdsutil (Active Directory maintenance)
  • netsh (Network configuration)
  • PowerShell (Scripting and automation)

These are tools that system administrators use daily. When a Typhoon operator runs PowerShell to enumerate network shares, it looks identical to a legitimate administrator doing their job.

โ€œTraditional signature-based detection is ineffective,โ€ one incident responder explained. โ€œThese arenโ€™t foreign executables tripping antivirus. Theyโ€™re native Windows commands executed by what appears to be an authorized user.โ€

Initial Access Methods

The Typhoon groups favor exploiting internet-facing devices:

  • VPN appliances
  • Firewalls
  • Routers
  • Edge security devices

Many compromised devices were:

  • Running outdated firmware
  • Missing critical security patches
  • Using default or weak credentials
  • End-of-life products no longer receiving updates

The Taiwan Connection

U.S. officials believe the ultimate purpose of these operations is preparation for a potential conflict over Taiwan. The year 2027 is frequently cited as a pivotal date for possible Chinese military action.

Strategic Logic

In any Taiwan conflict, the United States would likely attempt to:

  • Deploy naval forces to the region
  • Reinforce allies in Japan, the Philippines, and elsewhere
  • Coordinate logistics through Pacific bases (especially Guam)
  • Communicate strategy through government networks

By pre-positioning in U.S. critical infrastructure, China could:

  • Disrupt power to military installations and logistics hubs
  • Cripple communications by attacking telecommunications
  • Slow mobilization by targeting transportation systems
  • Create domestic chaos to divide American attention

The โ€œTacit Admissionโ€

At a 2024 diplomatic meeting, Chinese officials made remarks that U.S. counterparts interpreted as โ€œa tacit admission and a warning to the U.S. about Taiwan.โ€ The message was clear: these capabilities exist, and they would be used.

The Hardware Problem

The threat extends beyond software. Multiple independent analyses have identified undocumented communication modules embedded in Chinese-manufactured equipment:

  • Solar inverters with hidden cellular radios
  • Battery storage systems with unexplained network capabilities
  • Smart grid components with undisclosed communication features

The 2025 U.S.-China Economic and Security Review Commission report recommended:

  • Stronger procurement safeguards
  • National testing requirements for foreign OT devices
  • Mandatory Software/Firmware/Hardware Bills of Materials (SBOM/FBOM/HBOM)
  • Forensic evaluation of field-deployed Chinese components

What Defenders Should Do

Immediate Priorities

1. Edge Device Hygiene

  • Inventory all internet-facing devices
  • Patch VPNs, firewalls, and routers immediately
  • Replace end-of-life equipment
  • Audit for default credentials

2. Network Segmentation

  • Isolate OT/ICS networks from IT systems
  • Implement strict firewall rules between segments
  • Deploy unidirectional security gateways where feasible

3. Behavioral Monitoring

  • Donโ€™t rely on signatures; look for anomalies
  • Monitor administrative tool usage patterns
  • Alert on unusual lateral movement
  • Baseline normal traffic and investigate deviations

4. Supply Chain Review

  • Audit Chinese-manufactured OT components
  • Evaluate firmware update mechanisms
  • Consider component replacement for high-risk systems

Detection Indicators

Watch for:

  • Unexpected administrative tool usage outside business hours
  • Large data transfers from OT segments
  • New scheduled tasks or services on critical systems
  • Configuration changes to network devices without change tickets
  • Connections to unusual IP ranges or countries

The U.S. Response

Government Actions

Sanctions (2024-2025):

  • Sichuan Silence Information Technology Company
  • Integrity Technology Group (Flax Typhoon)
  • Yin Kecheng, Sichuan Juxinhe Network Technology
  • Zhou Shuai, Shanghai Heiying Information Technology

Law Enforcement:

  • January 2024: FBI disrupted Volt Typhoonโ€™s KV Botnet
  • September 2024: U.S. seized Flax Typhoon botnet
  • $10 million bounty for Salt Typhoon information

Policy Shifts:

  • RSA 2025 keynote: โ€œIf you come and do this to us, weโ€™ll punch backโ€
  • โ€œDefend forwardโ€ posture under consideration
  • Increased coordination between intelligence and private sector

Whatโ€™s Missing

Critics note that despite years of activity, responses remain largely reactive:

  • No demonstrated offensive consequences for attackers
  • Limited legal authority for preemptive action
  • Inconsistent patching across critical infrastructure
  • No mandatory security standards for utilities

Chinese Denials

Beijing maintains its standard position:

  • Foreign Ministry: China โ€œstands against hacking and fights such activities in accordance with the lawโ€
  • State media: Volt Typhoon is a โ€œmisinformation campaign by U.S. intelligence agenciesโ€
  • Embassy statements: โ€œunfounded and irresponsible smears and slandersโ€

The leaked Expedition Cloud documents make these denials increasingly difficult to sustain.

The Bottom Line

The Expedition Cloud leak confirms what U.S. intelligence has warned for years: China is systematically preparing for cyber warfare against critical infrastructure. The Typhoon campaigns demonstrate that this preparation has already translated into actionโ€”persistent access established across power grids, telecommunications, water systems, and transportation networks.

This isnโ€™t cybercrime. It isnโ€™t traditional espionage. Itโ€™s preparation for conflict, conducted in peacetime, against civilian infrastructure.

Key Statistics:

MetricValue
Volt Typhoon compromises100+ confirmed
Salt Typhoon victims200+ across 80 countries
Longest persistence5+ years
Taiwan daily intrusion attempts2.63 million
FBI bounty$10 million
Expedition Cloud capacity300 users, 10K connections

The cyber conflict is already underway. The only question is whenโ€”or ifโ€”it escalates from preparation to destruction.

Sources

  • Recorded Future News - Expedition Cloud leak analysis
  • McCrary Institute - โ€œCode Redโ€ Typhoon campaign report
  • U.S.-China Economic and Security Review Commission - 2025 Annual Report
  • Taiwan National Security Bureau - 2025 cyber threat analysis
  • Dragos - Volt Typhoon incident response case studies
  • CISA/NSA/FBI - Joint advisories on Typhoon actors

For real-time updates on nation-state cyber threats, follow @breaboredcompany on X.