Pierluigi Paganini
February 24, 2025
SentinelLABS researchers analyzed a data leak that suggests that the Chinese cybersecurity firm TopSec offers censorship-as-a-service services. The origin of the data leak is unclear, the leak is large and inconsistently formatted, complicating the full analysis. TopSec was founded in 1995, it offers cybersecurity services such as Endpoint Detection and Response (EDR) and vulnerability scanning, along with “boutique” solutions to align with government initiatives and intelligence requirements.
TopSec is also a Tier 1 vulnerability supplier for China’s intelligence ministry and has provided cloud and IT security monitoring services nationwide since 2004.
The company provided monitoring services to a state-owned enterprise facing a corruption scandal.
The data leak includes infrastructure details and work logs from employees of a state-affiliated private sector security firm in China. The leak includes work logs, DevOps commands, API data, and network configs with hardcoded credentials, posing security risks to TopSec and its customers.
Some documents detail the use of web content monitoring services to enforce censorship for public and private sector customers.
“The data leak includes a document with 7,000+ lines of work logs and code used to orchestrate infrastructure for the firm’s DevOps practices and downstream customers and includes scripts that connect to several Chinese government hostnames, academic institutions and news sites.” reads the report published by SentinelLabs. “We identified work logs and system features that indicate TopSec is likely enabling content moderation for internet censorship purposes, a key strategy used by the Chinese Communist Party (CCP) to monitor and control public opinion on issues that the state deems contentious or antisocial.”
The leaked documents show that TopSec worked on projects for China’s Ministry of Public Security in Dandong, Songjiang, and Pudong, including a “Cloud Monitoring Service Project” in Shanghai.
The leaked TopSec data reveals infrastructure management code, network probes, and work logs referencing a specific censorship tool called Sparta. Sparta, migrated from Apollo-GraphQL, processes Chinese-language content via GraphQL APIs. Severe monitoring events are flagged and shared on WeChat for internal handling, raising privacy concerns due to China’s cybersecurity laws.
The tool allows operators to find hidden links in web content, identifying content related to political criticism, violence, or pornography. The operators can filter the content by searching for sensitive words.
A leaked document from September 2023 shows tasks related to sensitive word detection and forwarding asset identifiers to Zhao Nannan, linked to political events in Shanghai. Zhao, previously at the Ministry of Public Security, later worked at Shanghai SASAC, where she received alerts about sensitive content on the same day a corruption investigation involving the head of the Shanghai SASAC, Bai Tinghui, was announced.
News of Shanghai official Bai Tinghui’s corruption investigation was covered by major outlets and confirmed by the government. The Shanghai SASAC, where Zhao Nannan worked, posted the news on WeChat without censorship, raising questions about the “validated events” reported to her. Interestingly, the Shanghai Municipal Commission for Discipline Inspection, involved in the investigation, is listed as a TopSec customer. This highlights the role of cybersecurity firms like TopSec in managing politically sensitive content in China.
“These leaks yield insight into the complex ecosystem of relationships between government entities and China’s private sector cybersecurity companies.” concludes the report.”The September 2023 situation in Shanghai provides insight into how local and national government interests are enforced through private sector partnerships. The CCP’s strategy of controlling information is multifaceted and requires significant investment in resources that enable the monitoring and alteration of content that citizens engage with. While there are still many unknown factors regarding how such censorship is applied, these findings yield insights into how collaboration occurs between the government and other entities in China.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, China)
