A threat actor operating under the alias FlamingChina has allegedly exfiltrated up to 10 petabytes of sensitive military research data from China's National Supercomputing Center of Tianjin, according to CNN reporting citing cybersecurity experts tracking China-focused threat activity. The stolen trove spans aerospace engineering, missile development, bioinformatics, and fusion simulation research, with a sample already advertised on Telegram.
What Happened
The National Supercomputing Center of Tianjin, established in 2009 at the National University of Defense Technology and once ranked first on the global TOP500 list in 2010, was reportedly compromised over a six-month exfiltration campaign. The attacker gained entry through a compromised VPN domain, then deployed a botnet to systematically harvest, download, and stage the massive dataset outside the facility. A sample of the stolen data surfaced in February on Telegram under the handle FlamingChina, which has since been marketing preview access for several thousand dollars and offering the complete archive to prospective buyers.
What Was Taken
FlamingChina claims the haul totals roughly 10 petabytes of intellectual property tied to Chinese state defense programs. Advertised categories include:
- Military research files and missile development programs
- Aerospace engineering data tied to entities such as AVIC and COMAC
- Bioinformatics datasets
- Nuclear fusion simulation workloads
- Academic and applied research from Northwestern Polytechnical University and Huazhong University of Science and Technology
If the volume claim is accurate, this would represent one of the largest single-incident exfiltrations of state-backed research data ever publicly disclosed.
Why It Matters
This incident is significant regardless of which side of the geopolitical line defenders sit on. First, it demonstrates that high-performance computing environments, often hardened against intrusion but weakly monitored for data egress, remain viable targets for long-dwell operations. Second, the six-month exfiltration window underscores how VPN-edge compromises can translate directly into strategic-scale data loss when outbound traffic inspection is inadequate. Third, the public Telegram sale mirrors a broader trend of state-originated data landing in criminal marketplaces, blurring the line between espionage and cybercrime monetization.
The Attack Technique
Per the reporting, the initial access vector was a compromised VPN domain serving the facility's remote access infrastructure. Once inside, the attacker reportedly stood up a botnet within the environment to parallelize extraction and download operations, allowing sustained, distributed egress over approximately six months without triggering detection or a response. The use of internal botnet nodes for exfiltration is consistent with living-off-the-land and distributed-tasking patterns designed to blend with legitimate HPC job scheduling and data movement activity.
What Organizations Should Do
- Audit VPN and remote access gateways for exposed management interfaces, unpatched appliances, and credential reuse; enforce phishing-resistant MFA on every remote entry point.
- Deploy egress monitoring and anomaly detection tuned for sustained, low-and-slow data transfers, not just burst exfiltration, on any environment storing research or regulated IP.
- Segment HPC and research clusters from general enterprise networks, and restrict outbound internet reachability from compute nodes to explicit allowlists.
- Hunt for internal botnet behavior: unexpected lateral SSH, unauthorized scheduler jobs, and compute nodes initiating outbound connections to non-research destinations.
- Inventory and classify research datasets by sensitivity, and apply DLP controls at storage and transit layers for crown-jewel corpora.
- Monitor Telegram and underground markets for brand, project, and researcher mentions to catch downstream exposure before adversaries or regulators do.
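One way to implement the two egress checks above (sustained low-and-slow transfers, and compute nodes reaching destinations outside a research allowlist), as an added example that is not from the article or from any facility's tooling; the flow records, host names, destinations and the allowlist are constructed, and the thresholds are illustrative assumptions:

```python
"""Flag sustained low-and-slow egress and off-allowlist destinations from HPC nodes.

Each flow record is (day, src_host, dst, bytes_out), as a netflow/sflow
collector might summarise it per day. Everything here is constructed
sample data; the allowlist and thresholds are assumptions to tune per site.
"""
from collections import defaultdict

# Hypothetical allowlist of legitimate research/data-transfer destinations.
ALLOWED_DST = {"mirror.research.example", "collab-hpc.example"}

# Constructed flows: node-07 trickles 2 GB/day to an unlisted host for ten
# days (never a burst, 20 GB in total); node-03 does one large transfer to an
# allowlisted mirror; node-12 touches an unlisted host once, briefly.
SAMPLE_FLOWS = [(d, "node-07", "203.0.113.9", 2_000_000_000) for d in range(1, 11)]
SAMPLE_FLOWS += [
    (1, "node-03", "mirror.research.example", 50_000_000_000),
    (4, "node-12", "collab-hpc.example", 800_000_000),
    (5, "node-12", "198.51.100.77", 30_000_000),
]


def low_and_slow(flows, min_days=5, total_bytes=10_000_000_000):
    """Hosts whose non-allowlisted egress spans at least min_days distinct days
    and sums to at least total_bytes: the pattern a per-transfer burst alert misses."""
    days_seen = defaultdict(set)
    total_out = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if dst in ALLOWED_DST:
            continue  # sanctioned research traffic is not counted
        days_seen[src].add(day)
        total_out[src] += nbytes
    return sorted(h for h in total_out
                  if len(days_seen[h]) >= min_days and total_out[h] >= total_bytes)


def unlisted_destinations(flows):
    """Every (host, destination) pair where a compute node reached an address
    outside the research allowlist, regardless of volume; a hunt lead, not an alert."""
    return sorted({(src, dst) for _, src, dst, _ in flows if dst not in ALLOWED_DST})


if __name__ == "__main__":
    print("low-and-slow egress:", low_and_slow(SAMPLE_FLOWS))
    print("off-allowlist contacts:", unlisted_destinations(SAMPLE_FLOWS))
```

Aggregating across days is the key difference from burst alerting: node-07 never exceeds a daily threshold that node-03's sanctioned 50 GB transfer would trip, yet it is the host that matches the exfiltration pattern.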
Sources: Hacker Stole 10 Petabytes Of Military Research Data From Chinese Supercomputer