A threat actor operating under the handle "FlamingChina" claims to have breached China's state-run National Supercomputing Center (NSCC) in Tianjin, exfiltrating what they describe as over 10 petabytes of classified defense, aerospace, and military research data. Samples posted to Telegram on February 6, 2026, include documents marked "Secret" and missile schematics. Cybersecurity experts who reviewed the samples say the data appears genuine. The Chinese government has not acknowledged the incident.
What Happened
FlamingChina posted sample data to Telegram claiming a successful breach of the NSCC Tianjin, one of China's premier supercomputing facilities. The actor is offering partial data sets for thousands of dollars and full access for hundreds of thousands, payable in cryptocurrency. If confirmed at scale, this would represent the largest known breach of Chinese government infrastructure, dwarfing the 2021 incident that exposed personal data of up to one billion Chinese citizens (23 TB). The claimed 10 petabytes would be orders of magnitude larger.
What Was Taken
The alleged exfiltration includes research and classified documents spanning multiple sensitive domains:
- Aerospace engineering data from the Aviation Industry Corporation of China (AVIC) and the Commercial Aircraft Corporation of China (COMAC)
- Military research from the National University of Defense Technology
- Missile schematics and defense department documents marked as classified
- Fusion simulation research and bioinformatics data
- Over 10 petabytes (10,000 TB) of total data claimed
The breadth of organizations affected suggests the NSCC served as a centralized compute and storage hub for multiple defense and research entities, making it a high-value single point of compromise.
Why It Matters
This breach carries significant intelligence implications. As cybersecurity expert Marc Hofer noted, only nation-state intelligence agencies have the resources to process and exploit 10 petabytes of mixed classified data. The stolen information could provide adversaries with insight into China's missile programs, aerospace capabilities, and advanced research initiatives. However, cybersecurity consultant Dakota Cary offered a counterpoint: governments with mature intelligence programs may already possess much of this information through existing collection methods. Regardless of the intelligence value to foreign governments, the breach exposes a critical vulnerability in China's national research infrastructure and raises questions about centralized supercomputing security across all nations.
The Attack Technique
FlamingChina claims initial access was achieved through a VPN vulnerability at the NSCC. VPN exploitation remains one of the most common and effective initial access vectors, consistently ranking among the top entry points for both ransomware operators and state-sponsored actors. Supercomputing centers frequently maintain VPN access for remote researchers, creating a broad attack surface. The scale of the alleged exfiltration (10 PB) suggests either prolonged undetected access, insufficient data loss prevention controls, or both. The lack of detection over what would have been a significant data transfer raises serious questions about the NSCC's network monitoring capabilities.
What Organizations Should Do
Organizations operating high-performance computing environments or centralized research infrastructure should take the following defensive actions:
- Audit VPN infrastructure immediately. Ensure all VPN appliances are patched against known CVEs, particularly those from Ivanti, Fortinet, and Palo Alto that have been widely exploited over the past 18 months.
- Implement network segmentation. Classified and sensitive research data should not be accessible from the same network segment as general VPN access. Zero-trust architecture should govern access to high-value data stores.
- Deploy data loss prevention (DLP) at scale. Monitor for anomalous outbound data transfers, especially large-volume exfiltration patterns. A 10 PB transfer should trigger alerts in any properly instrumented environment.
- Enforce multi-factor authentication on all remote access. VPN access protected only by credentials is insufficient for environments housing classified data.
- Conduct threat hunting for long-dwell intrusions. Organizations with similar profiles should assume compromise and hunt for indicators of persistent access, particularly through VPN and remote access infrastructure.
- Review centralization risk. Any single facility serving as a compute hub for multiple classified programs represents an attractive target. Evaluate whether the security posture matches the aggregated sensitivity of the data it holds.
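The DLP and threat-hunting items above call for catching both a sudden bulk transfer and a long-dwell, low-and-slow one. The following is an added example, not from the source article or the affected organization: it checks per-host daily egress totals against two rules, and the hostnames, volumes, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

GB = 10**9
# Constructed daily egress totals per VPN-assigned host: (day, host, bytes_out).
# Hostnames and volumes are illustrative, not taken from the incident.
FLOWS = (
    [(d, "hpc-user-a", 2 * GB) for d in range(1, 15)]           # steady, benign
    + [(d, "hpc-user-b", 3 * GB) for d in range(1, 14)]
    + [(14, "hpc-user-b", 400 * GB)]                             # one-day bulk transfer
    + [(d, "hpc-user-c", 1 * GB) for d in range(1, 8)]
    + [(d, "hpc-user-c", 15 * GB) for d in range(8, 15)]         # low-and-slow drain
)

def detect(flows, spike_factor=20, window_days=7,
           window_budget=100 * GB, baseline_days=7):
    """Return {host: set of rule names} for hosts that trip either rule.

    spike:      one day's egress exceeds spike_factor x the host's baseline median.
    cumulative: egress summed over any window_days-long window exceeds window_budget.
    Thresholds are assumed values; tune them to the environment's real baselines.
    """
    per_host = defaultdict(dict)
    for day, host, nbytes in flows:
        per_host[host][day] = per_host[host].get(day, 0) + nbytes

    alerts = defaultdict(set)
    for host, days in per_host.items():
        ordered = sorted(days)
        # Baseline from the host's earliest observed days only.
        baseline = median(days[d] for d in ordered[:baseline_days])
        for d in ordered:
            if days[d] > spike_factor * baseline:
                alerts[host].add("spike")
            # Rolling sum over the window ending on day d.
            window = sum(v for k, v in days.items() if d - window_days < k <= d)
            if window > window_budget:
                alerts[host].add("cumulative")
    return dict(alerts)

if __name__ == "__main__":
    for host, rules in sorted(detect(FLOWS).items()):
        print(host, sorted(rules))
```

In this sample, hpc-user-c never exceeds the per-day spike threshold and is caught only by the cumulative window, which is the case a single-day volume alert misses.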
Broader Context
This incident fits a pattern of escalating cybersecurity failures within China's public and private sectors. The 2021 breach that exposed up to one billion citizens' personal data went unnoticed for over a year. China's 2025 National Security White Paper implicitly acknowledged these vulnerabilities. For the global threat landscape, this breach is a reminder that no nation is immune to large-scale compromise, and that centralized high-value targets demand security investment proportional to the data they aggregate.
Sources: China Just Allegedly Suffered The Biggest Hack In The Country's History