A hacker group calling itself FlamingChina has claimed responsibility for the theft of over 10 petabytes of sensitive data from China's National Supercomputing Center in Tianjin, one of the country's most critical high-performance computing facilities. The breach, corroborated by multiple international outlets including TechRadar, NDTV, and Der Spiegel, is believed to be the largest known data leak in Chinese history. The group is now attempting to sell the dataset for cryptocurrency.
What Happened
FlamingChina gained access to the Tianjin supercomputing facility, which supports over 6,000 institutions involved in advanced science and defense research. The group claims to have maintained persistent access for months, extracting data gradually before going public on April 9, 2026. Sample data shared online has been reviewed by cybersecurity experts who say it appears credible and consistent with what would be stored at such a facility. Full verification remains ongoing.
What Was Taken
The alleged dataset exceeds 10 petabytes, roughly equivalent to the combined storage of 10,000 high-end laptops. Reported contents include:
- Documents marked as classified or secret
- Missile and bomb schematics
- Aerospace and aviation research data
- Bioinformatics datasets
- Fusion technology simulation data
- Technical engineering files and animated simulations
Organizations reportedly affected include the Aviation Industry Corporation of China, the Commercial Aircraft Corporation of China, and the National University of Defense Technology.
Why It Matters
This breach represents a significant exposure of military and advanced research data from a nation-state supercomputing facility. For the global defense and intelligence community, the implications are severe: weapons systems schematics, aerospace research, and classified defense documents potentially entering the open market or falling into adversarial hands. The incident also signals that even heavily resourced state infrastructure remains vulnerable to prolonged intrusions. Defenders across critical infrastructure sectors should treat this as a warning that high-performance computing environments are high-value targets requiring commensurate security investment.
The Attack Technique
Initial analysis indicates the attacker gained entry through a compromised VPN domain associated with the facility. Once inside the network, FlamingChina reportedly deployed a botnet to automate and distribute the data extraction process, allowing the group to siphon petabytes of data over an extended period without triggering volume-based detection thresholds. The prolonged dwell time suggests gaps in network monitoring, lateral movement detection, and data loss prevention controls.
What Organizations Should Do
- Audit VPN infrastructure. Review all VPN endpoints for known vulnerabilities, enforce multi-factor authentication, and monitor for anomalous connection patterns.
- Implement data loss prevention at scale. Deploy DLP solutions capable of detecting sustained, high-volume data exfiltration, not just single large transfers.
- Monitor for botnet indicators. Watch for signs of automated tooling within internal networks, including unusual process creation, scheduled tasks, and command-and-control traffic patterns.
- Segment high-value research environments. Isolate systems hosting classified or sensitive research data from general-purpose network segments.
- Reduce dwell time with threat hunting. Conduct proactive threat hunts focused on long-duration access patterns, especially in environments supporting defense or national security research.
- Review credential hygiene. Rotate credentials for all systems connected to high-performance computing infrastructure and audit for reused or compromised passwords.
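The attack technique and the DLP recommendation above both turn on the gap between per-transfer volume alerts and sustained, distributed egress. The following detection sketch is an added example, not code from the article or from any named product; the flow records, host names, and all thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

GB = 10**9
# All thresholds are assumed values for illustration, not from the article.
SINGLE_TRANSFER_LIMIT = 50 * GB   # classic per-transfer volume alert
WINDOW_DAYS = 7                   # rolling window length
HOST_WINDOW_LIMIT = 100 * GB      # per-host egress budget across the window
SEGMENT_WINDOW_LIMIT = 500 * GB   # egress budget for the whole research segment

def make_flows():
    """Constructed sample egress records: (day, internal_host, bytes_out)."""
    flows = []
    for day in range(14):
        for n in range(8):                       # 8 nodes, 20 GB/day each
            flows.append((day, f"hpc-node-{n}", 20 * GB))
        flows.append((day, "build-01", 2 * GB))  # ordinary background traffic
    flows.append((3, "backup-01", 60 * GB))      # one large one-off transfer
    return flows

def single_transfer_alerts(flows):
    """Hosts with any single transfer above the per-transfer limit."""
    return sorted({host for _, host, b in flows if b > SINGLE_TRANSFER_LIMIT})

def rolling_alerts(flows):
    """Return ({host: first day over host budget}, first day segment is over)."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, host, b in flows:
        per_day[day][host] += b
    window, host_first, segment_first = deque(), {}, None
    for day in sorted(per_day):
        window.append((day, per_day[day]))
        while window[0][0] <= day - WINDOW_DAYS:  # drop days outside the window
            window.popleft()
        totals = defaultdict(int)
        for _, hosts in window:
            for host, b in hosts.items():
                totals[host] += b
        for host, b in totals.items():
            if b > HOST_WINDOW_LIMIT:
                host_first.setdefault(host, day)
        if segment_first is None and sum(totals.values()) > SEGMENT_WINDOW_LIMIT:
            segment_first = day
    return host_first, segment_first

if __name__ == "__main__":
    flows = make_flows()
    print("per-transfer alerts:", single_transfer_alerts(flows))
    print("rolling alerts:", rolling_alerts(flows))
```

On this sample the per-transfer rule flags only the one-off backup, while the segment-wide rolling total trips before any single node exceeds its own budget.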
Sources: China Hit by 10PB Data Breach at Supercomputing Center