Great Firewall of China Leak: digest and dumps
There has been a really crazy set of events over the last few weeks, and two days ago a data store of about 500-600GB was “leaked”. It reveals a lot about the internal workings, organizational structure, and likely protocol-level engineering details of China and its companies that sell surveillance systems and censorship technologies, and exactly how all of these pieces interact and work together.
Understanding of the material is only just beginning, but this site (https://gfw.report), and the folks working around it, will be a better long-term source than anything I have here.
For now, though, here are some pretty cool initial details I dug into, specific to one company used to do business in other countries and to implement these systems for other nation states.
The biggest fallout will be lost business from those and other clients, which means a massive loss of both global surveillance reach and revenue.
Here’s what I’ve distilled regarding the Geedge ecosystem of products and interactions:
The Geedge platform is a modular system, with several core components working in concert to achieve total information control.
1. Tiangou Secure Gateway (TSG): The Core Firewall
This is the workhorse of the operation. The TSG is a multi-purpose gateway handling the heavy lifting of Deep Packet Inspection (DPI), VPN detection, traffic throttling, and user monitoring. It runs a custom Red Hat-based OS and bypasses the standard Linux kernel network stack using DPDK for high-speed packet processing, which lets it operate at national ISP scale.
2. TSG Galaxy: The Surveillance Data Warehouse
Think of this as the system's brain and long-term memory. TSG Galaxy is a massive ETL data warehouse built on Apache Kafka, designed to ingest and store metadata on a national scale. It collects records of all TCP/UDP sessions, VoIP calls, DNS queries, and TLS/QUIC metadata (like SNI). Using connection fingerprinting (e.g., JA3 hashes), it identifies user applications and links this network activity directly to individual subscribers via ISP data like IP addresses, IMEI, and IMSI numbers.
3. Cyber Narrator: The User-Friendly Face of Mass Surveillance
This is the slick, web-based UI for government operators. Cyber Narrator allows non-technical users to query the vast dataset in TSG Galaxy. Its capabilities are extensive: blocking services, identifying users who accessed specific content (even retroactively), and performing real-time geographic tracking of mobile subscribers by correlating network activity with cell tower IDs.
4. Network Zodiac (Nezha): The High-Risk Monitoring System
While seemingly a simple Grafana-like monitoring dashboard for the Geedge components, Network Zodiac contains a critical flaw by design. It features an integrated web terminal that gives administrators remote SSH access to any monitored endpoint. This creates an enormous single point of failure; compromising a single Network Zodiac host could grant an attacker keys to an entire country's security infrastructure.
5. Sanity Directory (SAN): The Identity Linker
This is arguably the most invasive component. SAN integrates the TSG directly with an ISP’s core authentication protocols (RADIUS, 3GPP). Its primary function is to attribute all traffic flows to a specific SIM card. In countries like Pakistan, where SIM cards are linked to biometric national ID databases, this creates a comprehensive, un-anonymized record of a citizen's every digital move.
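To make concrete how the connection fingerprinting that TSG Galaxy is described as using works: JA3 hashes only the parameters a client advertises in its TLS ClientHello, so every client built on the same TLS stack yields the same fingerprint regardless of the site it visits, which is why it identifies applications rather than destinations. The example below is added here and is not code from the leak or from Geedge; it builds a constructed ClientHello (made-up hostname and cipher list), then derives the JA3 string and MD5 from it, skipping GREASE values as the public JA3 implementation does.

```python
import hashlib
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}            # RFC 8701 values; JA3 skips them
be16 = lambda n: n.to_bytes(2, "big")                          # uint16 -> big-endian bytes
u16 = lambda b, i: int.from_bytes(b[i:i + 2], "big")          # big-endian uint16 at offset i
words = lambda b: [u16(b, i) for i in range(0, len(b), 2)]    # byte string -> list of uint16

def build_client_hello(version, ciphers, extensions):
    """Build a minimal TLS ClientHello record from constructed fields; extensions = [(type, payload)]."""
    ext_blob = b"".join(be16(t) + be16(len(p)) + p for t, p in extensions)
    body = be16(version) + bytes(32) + b"\x00"                 # legacy_version, random, empty session id
    body += be16(2 * len(ciphers)) + b"".join(map(be16, ciphers))
    body += b"\x01\x00"                                        # one compression method: null
    body += be16(len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + be16(len(handshake)) + handshake  # record type 22 (handshake)

def ja3(record):
    """Return (ja3_string, ja3_md5); fields: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    version = u16(record, 9)                                   # after 5-byte record + 4-byte handshake header
    pos = 43 + 1 + record[43]                                  # skip version, random, session id
    n = u16(record, pos)
    ciphers = [c for c in words(record[pos + 2:pos + 2 + n]) if c not in GREASE]
    pos += 2 + n
    pos += 1 + record[pos]                                     # skip compression methods
    pos, ext_end = pos + 2, pos + 2 + u16(record, pos)
    exts, curves, formats = [], [], []
    while pos < ext_end:
        t, length = u16(record, pos), u16(record, pos + 2)
        payload = record[pos + 4:pos + 4 + length]
        pos += 4 + length
        if t in GREASE:
            continue
        exts.append(t)
        if t == 0x000a:                                        # supported_groups
            curves = [g for g in words(payload[2:2 + u16(payload, 0)]) if g not in GREASE]
        elif t == 0x000b:                                      # ec_point_formats
            formats = list(payload[1:1 + payload[0]])
    dash = lambda xs: "-".join(map(str, xs))
    s = ",".join([str(version), dash(ciphers), dash(exts), dash(curves), dash(formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def sample_hello():
    """Constructed ClientHello of a TLS 1.3-capable client, with GREASE values mixed in (not a capture)."""
    sni = be16(14) + b"\x00" + be16(11) + b"example.com"
    groups = be16(6) + b"".join(map(be16, [0x001d, 0x0017, 0x1a1a]))
    exts = [(0x2a2a, b""), (0x0000, sni), (0x000a, groups), (0x000b, b"\x01\x00"), (0x002b, b"\x03\x02\x03\x04")]
    return build_client_hello(0x0303, [0x1301, 0x1302, 0xc02b, 0x2a2a], exts)
```

Note that the SNI payload never enters the string: the fingerprint would be identical for any hostname, which is exactly what lets a classifier tie flows to an application rather than to a destination.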
Under the Hood: Key Capabilities and Attack Vectors
Geedge's power lies in its advanced, multi-layered capabilities that create a formidable barrier to internet freedom.
• Advanced VPN & Circumvention Blocking: Geedge doesn't just rely on IP blocklists. The company actively reverse-engineers circumvention tools by maintaining paid VPN accounts and operating a mobile device farm to analyze network traffic. This data feeds a fingerprinting database (AppSketch) used to identify and block specific services. In a particularly insidious technique, the system can identify "known VPN users" and monitor their traffic to discover and subsequently block new VPN endpoints they switch to.
• Throttling and Traffic Shaping: The system can surgically degrade the performance of specific services or applications using traffic shaping and DSCP marking, making services unusable without blocking them entirely.
• In-Path Injection and Modification: The TSG can perform real-time modification of unencrypted HTTP traffic, including injecting scripts, altering text, or serving fake redirect responses. More alarmingly, it has a built-in capability to inject malware into a wide range of file types (APKs, EXEs, DMGs, office documents) as they are being downloaded by a target.
• From Defense to Offense: The "DLL Active Defence" System: In a stunning ethical breach for a "cybersecurity" company, Geedge offers what is essentially a DDoS-for-hire platform. This system recruits the computers of unsuspecting internet users into a botnet by using the TSG's injection capabilities. It then uses this botnet to launch DDoS attacks against politically inconvenient websites, functioning similarly to China's infamous Great Cannon.
Deployment Strategies: The Tell-Tale Signs of a Shutdown
Geedge systems are deployed in two modes, and the switch between them is a critical indicator for analysts.
• Mirrored Mode (Passive Surveillance): Traffic is copied to the Geedge system via a network tap. This allows for comprehensive surveillance without impacting network speed or reliability, but it cannot actively block traffic flows.
• In-line Mode (Active Blocking): All traffic is forced to pass through the Geedge appliance. This provides granular control to block specific traffic but introduces latency and reduces network quality. The leak confirms a direct correlation: governments switching their Geedge deployments from mirrored to in-line mode are often preparing for targeted service blocking or a full internet shutdown.
Some Other Key Takeaways
The Geedge Networks leak is more than just a data breach; it's a stark look into the future of state-sponsored digital control.
1. The Arms Race Has Escalated: State-level actors are no longer just blocking IPs. They are actively reverse-engineering tools, using machine learning on encrypted traffic, and developing sophisticated fingerprinting to defeat circumvention. Flagging any "unidentifiable high-bandwidth flow" as suspicious is a powerful generic defense against future tools.
2. Anonymity is an Illusion: The ability to link network data to biometric IDs via SIM cards effectively eliminates online anonymity, creating profound risks for activists, journalists, and ordinary citizens.
3. OpSec is Paramount: For individuals in these regions, the stakes are higher than ever. The system's ability to build comprehensive user profiles (location history, social graphs, browsing habits) means that multi-layered operational security is not optional—it's essential for survival.
4. The Blurring Line Between Cybersecurity and Cybercrime: A state contractor selling a tool that weaponizes a nation's citizens to launch DDoS attacks represents a dangerous new frontier, fundamentally undermining the principles of a secure and open internet.