A Training Ground for Digital Warfare
Leaked technical documents have revealed the existence of "Expedition Cloud" — a Chinese cyber range platform specifically designed to let attackers practice hacking replicas of real network environments belonging to China's "main operational opponents in the South China Sea and Indochina directions."
The leak provides rare documentary evidence of a state-linked program where offensive cyber operators train against recreated versions of foreign critical infrastructure — power grids, energy transmission systems, transportation networks, and smart home infrastructure — before conducting real-world operations.
How the Leak Happened
The documents were discovered on an unsecured FTP server that had collected material from a personal device used by one of Expedition Cloud's developers. The device had been infected by malware — an ironic security failure for a company in the business of offensive cyber operations.
The cache includes:
- Source code for the Expedition Cloud platform
- Training documentation and operational procedures
- Software assets and configuration files
- Target network specifications for the simulated environments
Independent experts consulted by Recorded Future News have expressed high confidence in the authenticity of the files based on the volume, complexity, and variety of the technical documentation.
Platform Architecture
| Component | Purpose |
|---|---|
| Target Networks | Recreated computer networks from power, energy, transportation, and smart home sectors |
| Reconnaissance Groups | Teams that map and analyze target infrastructure |
| Attack Groups | Teams that execute offensive operations against the simulated targets |
| Defenders | None — no defensive role is defined in the platform |
The absence of a defensive component is telling. This is not a red team/blue team training exercise — it's a purely offensive simulation designed to rehearse attacks against specific foreign infrastructure.
The Developer: CyberPeace
The platform was developed by CyberPeace (Chinese: 赛宁网安), a company that openly celebrates extensive links to China's government and military on its website. CyberPeace specializes in cyber range technology and has participated in numerous government-sponsored cybersecurity competitions and training programs.
The connection between CyberPeace and the Chinese military establishment adds credibility to the assessment that Expedition Cloud is not merely an academic exercise but a mission-oriented training tool supporting real operational planning.
Target Geography
The leaked documents specifically reference:
- South China Sea direction — including nations like the Philippines, Vietnam, and Malaysia that have territorial disputes with China
- Indochina direction — encompassing mainland Southeast Asian nations
The simulated targets focus on sectors that would cause maximum disruption during a conflict:
- Power generation and distribution — Blackouts affecting civilian and military operations
- Energy transmission — Oil and gas pipeline control systems
- Transportation — Rail, aviation, and port management systems
- Smart infrastructure — IoT-connected systems in urban environments
Strategic Context
This leak arrives amid escalating tensions in the South China Sea and increased Chinese military activity near Taiwan. It corroborates what intelligence agencies have warned about for years: China is systematically preparing for potential cyber operations against its neighbors' critical infrastructure.
The documents complement previous revelations about Chinese cyber operations, including:
- Volt Typhoon — Chinese actors pre-positioning in US critical infrastructure (2023-2024)
- Salt Typhoon — Targeting telecommunications providers across multiple countries (2024-2025)
- UNC3886 — Compromising Southeast Asian telecom networks (2025-2026)
Expedition Cloud adds a new dimension: evidence of structured, repeatable training against specific national targets, suggesting these operations are not ad hoc but part of a systematic capability development program.
What This Means for Defenders
- Critical infrastructure operators in the Asia-Pacific region should assume they are active targets and review their security postures accordingly
- Network segmentation between OT and IT environments is critical — the leaked targets specifically reference operational technology systems
- Threat intelligence sharing between affected nations needs to accelerate
- The offensive-only nature of the training suggests China's cyber doctrine prioritizes first-strike capabilities over resilience