Beijing Zhidao Chuangyu Information Technology Co., Ltd. Breach Incident Score: Analysis & Impact (KNO5392653111425)

The Rankiteo video explains how the company Beijing Zhidao Chuangyu Information Technology Co., Ltd. has been impacted by a breach first detected on June 16, 2023.


Incident Summary

  • Rankiteo Incident Impact: -135
  • Company Score Before Incident: 756 / 1000
  • Company Score After Incident: 621 / 1000
  • Incident ID: KNO5392653111425
  • Type of Cyber Incident: Breach
  • Primary Vector: Insider Threat (suspected), Unauthorized Data Exposure (GitHub), Potential State-Sponsored Theft (2023)
  • Data Exposed: 95GB of Indian immigration records, 3TB of South Korean call logs (LG U Plus), 459GB of Taiwanese transport data, hacking tools (RATs, Android spyware, malicious power bank), list of 80 foreign organizations targeted (critical infrastructure), details of attacks on 20+ countries/regions
  • First Detected by Rankiteo: June 16, 2023
  • Last Updated Score: May 31, 2024


Key Highlights From This Incident Analysis

  • Timeline of Beijing Zhidao Chuangyu Information Technology Co., Ltd.'s breach and lateral movement inside the company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo's incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Beijing Zhidao Chuangyu Information Technology Co., Ltd.'s Rankiteo cyber score and cyber rating.
  • Rankiteo's MITRE ATT&CK correlation analysis for this incident, with the associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Beijing Zhidao Chuangyu Information Technology Co., Ltd. breach identified under incident ID KNO5392653111425.

The analysis begins with an overview of Beijing Zhidao Chuangyu Information Technology Co., Ltd.'s company profile: its LinkedIn page (https://www.linkedin.com/company/knownsec), 237 followers, industry type Computer and Network Security, and 179 employees.

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The score before the incident was 756 and after the incident 621, a difference of -135, which can serve as an indicator of the severity and impact of the incident.

In the next step of the video, we analyze the incident in more detail, along with the impact it had on Beijing Zhidao Chuangyu Information Technology Co., Ltd. and its customers.

On 02 November 2025, Knownsec (Chuangyu) disclosed data leak, espionage and cyber weapon exposure issues under the banner "Major Data Leak at Chinese Security Firm Knownsec (Chuangyu)".

A significant data leak at Knownsec (Chuangyu), a major Chinese cybersecurity firm, exposed over 12,000 secret files on GitHub around November 2, 2025.

The disruption is felt across the environment: 95GB of Indian immigration records, 3TB of South Korean call logs (LG U Plus) and 459GB of Taiwanese transport data were exposed, with over 12,000 files (total volume: ~3.5TB+) at risk.

In response, the files were removed from GitHub, with no official confirmation of further actions; stakeholders were addressed through the Chinese Foreign Ministry's denial of any knowledge of the breach, with no refutation of state-associated cyber intelligence work.

The case remains ongoing (unofficially; the Chinese government denies the breach but acknowledges state-linked cyber activities). Teams are taking away lessons such as: private cybersecurity firms can be deeply entangled in state-sponsored operations, creating significant risks if breached; GitHub and public repositories require stricter monitoring for sensitive data leaks; and advanced hacking tools (e.g., RATs, spyware, malicious hardware) pose evolving threats beyond traditional malware. Recommended next steps include implementing zero-trust architectures and continuous network monitoring, enhancing insider threat detection and access controls for sensitive projects, and conducting regular audits of third-party code repositories for exposed secrets.

Finally, we map the incident against the MITRE ATT&CK framework to identify any correlated tactics and techniques.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence:

  • Initial Access: Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (85%); evidence: GitHub repository misconfiguration (2025 leak) and files exposed on GitHub. Trusted Relationship (T1199), moderate to high confidence (80%); evidence: potential insider (2023 theft) and Knownsec backed by Tencent since 2015.
  • Credential Access: Unsecured Credentials: Credentials In Files (T1552.001), high confidence (90%); evidence: 12,000+ secret files exposed on GitHub and code repositories in the leaked data.
  • Collection: Data from Local System (T1005), high confidence (95%); evidence: 95GB of Indian immigration records, 3TB of South Korean call logs and 459GB of Taiwanese transport data. Automated Collection (T1119), high confidence (90%); evidence: remote access trojans (RATs) and Android spyware for apps like Telegram. Command-Line Interface: Malicious Power Bank (T1059.007), moderate to high confidence (75%); evidence: a malicious power bank designed to exfiltrate data while charging.
  • Exfiltration: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol: Exfiltration to Cloud Storage (T1048.003), high confidence (95%); evidence: confirmed exfiltration via GitHub and 12,000+ files (~3.5TB+) exposed. Exfiltration Over C2 Channel (T1041), moderate to high confidence (85%); evidence: RATs and Android spyware for Telegram. Exfiltration Over Physical Medium: Hardware (Malicious Power Bank) (T1052.001), moderate to high confidence (80%); evidence: a malicious power bank designed to exfiltrate data.
  • Defense Evasion: Obfuscated Files or Information (T1027), moderate to high confidence (85%); evidence: hacking tool binaries in the leaked files and state-sponsored cyber espionage tools. Hide Artifacts: Email Hiding Rules (T1564.008), moderate to high confidence (70%); evidence: lists of 80 foreign organizations targeted hidden in files.
  • Command and Control: Ingress Tool Transfer (T1105), high confidence (90%); evidence: RATs and Android malware targeting messaging apps. Proxy: External Proxy (T1090.004), moderate to high confidence (75%); evidence: GitHub used as an exfiltration vector and state-level threats bypassing firewalls.
  • Impact: Data Encrypted for Impact (T1486), lower confidence (30%); no direct evidence, but the Top Secret (cyber weapons) exposure implies the potential. Endpoint Denial of Service: Application Exhaustion Flood (T1499.002), lower confidence (40%); hacking tools (RATs, spyware) could enable DoS, but this is not explicitly confirmed.
  • Reconnaissance: Gather Victim Host Information (T1592), high confidence (95%); evidence: details of attacks on 20+ countries and the list of 80 foreign organizations targeted. Active Scanning: Vulnerability Scanning (T1595.002), moderate to high confidence (80%); evidence: attack methodologies exposed in the leak and critical infrastructure targets.
  • Lateral Movement: Remote Services: Windows Remote Management (T1021.006), moderate to high confidence (70%); evidence: RATs imply lateral movement capabilities.
  • Persistence: Create or Modify System Process: Windows Service (T1543.003), moderate to high confidence (80%); evidence: RATs and spyware typically install as services for persistence. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), moderate to high confidence (75%); evidence: the malicious power bank suggests hardware-level persistence mechanisms.

These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.


Sources