An analysis of a data leak from a Chinese cybersecurity company TopSec has revealed that it likely offers censorship-as-a-service solutions to prospective customers, including a state-owned enterprise in the country.
Founded in 1995, TopSec ostensibly offers services such as Endpoint Detection and Response (EDR) and vulnerability scanning. But it’s also providing “boutique” solutions in order to align with government initiatives and intelligence requirements, SentinelOne researchers Alex Delamotte and Aleksandar Milenkoski said in a report shared with The Hacker News.
The data leak contains infrastructure details and work logs from employees, as well as references to web content monitoring services used to enforce censorship for public and private sector customers.
It’s believed that the company provided bespoke monitoring services to a state-owned enterprise hit by a corruption scandal, indicating that such platforms are being used to monitor and control public opinion as necessary.
Present among the data leak is a contract for a “Cloud Monitoring Service Project” announced by the Shanghai Public Security Bureau in September 2024.
The project, the document reveals, involves continuous monitoring of websites within the Bureau’s jurisdiction with the goal of identifying security issues and content changes, and providing incident alerts.
Specifically, the platform has been designed to look for the presence of hidden links in web content, along with those containing sensitive words related to political criticism, violence, or pornography.
While the exact goals are unclear, it’s suspected that such alerts could be used by customers to take follow-on actions, such as issuing warnings, deleting content, or restricting access when sensitive words are detected. That said, Shanghai Anheng Smart City Security Technology Co. Ltd. won the contract, per public documents analyzed by SentinelOne.
The cybersecurity firm said the leak was detected after it analyzed a text file that was uploaded to the VirusTotal platform on January 24, 2025. The manner in which the data was leaked remains unclear.
“The main file we analyzed contains numerous work logs, which are a description of the work performed by a TopSec employee and the amount of time the task took, often accompanied by scripts, commands, or data related to the task,” the researchers noted.
“In addition to work logs, the leak contains many commands and playbooks used to administrate TopSec’s services via multiple common DevOps and infrastructure technologies that are used worldwide, including Ansible, Docker, ElasticSearch, Gitlab, Kafka, Kibana, Kubernetes, and Redis.”
Also found are references to another framework named Sparta (or Sparda) that’s supposedly designed to handle sensitive word processing by receiving content from downstream web applications via GraphQL APIs, once again suggestive of censorship keyword monitoring.
“These leaks yield insight into the complex ecosystem of relationships between government entities and China’s private sector cybersecurity companies,” the researchers said.
“While many countries have significant overlap between government requirements and private sector cybersecurity firms, the ties between these entities in China are much deeper and represent the state’s grasp on managing public opinion through online enforcement.”
