Business Priorities of Chinese Cyber Range Providers Go Hand in Hand with State Cyber Capability Development
China’s cyber range market booms, fueled by the state’s demand for developing capable cyber talent and improving the effectiveness of “attack and defense live-fire capability”
This post is co-authored by the Natto Team and Eugenio Benincasa, a senior researcher at the Center for Security Studies at the Swiss Federal Institute of Technology Zurich (ETH Zurich). The report by Benincasa and Dakota Cary, Strategic Advisory Consultant at SentinelOne, titled “Capture The (Red) Flag: An Inside Look into China’s Hacking Contest Ecosystem,” is published by the Atlantic Council in October. The report examines over 120 hacking contests in China since 2004 and delves into the key elements of China’s hacking contest ecosystem, such as growth enablers, competition hosts, and cyber range providers, while highlighting specific contests associated with China’s government security agencies.
In September 2024, the FBI announced the seizure of a botnet operated by Integrity Technology (Integrity Tech), a Chinese information technology company linked to cyber threat group Flax Typhoon, which targeted critical infrastructure globally, including in the U.S. and Taiwan. The Integrity Tech case provides valuable insight into the Chinese high-tech ecosystem and its relation to state offensive activity. For example, in a September 25 post Natto Thoughts showed Integrity Tech's connections to i-SOON, a Chinese firm whose leaked February 2024 files revealed its role in state-sponsored cyber operations.[1] The September 25 Natto Thoughts posting also fleshed out the alignment of Integrity Tech’s business development with the activities of linked Chinese state threat group Flax Typhoon. Among other things, we discovered that Integrity Tech claimed to be “a leader in cyber security testing and evaluation, cyber range and talent development,” and that its core business is the cyber range series of products.
What’s with Cyber Ranges?
Not only did Integrity Tech assert itself as a top player in the market of cyber range products, but over at i-SOON, private chats between executives also suggested that cyber ranges were trending. Given the ties of both companies with Chinese state offensive operations, these make us wonder what has been going on with Chinese cyber ranges.
So, who are the major cyber range players? What does the current cyber range ecosystem look like in China? What are the ultimate goals of developing a robust cyber range market? And most importantly, what are the implications of the fact that companies like Integrity Tech offer cyber range products and services and are also involved in state-sponsored cyber operations? This post aims to address these questions.
China’s Cyber Range Development Sparked by US Lead, Now Goes Beyond Education and Training Goals to Span Attack and Defense Preparation
Cyber ranges (网络靶场) “are interactive and simulated platforms that replicate networks, systems, tools, and applications,” according to the US National Institute of Standards and Technology (NIST). NIST recognizes that cyber ranges have “a crucial role to play in facilitating and promoting cybersecurity education, training, and certification.” The development of cyber ranges in China has closely followed that of the United States. The US Defense Advanced Research Projects Agency (DARPA) announced the development of the National Cyber Range (NCR) in May 2008. As early as 2009, China began to outline the country’s cyber range development. That year, the Chinese Academy of Sciences Institute of Computing launched cyber range technology and prototype verification. The institute developed what was likely one of the earliest cyber ranges, the “Tianji Cyber Range” (天玑网络靶场), along with other testing cyber ranges used for researching electronic information countermeasures and simulation technology and for testing related security products. Since then, China has grown a robust market for cyber range providers in the cyber security industry. For example, Security Bull’s “2024 China Cybersecurity Industry Panorama” (see below) listed 29 companies in the category of top cyber range providers, including not only companies that specialize in cyber range products and services, but also companies that offer cyber ranges as just one of many security offerings. (A previous Natto Thoughts posting characterized this report and drew on it for a profile of companies in the web application scanning and monitoring sub-category.)
Although NIST indicates cyber ranges play a crucial role in cybersecurity education and training, applications of cyber ranges in China have gone above and beyond. In the report “A Survey of China’s Cyber Ranges” published in September 2022 by the Center for Security and Emerging Technology (CSET) in the US, researcher Dakota Cary observed the following applications of cyber ranges in China:
- Training on new tools and techniques in a controlled environment.
- Practicing attacking and defending industrial control systems.
- Evaluating product cybersecurity—smart cars, Internet of Things (IoT) devices, etc.
- Evaluating the efficacy of cybersecurity/antivirus products. Such evaluations can determine whether the products will detect new attack methodologies or malware. These evaluations can also help attackers evade a target’s defenses. China’s military has been observed purchasing such systems.
- Recreating networks to allow defenders to practice defending those systems and attackers to practice attacking targeted systems.
- Planning attacks using attack graphs, which recreate a network and determine which pathways to a target are least likely to pique the interest of defenders. Some researchers are using an AI technique, reinforcement learning, to determine and optimize these attack paths.
- Replicating smart-city networks for defenders to practice protecting internet connected infrastructure and surveillance systems.
The observed cyber range applications described above suggest a strong emphasis on developing practical capabilities for attacking and defending systems. Cyber ranges provide simulated network environments and collect and store network performance data, which can be used to gain insights into network configurations, vulnerabilities, and defenses, potentially aiding real-world targeting strategies. Adversaries can leverage these simulations to refine their techniques, reverse-engineer attacks, and develop exploits while analyzing defender responses to craft strategies that bypass security measures.
China’s Leading Cyber Range Providers
China’s cyber range market is a rapidly growing segment within the broader cybersecurity industry. As mentioned above, Security Bull published its “2024 China Cybersecurity Industry Panorama” in April, listing 29 leading cyber range providers. In addition, an industry think tank called CyberSecurity (CS) Reviews (数说安全) also released a "2024 China Cybersecurity Market Panorama" (2024年中国网络安全市场全景图) report. CS Reviews is a subsidiary of Chinese cybersecurity consulting firm Genius Cyber Tech (赛博英杰), which was founded by former Chinese Ministry of Public Security cyber security expert Tan Xiaosheng. The CS Reviews report highlighted key players in China's cybersecurity market, with a focus on stable R&D investment and independent innovation. Among these, the report identified 16 leading companies in the cyber range space (see below).
The companies identified vary in size and the scope of their products and services. Large firms such as 360 Group, Qi An Xin, and NSFOCUS have broad involvement across the cybersecurity industry, while others, including Integrity Tech (永信至诚, Yongxin ZhiCheng), Saining Network Security (赛宁网安, CyberPeace), ELEX (博智安全), and Range Soft (软极网络), have a more specialized focus on cyber ranges. These cyber range companies provide diverse offerings in different markets, such as Internet of Vehicles, Industrial Control System (ICS) security, Capture the Flag (CTF) competition technical support, Internet of Things, and communication systems. The report also included a specific list of top providers of cyber range for ICS systems (see below). Most of the companies featured in both lists have ties to Chinese government security agencies, involving investments, financial relationships, and partnerships for submitting newly discovered software vulnerabilities to China's intelligence agency, the Ministry of State Security (MSS), for potential offensive use.
A separate report released in the same month by the Roar Security Industry Research Institute, titled "Roar 2024 Network Security Industry Atlas" (嘶吼2024网络安全产业图谱), offers a specific ranking of top 10 cyber range providers, based on technical strength and market share. Unfortunately, the full report wasn’t readily available for download, and the websites of many companies on the list provided only partial information from the rankings, obscuring the full data and showcasing only their own accomplishments. However, the top-ranked company ELEX (博智安全) provided a clear view of the entire ranking (see below).
Comparing these three lists of leading cyber range providers, we noticed that several companies appeared in all three. To further understand the operations of cyber range providers, we chose to take a close look at three prominent companies that appear in all three lists: Integrity Tech, ELEX, and Saining (Cyber Peace).
Integrity Tech, ELEX, and Saining
Profiling the three leading cyber range providers, we discovered several features in common.
- These three companies are all listed as the top cyber range providers for industrial control systems, according to the CS Reviews China Cybersecurity Market Panorama.
- They are also Tier 2 vulnerability suppliers of China’s National Vulnerability Database of Information Security (CNNVD), overseen by the MSS. In September 2024, ELEX claimed to have won the title of “Outstanding Contribution Unit for Original Vulnerability Reporting.” (For more on CNNVD’s tiers of vulnerability suppliers see “Matrix Cup: Cultivating Top Hacking Talent, Keeping Close Hold on Results” and on CNNVD’s network of support companies, see “Who Has the Best Scanning Tools in China?”)
- In addition, interestingly, Integrity Tech and Saining Network have heavily invested in CTF contests and are the largest cyber range providers for China’s main CTF contests, according to CTF data collected by Cary and Benincasa for their Capture the (red) Flag report. (ELEX products have not been widely adopted for CTFs.)
Integrity Tech
Founded in 2010, Integrity Tech is a leading cybersecurity training company in China. According to the report "China Cybersecurity Hands-On Training Exercise Test Platform Market Share, 2021: High and Fast" (中国网络安全实训演练测试平台市场份额,2021:高歌猛进, 快速发展), Integrity Tech holds the top position in the cybersecurity training market, capturing a 20.4% share. As part of its diverse range of products, including honeypot systems and monitoring platforms, the company claims to excel in providing cyber range solutions. As stated on its website, Integrity Tech has the capability to simulate a network environment with over 100,000 nodes, simulating systems of more than 10 industries and supporting nearly 20,000 users in online drills simultaneously. Additionally, the company is a prominent provider of cyber range services for CTF competitions.
Cary and Benincasa's Capture the (red) Flag report reveals Integrity Tech’s key role in China's talent identification and development through its technical support to numerous prestigious Chinese CTF contests; it operates the cyber ranges of at least 26 of China’s 54 primary annual CTF hacking contests. These competitions are among the most prestigious in the country, known for their complexity, payouts, participation rates, and geographic scope. Competitions like the Wangding Cup and Qiang Wang Cup, affiliated with the Ministry of Public Security (MPS) and the People’s Liberation Army (PLA) respectively, focus on IoT devices and vulnerability mining, reflecting the targets and activities of which Integrity Tech has been accused in the U.S. advisory. The Capture the (red) Flag report provides a detailed overview of each of these competitions.
Integrity Tech’s primary cyber range platforms, the “Spring and Autumn” (春秋) cyber range product series and the “Digital Wind Tunnel” (数字风洞), likely enhance its capabilities through engagement with numerous CTFs and industry training. This is significant given the company’s close ties to government security agencies. In a news item about Integrity Tech’s company profile published right after the company was listed on the Shanghai Stock Market in February 2022, China’s IPO (initial public offering) information website IPO123.cn reported that Integrity Tech’s Ker Research Lab (KR Lab) has been ranked as a top-tier provider of national-level cybersecurity attack and defense live exercises. (hxxp://www.ipo123[.]cn/html/Special/bjyxzckj/Index.html)
Although the current version of the Integrity Tech website has removed references to KR Lab, replacing it with mentions of five unspecified security labs, KR Lab resurfaced in a September 2024 FBI Search and Seizure Warrant related to the “Sparrow” application online repository, which was used to control a malicious botnet. Canada-based security researcher Guillaume Corneau-Tremblay investigated further and discovered Integrity Tech’s close ties with law enforcement agencies and its leadership in developing a "large-scale network range" in collaboration with PLA units that have participated in previous cyber operations against the U.S. Additionally, the company is recognized as a known vulnerability supplier to the MSS.
ELEX
Founded in 2009 in Nanjing, Jiangsu Province, ELEX Security Technology Limited (ELEX) specializes in two main product lines: the Cyber Range Product Line, which integrates defensive strategies, red-blue team confrontations, test verifications, combat drills, operational assessments, and practical training; and the Industrial Internet Security Product Line, offering security solutions for critical national infrastructure sectors, including electric power, petroleum, petrochemicals, rail transit, chemicals, and intelligent manufacturing.
ELEX’s cyber range solutions extend across various industries, such as wind power, solar energy, gas, smart manufacturing, telecommunications, and education, as well as offering “state secret protection sector cyber range solutions” for government agencies. While it emphasizes its commitment to the education sector through platforms designed for cybersecurity competitions (such as its collaboration with Zhejiang University to establish a hacking contest), it seems that these platforms have not been widely adopted within China’s CTF ecosystem.
A third product category on the company’s website, labeled Innovative Products, highlights offerings related to both domestic and foreign intelligence and the handling of classified information. ELEX's slogan, "Forging Spears and Shields for National Security" (为国家安全锻矛铸盾), combined with this product line, suggests that China’s MPS and MSS bureaus are likely among the company’s key customers and that ELEX tailors products and services to suit government needs.[2]
ELEX also has a partnership with Qi An Xin—one of China's largest cybersecurity companies, serving over 90% of central government departments, state-owned enterprises, and major banks. In 2021, Qi An Xin reportedly showed strong interest in ELEX’s Cyber Range and Innovative Products business lines during a visit to ELEX’s premises by the company's former CEO, Wu Yunkun, and his delegation. The ELEX website also reports a December 2023 partnership to drive innovation in the state secret protection sector, though specifics of the collaboration remain limited.
ELEX’s strong emphasis on national security and its partnerships with top-tier players deeply integrated into China’s offensive cyber ecosystem demonstrate the significant demand for cyber ranges and how these tools can be leveraged to enhance China’s offensive capabilities.
Saining Network Security
Saining Network Security (Saining), also known as Cyber Peace (赛宁网安), was established in Nanjing, Jiangsu Province in 2013. According to the "China Cybersecurity Hands-On Training Exercise Test Platform Market Share, 2021: High and Fast" report, Saining ranked third in the cybersecurity training market in China with a 15.2% share. Specifically, Saining is a leading cyber range provider. Its cyber range products include live practice cyber ranges, live training platforms, industrial control system cyber ranges, vulnerability replication cyber ranges, IoT cyber ranges, connected vehicle cyber ranges and CTF platforms. According to a 2021 article by Sohu.com, Saining is aiming to become “the world’s number one brand of cyber shooting ranges.” According to the company’s own website, its products received recognition from military customers in 2018, although the specific military organizations involved are not explicitly mentioned.
Overall, according to data collected by Cary and Benincasa in their Capture the (Red) Flag report on China's CTF ecosystem, Saining Network is the second-largest provider of cyber ranges for China's 54 major annual CTF hacking contests, following Integrity Tech. Among these contests, Saining is best known for sponsoring and organizing XCTF (hxxps://adworld.xctf.org[.]cn/league/list), China’s first Attack-Defense CTF competition, founded by the Blue Lotus CTF team of Tsinghua University in 2014. XCTF has grown into the country’s largest CTF event, with competitions held nationwide each year. According to XCTF's website, it is the largest contest brand in Asia and the second largest globally, likely behind DEF CON CTF.
The XCTF League functions more like a tournament than a single event, comprising a series of selection rounds over several months leading up to the final stage. As a key platform for identifying and developing top-tier cybersecurity talent, the 2024 XCTF qualifying rounds drew significant participation, with 2,987 teams and over 11,000 contestants. Ultimately, 24 domestic and international teams qualified for the finals, according to a report by China’s National University of Defense Technology. The Capture the (Red) Flag report reveals Saining Network’s connections with the MSS, noting that the XCTF competition is co-organized annually by the China Institute for Innovation and Development Strategy (CIIDS, 国家创新与发展战略研究会) (hxxps://adworld.xctf.org[.]cn/league/list?rwNmOdr=1719301811043). While CIIDS describes itself as a non-profit organization, it maintains strong ties to the MSS and is run by former MSS officers drawn from front organizations, as detailed by Alex Joske in his book Spies and Lies.
Cyber Ranges as a Training Tool to Improve “Attack and Defense Live-Fire Capability” and State’s Effectiveness in Cyber Operations
The boom in China’s market for cyber range products and services reflects the country’s urgent need to cultivate cyber talent, particularly talent with “live-fire” capability. What is a cybersecurity talent with live-fire capabilities? As the Natto Team previously reported, in 2022 the Chinese Ministry of Education published a “White Paper on the Live-fire Capabilities of Cybersecurity Talents: Attack and Defense Live-Fire Capability Edition” (网络安全人才实战能力白皮书-攻防实战能力篇) (English translation here). The White Paper defined four types of cybersecurity talent live-fire capabilities: "attack and defense live-fire capabilities," "vulnerability mining capabilities," "engineering development capabilities," and "combat effectiveness evaluation capabilities." As to the particular attack and defense live-fire capabilities, the White Paper stated that the capabilities refer to:
- the ability to use cybersecurity technologies and tools to carry out security monitoring and analysis,
- risk assessment,
- penetration test event research and judgment [i.e. evaluation],
- security operations and maintenance, and
- emergency response in real business environments.
As the White Paper stated, “by 2027, China’s cybersecurity talent gap will reach 3.27 million, while the scale of talent training in colleges and universities is only 30,000 per year.” In the meantime, China has “a serious shortage of cybersecurity talents who have live-fire capabilities and understand attack methods and attack pathways.” Cyber ranges provide platforms and controlled environments for training and refining these live-fire capabilities of cyber talent. Cyber range businesses in China will likely continue to grow and help the country close the talent gap with practical attack and defense capability, talent that is equally critical for bolstering state-sponsored cyber operations.
The US government’s exposure of Integrity Tech cast light on Chinese companies’ support of Chinese state offensive cyber activity. One aspect of that support is Integrity Tech’s cyber ranges, as the Natto Team discussed in our previous post and as the further research in the present analysis shows. The Integrity Tech case alerts us that cyber range providers likely play a significant role in improving the effectiveness of state-sponsored cyber operations. As we see from all three leading cyber range providers discussed here, they actively participated in government-sponsored CTF contests and tailored products and services to suit government needs, such as with ELEX’s “innovative products.” The three top companies also competed for government contracts and even became directly involved in state-sponsored cyber operations, such as in Integrity Tech’s Flax Typhoon activity. Cyber range providers’ infrastructure, expertise, and partnerships are definitely in demand in state-sponsored cyber operations. The development of the cyber range market in China has seen a trend toward specialized, sector-targeted, innovation-led, and diversified products and services. This new development is likely driving improvement in the capability of China’s cyber force as well as in the effectiveness of its cyber operations.
[1] For more i-SOON related analysis see Natto Thoughts reports: i-SOON: Another Company in the APT41 Network; i-SOON: Kicking off the Year of the Dragon with Good Luck … or Not; i-SOON: “Significant Superpower” or Just Getting the Job Done?; i-SOON Operations: A View from Kazakhstan; i-SOON Leak: Unanswered Questions and What Now?
[2] These products include: 1) The Public Opinion Control System (博智舆情阵地管控系统) aims to analyze and address public sentiment on foreign social media, create a network of human-like accounts, and manage user comments on major platforms like Facebook, Twitter, and YouTube; 2) The Computer Terminal Secrecy Inspection System (博智计算机终端保密检查系统) is designed for inspections by state secret protection bureaus and self-checks by agencies with classification requirements, monitoring classified and non-classified computers for unauthorized Internet connections and improper handling of classified information; 3) The WeChat Secrecy Information Check System (博智微信保密检查系统) is specifically designed to address the limitations of traditional methods in detecting leaks of classified information on WeChat, China’s most popular messaging app. It monitors WeChat usage on computers to identify the transmission of classified and sensitive files and the sharing of sensitive information in chat records.
Hmmm, MPS and MSS are very similar—even the uniforms are almost identical—but does that carry over to cyber? Does the PLA have a national cyber force? Who are they? Why are there so many companies in Nanjing? What is unique about that area? What PLA troops are present? Do those units work with the MPS and/or MSS? What units are co-located? What companies are on those compounds? It's all so simple; these are just basic questions.
I hope PLA outmoggs ameriKKKans and the west when it comes to cybersec