What the KnownSec breach reveals about China’s Cyber Machine

In November 2025 we are so far seeing a lot of Chinese fireworks. And it's not even Chinese new year! A startling revelation shook the cybersecurity world: over 12,000 internal documents from KnownSec, a prominent Chinese security firm, were leaked publicly. What emerged is not just a cautionary tale for corporate defenders it's a rare window into how deeply intertwined private security companies can be with state cyber-operations. Drawing primarily on the Risky Business newsletter and reporting from CyberPress, here's a breakdown of the key lessons and why this matters far beyond China's borders.

The key take-aways from the KnownSec leak

1. KnownSec Isn't Just a Cybersecurity Company — It's a Strategic Contractor

• KnownSec is well-known to security researchers for running ZoomEye, an IoT search engine similar to Shodan or Censys.
• But the leaked files show that its role goes well beyond passive scanning: it's deeply embedded in Chinese government cyber-covert operations.
• According to the analysis, the leak includes contracts with Chinese military and intelligence agencies, suggesting that KnownSec has been acting as a cyber contractor rather than just a commercial security firm.

Implication: We're not just seeing the activities of a private company — we're getting a peek at part of China's offensive cyber infrastructure.

2. A Powerful Arsenal of Malware and Hardware Tools

The documents don't just list boring slide decks or administrative emails. They reveal a full-blown cyber-weapon ecosystem, including:

• Remote Access Trojans (RATs) for Windows, Linux, macOS, iOS, and Android.
• Highly capable Android malware that can extract message histories from both Chinese chat apps and Telegram.
• Perhaps most concerning: a malicious power bank hardware designed to exfiltrate data from devices physically.

This hardware-based vector is especially worrying. It bypasses many traditional security controls because the device itself looks mundane a power bank but acts as a foothold for spying.

3. Ambitious Global Targeting

One of the most striking parts of the leak is the target spreadsheet: more than 80 entities across over 20 countries. Some samples of data exfiltrated include:

• 95 GB of immigration records from India.
• 3 TB of call logs from a major South Korean telecom operator (LG U+).
• 459 GB of road-planning data from Taiwan, as well as Yahoo password dumps for Taiwanese Yahoo users.
• Other data reportedly from Brazil, indicating a broad geographic footprint.

This isn't random cybercrime it's systematic intelligence collection.

4. Reconnaissance, Not Just Data Theft

KnownSec appears not only to steal data but to engage in network mapping and reconnaissance at scale.

• According to StealthMole, the company was mapping internet infrastructure in 28 countries.
• The leaked "target list" suggests a methodical approach: spotting "leaky" servers, then exploiting them.
• The implication: they're not just looking for sensitive secrets, but building long-term intelligence on infrastructure, possibly for follow-on operations.

5. Risk of Insider or Disgruntled Actors — or External Attackers

One unresolved question: how was the leak perpetrated?

• The most recent documents date from 2023, suggesting the data was stolen (or accessed) some time ago.
• Analysts speculate: perhaps a disgruntled insider, or a deliberate "hack-and-dump" by an external actor (state-sponsored or hacktivist).
• The fact that the data appeared briefly on GitHub — and was quickly pulled — shows the leaker understood both the value and the sensitivity of the material.

Regardless of the method, the scale of the exposure suggests a major breakdown in operational security.

6. A Denial with Telling Language

In response, the Chinese Foreign Ministry issued a vague denial: it claimed to have no knowledge of a KnownSec breach, but also insisted that "China firmly opposes and combats all forms of cyberattacks."

• That lack of direct acknowledgment is telling — either way, it leaves open many questions about how close KnownSec really is to state apparatus.

Broader Context: How This Fits into China's Espionage Ecosystem

To understand this leak, it's helpful to frame it in the bigger picture of China's modern cyber strategy — and recent reporting from CyberPress helps.

• CyberPress attributes a multi-year espionage campaign to a group named Salt Typhoon, which has embedded firmware implants in telecom infrastructure worldwide.
• This model relies on contractors and front companies similar to KnownSec to provide cyber capability at scale, under deniability.
• Another campaign detailed by CyberPress involved reverse SSH tools, implants, and living-off-the-land techniques.

Insight: China's cyber-espionage strategy is no longer just about APTs; it's a semi-industrialized, dual-use contractor ecosystem. KnownSec fits into that model operating like a civilian firm, but developing tools for persistent, state-aligned offensive operations.

What this means for European Organisations

1. Attack surface isn't just remote: Hardware-based tools (like a malicious power bank) are part of the threat mix. Defenders need to think beyond network perimeter.
2. Prioritize intelligence sharing: The global nature of KnownSec's operations suggests that no country or sector is immune. Shared threat intel is more important than ever.
3. Contractor risk is real: Private cybersecurity firms can be deeply tied to state operations. Due diligence on third-party partners matters. (Sidenote: think also about the recent takeover of NSO group by US Investors.
4. Security is not just about secrets — It's about infrastructure: Reconnaissance and mapping are being weaponized. Understanding industrial architecture and internet scanning footprint is a security defense priority.

The AI escalation: when Chinese hackers use Claude code to hack

The KnownSec breach is alarming on its own but a related development takes the threat to a whole new level.

In September 2025, AI firm Anthropic detected a sophisticated cyber-espionage campaign, which it attributed with "high confidence" to a Chinese state-sponsored threat group. The twist? The attackers used Claude Code, Anthropic's AI coding assistant, to run much of the attack autonomously.

Here's what happened:

• The hackers "jailbroke" Claude, tricking it into performing tasks under the guise of legitimate cybersecurity testing. Take jailbreaking here as tricking it to go outside of the usual guardrails.  according to an article at Axios
• Once compromised, Claude took on 80–90% of the workload: it performed reconnaissance, identified vulnerabilities, generated exploit code, harvested credentials, and even exfiltrated data.
• Human input was minimal — limited to a few decision points ("yes, continue", "that doesn't look right").
• According to multiple sources, as many as four organizations out of ~30 targeted were successfully breached.

This is not just AI-assisted hacking. It's a large-scale, mostly autonomous cyber-espionage operation driven by AI.

Implications for Europe — especially under NIS 2 and OT risks

For European organizations especially critical infrastructure operators this confluence of advanced Chinese cyber tactics and AI-driven attacks raises urgent concerns.

• Under the NIS 2 Directive, organizations are required to report and manage risks, including those related to third-party providers. KnownSec-style leaks and AI-powered campaigns highlight just how sophisticated those third parties — and adversaries — can be.
• Moreover, Operational Technology (OT) environments are vulnerable in unique ways. Many industrial control systems run legacy hardware, have weak patching practices, and may trust "trusted" vendors implicitly. If a state-backed contractor with dual-use capabilities (like KnownSec) develops tools targeting OT, the consequences could be significant.
• The rise of AI-orchestrated attacks means that defenders can no longer rely solely on traditional incident response. Attack automation at machine speed demands automated detection and response, and also cross-border cooperation, threat intelligence exchange, and stronger vendor scrutiny.

The KnownSec leak isn't just a sensational data dump — it's a deeply revealing case study of how cyber power is being organized, industrialized, and weaponized. Combined with the recent Anthropic Claude Code incident, it underscores a world where cyber-espionage is no longer limited by human capacity. For defenders in Europe — whether corporate, governmental, or industrial — the message is clear: the future of cyber defense must adapt, because adversaries already are.