Attack on the Chinese Supercomputing Centre: When the Attacker Becomes the Target
An actor operating under the name “FlamingChina” claims to have obtained more than 10 petabytes of data from China’s National Supercomputing Centre in Tianjin, including military simulations, weapons system schematics and classified research materials. Regardless of whether the declared volume is real or overstated, the incident raises a question that reaches beyond geopolitics: how are the sovereign computing capacities of states protected, and why are supercomputers becoming a strategic target?
What is known about the incident
In early February 2026, posts appeared on the BreachForums forum, and subsequently on a Telegram channel, from an actor using the handle FlamingChina, offering for sale a large data package allegedly originating from the National Supercomputing Centre in Tianjin (NSCC Tianjin). The centre, established in 2009, operates the Tianhe-1A supercomputer developed by the National University of Defence Technology and serves more than six thousand clients from the defence, scientific and industrial sectors. It is among the institutions that the U.S. Department of Commerce placed on the Entity List precisely because of their role in the modernisation of the Chinese military.
The case attracted media attention only on 8 April 2026, when CNN published its own investigative report featuring statements from named experts. The actor is offering preview samples for approximately 3,000 US dollars in the Monero cryptocurrency, with the complete dataset priced at hundreds of thousands of dollars. According to their own claims, they gained access through a compromised VPN domain and exfiltrated the data gradually over a period of roughly six months via a network of distributed nodes.
What experts have confirmed and what remains open
Dakota Cary of SentinelOne, who has long specialised in Chinese cyber activity, assessed the published samples as credible. He told CNN that the sample content is consistent with what one would expect from a supercomputing centre serving the defence and scientific sectors. At the same time, he pointed out that the exfiltration method itself was not technically exceptional – it reflected a failure of network architecture, the absence of segmentation and shared access credentials, rather than a sophisticated attack.
On the other side stand fundamental doubts. The actor FlamingChina has no prior history, which is unusual in the cybersecurity community. The claimed volume of 10 petabytes is, from a technical standpoint, at the edge of plausibility, as the mere storage and transfer of such a quantity of data poses an extreme logistical challenge. Some analysts therefore acknowledge that the actual scope of the leak may be significantly smaller, although still strategically significant. Major reputable cybersecurity outlets have so far not published standalone technical analyses of the incident, and the Chinese side has neither officially confirmed nor denied it.
For the purposes of strategic assessment, the case should therefore be approached with caution. Whether this concerns a leak of 10 petabytes or a considerably smaller volume, the essence remains the same: an unknown actor appears to have had access to the environment of a national computing centre for six months without being detected.
A geopolitical inversion
From an international security perspective, the incident represents a remarkable reversal of the prevailing narrative. In recent years, the discussion of Chinese cyber activity has focused mainly on offensive operations attributed to actors such as Volt Typhoon or Salt Typhoon, which were said to target U.S. critical infrastructure. This time, China itself has found itself on the receiving end – and in one of the most sensitive areas of its technological ecosystem.
This reversal has broader significance. It shows that no country, regardless of the scale of investment in its own computing and defence capacities, is immune to such incidents. Sovereign computing capacities – such as supercomputers, research HPC clusters and infrastructure for training large artificial intelligence models – are becoming strategic targets comparable to traditional elements of critical infrastructure. Their compromise can have a direct impact on defence programmes, scientific research and economic competitiveness.
A European precedent that tends to be forgotten
Although the Tianjin incident may appear to be an exotic case from a distant region, European critical infrastructure has its own experience with attacks on supercomputers. In May 2020, approximately twelve high-performance computing centres in Germany, the United Kingdom and Switzerland were compromised, including the ARCHER system in Edinburgh, Hawk in Stuttgart, JURECA and JUWELS in Jülich, the Leibniz Supercomputing Centre in Garching and CSCS in Switzerland. The attackers used stolen SSH credentials, with the first intrusions dating back to January 2020 – months before they were discovered.
The parallel between the two incidents is striking. In both cases, the entry point was not a sophisticated zero-day vulnerability, but rather basic shortcomings in identity management, credential handling and network segmentation. And in both cases, it took months for the attacker’s presence in the system to be detected. It is precisely this ability of an attacker to remain invisible for extended periods within sensitive infrastructure that constitutes the key lesson from the perspective of critical infrastructure protection.
A regulatory gap in the protection of computing capacities
The European framework for the protection of critical infrastructure – the NIS 2 Directive and the CER Directive, which was transposed into Slovak law by Act No. 367/2024 Coll. on Critical Infrastructure – covers sectors such as energy, transport, healthcare, digital infrastructure, financial services and public administration. High-performance computing systems and research infrastructure, however, do not have their own standalone category within these frameworks. They fall partly under digital infrastructure and partly under research, yet their strategic importance for defence, science and the development of artificial intelligence remains covered only indirectly.
At the same time, 2026 is a pivotal year for Slovakia. State administration bodies are required to identify critical entities under Act No. 367/2024 Coll. by no later than 17 July 2026. In parallel, the National Cybersecurity Strategy for 2026 to 2030 is being fully implemented. This is precisely the right moment to reconsider whether the current categories of critical infrastructure adequately reflect the strategic importance of sovereign computing capacities – and whether these elements do not require more explicit inclusion in the regulatory framework.
“The Tianjin incident is important for us not because it took place in China, but because of what it reveals about the nature of today’s threats. If an unknown actor can operate for months inside the environment of a national computing centre without being detected, this is a warning for every operator of sensitive infrastructure, regardless of geography. Sovereign computing capacities are becoming a strategic asset to which we must pay the same attention as to energy grids or telecommunications hubs,” says Tibor Straka, President of the Critical Infrastructure Association of the Slovak Republic.
Lessons for the Slovak context
The analysis of the information available to date yields several conclusions that are also relevant for Slovak critical infrastructure entities.
First, the fundamental security principles – network segmentation, rigorous credential management and monitoring of unusual data activity – remain the first line of defence even against the most advanced adversaries. Major incidents rarely begin with zero-day vulnerabilities; far more often, they exploit neglected identity and network hygiene.
Second, the ability to detect is just as important as the ability to prevent. The six-month presence of an attacker in a sensitive environment illustrates that it is not enough to invest only in the perimeter; continuous monitoring of internal operations and the ability to recognise anomalies in good time are equally crucial. The shift from formal documentation to the demonstrable functionality of security measures, brought about by the transposition of the NIS 2 Directive, is a fundamental step in this direction.
Third, research and computing institutions, often perceived as academic environments with an open culture are, in today’s geopolitical context, becoming strategic targets. Slovak university computing centres, research institutions and HPC capacities of the Slovak Academy of Sciences should form part of the discussion on how to approach the protection of sovereign computing capacities within the framework of the new obligations arising from Act No. 367/2024 Coll.
The Critical Infrastructure Association of the Slovak Republic (AKI SR) provides a space for expert discussion of these topics, connects entities from the public and private sectors, and offers its members access to expert knowledge in the implementation of new regulatory requirements. Particularly at a time when the cybersecurity of critical infrastructure is shifting from formal preparation to demonstrable practice, such an exchange of experience and cross-sectoral coordination is indispensable.
The Tianjin incident is still awaiting full verification. Regardless of its final contours, however, it already fulfils one important function today: it reminds us that the strategic elements of modern society are also found in places that traditional frameworks for the protection of critical infrastructure have not yet explicitly identified.
