Attack on the Chinese Supercomputing Centre: When the Attacker Becomes the Target

13 April 2026

An actor operating under the name “FlamingChina” claims to have obtained more than 10 petabytes of data from China’s National Supercomputing Centre in Tianjin, including military simulations, weapons system schematics and classified research materials. Regardless of whether the declared volume is real or overstated, the incident raises a question that reaches beyond geopolitics: how are the sovereign computing capacities of states protected, and why are supercomputers becoming a strategic target?



What is known about the incident


In early February 2026, posts appeared on the BreachForums forum, and subsequently on a Telegram channel, from an actor using the handle FlamingChina, offering for sale a large data package allegedly originating from the National Supercomputing Centre in Tianjin (NSCC Tianjin). The centre, established in 2009, operates the Tianhe-1A supercomputer developed by the National University of Defence Technology and serves more than six thousand clients from the defence, scientific and industrial sectors. It is among the institutions that the U.S. Department of Commerce placed on the Entity List precisely because of their role in the modernisation of the Chinese military.


The case attracted media attention only on 8 April 2026, when CNN published its own investigative report featuring statements from named experts. The actor is offering preview samples for approximately 3,000 US dollars in the Monero cryptocurrency, with the complete dataset priced at hundreds of thousands of dollars. According to their own claims, they gained access through a compromised VPN domain and exfiltrated the data gradually over a period of roughly six months via a network of distributed nodes.


What experts have confirmed and what remains open


Dakota Cary of SentinelOne, who has long specialised in Chinese cyber activity, assessed the published samples as credible. He told CNN that the sample content is consistent with what one would expect from a supercomputing centre serving the defence and scientific sectors. At the same time, he pointed out that the exfiltration method itself was not technically exceptional – it reflected a failure of network architecture, the absence of segmentation and shared access credentials, rather than a sophisticated attack.


On the other side stand fundamental doubts. The actor FlamingChina has no prior history, which is unusual in the cybersecurity community. The claimed volume of 10 petabytes is, from a technical standpoint, at the edge of plausibility, as the mere storage and transfer of such a quantity of data poses an extreme logistical challenge. Some analysts therefore acknowledge that the actual scope of the leak may be significantly smaller, although still strategically significant. Major reputable cybersecurity outlets have so far not published standalone technical analyses of the incident, and the Chinese side has neither officially confirmed nor denied it.


For the purposes of strategic assessment, the case should therefore be approached with caution. Whether this concerns a leak of 10 petabytes or a considerably smaller volume, the essence remains the same: an unknown actor appears to have had access to the environment of a national computing centre for six months without being detected.


A geopolitical inversion


From an international security perspective, the incident represents a remarkable reversal of the prevailing narrative. In recent years, the discussion of Chinese cyber activity has focused mainly on offensive operations attributed to actors such as Volt Typhoon or Salt Typhoon, which were said to target U.S. critical infrastructure. This time, China itself has found itself on the receiving end – and in one of the most sensitive areas of its technological ecosystem.


This reversal has broader significance. It shows that no country, regardless of the scale of investment in its own computing and defence capacities, is immune to such incidents. Sovereign computing capacities – such as supercomputers, research HPC clusters and infrastructure for training large artificial intelligence models – are becoming strategic targets comparable to traditional elements of critical infrastructure. Their compromise can have a direct impact on defence programmes, scientific research and economic competitiveness.


A European precedent that tends to be forgotten


Although the Tianjin incident may appear to be an exotic case from a distant region, European critical infrastructure has its own experience with attacks on supercomputers. In May 2020, approximately twelve high-performance computing centres in Germany, the United Kingdom and Switzerland were compromised, including the ARCHER system in Edinburgh, Hawk in Stuttgart, JURECA and JUWELS in Jülich, the Leibniz Supercomputing Centre in Garching and CSCS in Switzerland. The attackers used stolen SSH credentials, with the first intrusions dating back to January 2020 – months before they were discovered.


The parallel between the two incidents is striking. In both cases, the entry point was not a sophisticated zero-day vulnerability, but rather basic shortcomings in identity management, credential handling and network segmentation. And in both cases, it took months for the attacker’s presence in the system to be detected. It is precisely this ability of an attacker to remain invisible for extended periods within sensitive infrastructure that constitutes the key lesson from the perspective of critical infrastructure protection.


A regulatory gap in the protection of computing capacities


The European framework for the protection of critical infrastructure – the NIS 2 Directive and the CER Directive, which was transposed into Slovak law by Act No. 367/2024 Coll. on Critical Infrastructure – covers sectors such as energy, transport, healthcare, digital infrastructure, financial services and public administration. High-performance computing systems and research infrastructure, however, do not have their own standalone category within these frameworks. They fall partly under digital infrastructure and partly under research, yet their strategic importance for defence, science and the development of artificial intelligence remains covered only indirectly.


At the same time, 2026 is a pivotal year for Slovakia. State administration bodies are required to identify critical entities under Act No. 367/2024 Coll. by no later than 17 July 2026. In parallel, the National Cybersecurity Strategy for 2026 to 2030 is being fully implemented. This is precisely the right moment to reconsider whether the current categories of critical infrastructure adequately reflect the strategic importance of sovereign computing capacities – and whether these elements do not require more explicit inclusion in the regulatory framework.


“The Tianjin incident is important for us not because it took place in China, but because of what it reveals about the nature of today’s threats. If an unknown actor can operate for months inside the environment of a national computing centre without being detected, this is a warning for every operator of sensitive infrastructure, regardless of geography. Sovereign computing capacities are becoming a strategic asset to which we must pay the same attention as to energy grids or telecommunications hubs,” says Tibor Straka, President of the Critical Infrastructure Association of the Slovak Republic.


Lessons for the Slovak context


The analysis of the information available to date yields several conclusions that are also relevant for Slovak critical infrastructure entities.


First, the fundamental security principles – network segmentation, rigorous credential management and monitoring of unusual data activity – remain the first line of defence even against the most advanced adversaries. Major incidents rarely begin with zero-day vulnerabilities; far more often, they exploit neglected identity and network hygiene.


Second, the ability to detect is just as important as the ability to prevent. The six-month presence of an attacker in a sensitive environment illustrates that it is not enough to invest only in the perimeter; continuous monitoring of internal operations and the ability to recognise anomalies in good time are equally crucial. The shift from formal documentation to the demonstrable functionality of security measures, brought about by the transposition of the NIS 2 Directive, is a fundamental step in this direction.
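The monitoring point above, shown as an added example that is not from the original article or from any party it names: a per-flow volume rule compared with a long-window, per-host egress budget that also checks how the volume is spread across destinations. Host names, addresses (documentation ranges), flow records and thresholds are all constructed assumptions.

```python
from collections import defaultdict

GB = 10**9

def build_sample_flows(days=30):
    """Constructed sample flows: (day, internal_host, external_dst, bytes_out)."""
    flows = []
    for day in range(days):
        # hypothetical login node: small daily uploads spread over 20 destinations
        for n in range(20):
            flows.append((day, "hpc-login-02", f"203.0.113.{n + 1}", 4 * GB))
        # hypothetical backup host: one large, expected nightly transfer to one peer
        flows.append((day, "backup-01", "198.51.100.10", 60 * GB))
        # hypothetical workstation: ordinary light traffic
        flows.append((day, "ws-17", "192.0.2.5", 1 * GB))
    return flows

def per_flow_alerts(flows, limit=50 * GB):
    """Naive rule: alert on any single daily host-to-destination flow above limit."""
    return sorted({src for _, src, _, b in flows if b > limit})

def slow_exfil_alerts(flows, window=14, budget=500 * GB, max_share=0.25,
                      allow=frozenset()):
    """Flag hosts whose total egress in any `window`-day span exceeds `budget`
    while no single destination carries more than `max_share` of that total."""
    by_host = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, src, dst, b in flows:
        if dst not in allow:          # allow-list of reviewed, expected peers
            by_host[src][day][dst] += b
    alerts = {}
    for src, days in by_host.items():
        for start in range(min(days), max(days) - window + 2):
            per_dst = defaultdict(int)
            for d in range(start, start + window):
                for dst, b in days.get(d, {}).items():
                    per_dst[dst] += b
            total = sum(per_dst.values())
            if total > budget and max(per_dst.values()) / total <= max_share:
                alerts[src] = {"window_start": start, "bytes": total,
                               "destinations": len(per_dst)}
                break                 # first offending window is enough per host
    return alerts

if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-flow rule:", per_flow_alerts(sample))
    print("long-window rule:", slow_exfil_alerts(sample))
```

On the constructed data the per-flow rule fires only on the benign backup host, while the long-window rule flags the host whose individually small transfers add up across many destinations.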


Third, research and computing institutions, often perceived as academic environments with an open culture, are, in today’s geopolitical context, becoming strategic targets. Slovak university computing centres, research institutions and HPC capacities of the Slovak Academy of Sciences should form part of the discussion on how to approach the protection of sovereign computing capacities within the framework of the new obligations arising from Act No. 367/2024 Coll.


The Critical Infrastructure Association of the Slovak Republic (AKI SR) provides a space for expert discussion of these topics, connects entities from the public and private sectors, and offers its members access to expert knowledge in the implementation of new regulatory requirements. Particularly at a time when the cybersecurity of critical infrastructure is shifting from formal preparation to demonstrable practice, such an exchange of experience and cross-sectoral coordination is indispensable.


The Tianjin incident is still awaiting full verification. Regardless of its final contours, however, it already fulfils one important function today: it reminds us that the strategic elements of modern society are also found in places that traditional frameworks for the protection of critical infrastructure have not yet explicitly identified.

