Recently, there has been a massive leak of classified documents related to the core technology of the Great Firewall of China, revealing that Chinese companies have established comprehensive network surveillance systems in several countries in South Asia, West Asia, and Africa, as well as participating in the construction of regional firewalls within China. A comprehensive network-control system is taking shape from provincial to national levels and from domestic to overseas locations, with the scale of its technological deployment and monitoring capabilities shocking the international community.
The leak originated from the important technical force behind the Great Firewall, Geedge Networks Ltd., and the Processing Architecture Group MESA Laboratory of the Second Research Institute of the Chinese Academy of Information Engineering.
Further analysis of this largest-ever document leak in the history of the Communist Party’s Great Firewall reveals the detailed overseas technical deployment of Geedge Networks Ltd., as well as the key role the company plays in the construction of regional firewalls within China.
According to the leaked documents, Geedge Networks Ltd. has provided technical services to at least five countries: Myanmar, Pakistan, Ethiopia, Kazakhstan, and one undisclosed country identified only by the code A24. These countries are labeled with codes in the leaked materials; most codes consist of the initial letter(s) of the country name followed by a two-digit year.
In Myanmar, Geedge Networks Ltd., founded by the man known as the “Father of the Great Firewall of China,” Fang Binxing, has the most comprehensive deployment.
The leaked documents show that the company’s hardware is installed in all internet service provider (ISP) data centers in Myanmar, including the four major ISPs: MyTel, Ooredoo, MPT, and ATOM, as well as smaller providers like Frontiir, Global Technology Group, and Golden TMH Telecom.
It is worth noting that the Myanmar ISP Frontiir had previously denied involvement in any monitoring projects. However, the leaked documents clearly show that Geedge Networks Ltd. equipment is indeed deployed in all ISP facilities in Myanmar, including Frontiir’s. The documents also include all ISP link testing reports, showing website connectivity test information conducted on different dates in 2024 to assess the effectiveness of network censorship by each ISP.
Myanmar’s “VPN blocklist” is longer than in other client countries, with the documents detailing the process of setting up “high priority application” blocking rules covering 55 applications, including messaging apps like Signal and WhatsApp.
Geedge Networks Ltd. also developed a specialized tool, Psiphon3-SLOK, to enumerate Psiphon endpoints, which matches the changes observed in Psiphon connections when Geedge entered Myanmar in May 2024.
In Pakistan, Geedge Networks Ltd. took over from the Canadian company Sandvine, which was sanctioned by the United States for “enabling human rights abuses” in 2023. The leaked documents show that Geedge not only utilized existing Sandvine installed equipment but also provided new technology to drive Pakistan’s “Web Monitoring System 2.0.”
Amnesty International refers to the firewall operated by Geedge Networks Ltd. as “WMS 2.0” to distinguish it from the earlier version, WMS. The description given by a senior executive at a major Pakistani ISP aligned closely with Geedge’s marketing materials: the new WMS is deployed not only at the national internet gateways but also in the local data centers of mobile service providers and ISPs.
Geedge Networks Ltd.’s Sanity Directory has the capability to attribute network behavior to specific SIM cards. This function is particularly sensitive in Pakistan because since 2015, all new SIM cards issued to mobile users must be registered to a specific user and tied to biometrics registered through the national database and registration authority.
In Ethiopia, Geedge Networks Ltd. collaborated with the local telecommunications operator Safaricom to deploy monitoring equipment in its regional data centers. The leaked documents reveal an important detail: the direct correlation between switching from mirror mode to online mode and the government’s preparations for implementing internet shutdowns.
During the nationwide anti-government protests in Ethiopia in February 2023, a Geedge Networks Ltd. work order indicated that its experts were called in to handle issues related to social media platforms like YouTube, Twitter (now called X), which coincided with reports of these platforms being blocked at the time.
The leaked document log shows that out of 18 changes to online mode in Ethiopia, two occurred before the internet shutdown in February 2023.
As Geedge Networks Ltd.’s first client, the government of Kazakhstan has been using the company’s technology since 2019. Geedge’s TSG (Security Gateway) product is capable of executing TLS man-in-the-middle attacks, and the company presented this capability as a key selling point when it first engaged the Kazakhstan government.
A “man-in-the-middle attack” is one in which an attacker secretly intercepts, and may alter, communications between two parties without their knowledge. TLS man-in-the-middle attacks target the handshake that initializes an encrypted session, so that the interceptor, rather than the genuine server, ends up holding the session keys.
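Because an interception gateway of the kind described above has to present its own certificate to the client during the handshake, the basic defensive check is to compare the certificate actually received with a pin recorded out-of-band. The following is an added example written for this article; it is not code from the leaked documents or from Geedge. The DER byte strings, fingerprints and the handshake “log” are constructed sample data, and `example.test` / `unpinned.test` are placeholder hosts.

```python
"""Pinned-certificate check to detect a TLS man-in-the-middle.

Added example, not code from the leaked documents or from Geedge.
All certificate bytes, fingerprints and the handshake log below are
constructed sample data.
"""
import hashlib
import socket
import ssl
from typing import Dict, List

# Constructed sample data standing in for real DER-encoded certificates.
GENUINE_CERT_DER = b"constructed-der-bytes-for-genuine-example.test-cert"
INTERCEPTOR_CERT_DER = b"constructed-der-bytes-for-interceptor-issued-cert"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the peer (genuine server or interceptor) presents.

    Verification is disabled on purpose: an interceptor whose CA the client
    already trusts would otherwise pass silently, and one whose CA it does
    not trust would abort the handshake before we could record the
    certificate. This is the only function that touches the network; the
    offline demonstration below does not call it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def find_mitm_sessions(observed: List[Dict[str, str]],
                       pins: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Return sessions whose presented certificate matches none of the pins.

    `observed` holds {"host", "network", "fingerprint"} records, e.g. collected
    by calling fetch_leaf_cert_der() from several networks. `pins` maps a host
    to the list of acceptable fingerprints (several, so that a legitimate
    certificate rotation is not flagged). Hosts without a pin are skipped.
    """
    suspicious = []
    for session in observed:
        expected = pins.get(session["host"])
        if expected is None:
            continue
        if session["fingerprint"] not in expected:
            suspicious.append(session)
    return suspicious


# Constructed handshake log: one session from an untouched network and one
# from a network where an interception gateway re-signed the certificate.
PINS = {"example.test": [cert_fingerprint(GENUINE_CERT_DER)]}
OBSERVED = [
    {"host": "example.test", "network": "office",
     "fingerprint": cert_fingerprint(GENUINE_CERT_DER)},
    {"host": "example.test", "network": "mobile",
     "fingerprint": cert_fingerprint(INTERCEPTOR_CERT_DER)},
    {"host": "unpinned.test", "network": "mobile",
     "fingerprint": cert_fingerprint(b"constructed-unpinned-cert")},
]

if __name__ == "__main__":
    for s in find_mitm_sessions(OBSERVED, PINS):
        print(f"possible TLS interception on network '{s['network']}' "
              f"for {s['host']}: {s['fingerprint'][:16]}...")
```

Pins should be recorded from a network you have reason to trust and refreshed when the site rotates certificates; a mismatch from only one network, as in the sample log, is the signature of in-path interception rather than of a server-side change.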
An image dated October 16, 2020, lists the IP addresses of a national center and 17 other cities running three Geedge Networks Ltd. products: Bifang (central management), Galaxy (the early name of TSG-Galaxy), and Nezha (the former name of Network Zodiac).
Of note, the leaked documents reveal Geedge Networks Ltd.’s in-depth research on circumvention technology. The company purchases VPN accounts and operates a cluster of mobile devices with VPN applications installed for studying their network behavior.
Using reverse engineering techniques, Geedge Networks Ltd. creates blocking rules through static and dynamic analysis. Static analysis involves decompiling application source code to find APIs that return server lists; dynamic analysis simultaneously runs VPN applications to analyze their network traffic patterns, identifying patterns that can be used for blocking.
The company has established an application network fingerprint database called AppSketch, containing a vast amount of application-specific fingerprint information. A control-panel screenshot lists numbered VPN entries, including CyberGhost VPN, Hotspot VPN, and Opera VPN, totaling 4,081.
More alarmingly, Geedge Networks Ltd.’s system can discover new VPN endpoints by observing the past known behavior of VPN users. Once an individual is identified as a known VPN user, the system can track their internet usage and classify any future unknown high-bandwidth traffic as suspicious, thereby identifying and blocking previously unidentified services.
In addition to overseas projects, the leaked documents also reveal Geedge Networks Ltd.’s involvement in the construction of regional (provincial-level) firewalls within China, marking the emergence of a provincial-level firewall model as a supplement to the national-level Great Firewall of China.
The Xinjiang project (code J24) is one of Geedge Networks Ltd.’s most important domestic projects. The leaked materials include a speech record from June 22, 2024, at the Xinjiang Branch of the Chinese Academy of Sciences, stating that the Geedge project aims to “make the regional center a front-line force in counter-terrorism, especially in suppressing circumvention.”
The speech record mentions that the country’s (firewall) is evolving from centralized to distributed, and the Xinjiang regional center aims to “become a replicable or modelable provincial-level (firewall) construction template.” This indicates that the regional firewall in Xinjiang will serve as a template for national deployment in China.
The requirements for the deployment in Xinjiang demonstrate strong and intrusive monitoring demands. Geedge Networks Ltd. hopes to support functions in Cyber Narrator for the deduction and analysis of user internet behaviors, lifestyle patterns, and relationships, as well as the ability to build relationship diagrams based on communication targets and classify groups based on the applications or websites used by the users.
The system also plans to include the ability to check connections to specific mobile base station users, perform location triangulation through base stations, detect mass gatherings in certain areas, create geofences, trigger alerts when specific individuals enter designated areas, and query historical location information to track past activities.
The documents show that Geedge Networks Ltd. conducted a similar provincial-level firewall pilot project in Fujian in 2022. The Fujian project is referred to as the “Fujian Project,” but details are relatively limited.
In Jiangsu, Geedge Networks Ltd. collaborated with the Jiangsu Public Security Bureau purportedly to combat online fraud. Communication records show that the public security department was cautious about allowing Geedge to build a big data cluster and preferred the company to deploy its tools on existing infrastructure. The “Jiangsu Anti-Fraud Project” was transferred to production mode on March 15, 2024.
The leaked documents reveal the impressive range of Geedge Networks Ltd.’s technical capabilities. In addition to traditional deep packet inspection and blocking functions, the company’s TSG system also has the ability to inject and modify traffic, which can be used for blocking purposes or infecting users with malware.
The system can dynamically modify HTTP sessions using techniques such as spoofing redirect responses, modifying headers, injecting scripts, replacing text, and overlaying response bodies. The online injection capability of TSG allows malicious code to be inserted into files as they are transmitted over the network, enabling “real-time” modification of various file formats, including HTML, CSS, and JavaScript, as well as Android APK files, Windows EXE files, macOS DMG images, and Linux RPM packages.
More alarmingly, Geedge Networks Ltd. developed a system called “DLL Active Defense,” which is essentially a platform for launching DDoS attacks against websites considered politically undesirable. By leveraging the online injection capability of TSG, the system effectively “recruits” unwitting user devices to participate in the attacks, forming a zombie network (a botnet).
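In-path modification of unencrypted HTTP content, as described above, leaves two traces a defender can check for: a downloaded artifact no longer matches the checksum the vendor published out-of-band, and a page carries `<script>` elements that the known-good copy does not. The following is an added example written for this article, not code from the leaked documents or from Geedge; the baseline page, the “received” page, the installer bytes and the host names (`example.test`, `injected.test`) are constructed sample data.

```python
"""Detecting in-path modification of HTTP content.

Added example, not code from the leaked documents or from Geedge.
Two checks:
  1. a downloaded artifact is compared with a checksum obtained out-of-band
     (e.g. over HTTPS, or verified via a signature);
  2. an HTML page is diffed against a known-good copy for <script> elements
     that were not there before.
All sample pages, bytes and host names below are constructed.
"""
import hashlib
import hmac
from html.parser import HTMLParser
from typing import List, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def download_matches_checksum(received: bytes, published_sha256: str) -> bool:
    """True only if the received bytes hash to the checksum obtained out-of-band."""
    return hmac.compare_digest(sha256_hex(received), published_sha256.lower())


class _ScriptCollector(HTMLParser):
    """Records external script sources and a digest of each inline script body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append("src:" + src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).encode()
            self.scripts.append("inline:" + sha256_hex(body)[:16])


def script_set(html: str) -> Set[str]:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return set(parser.scripts)


def injected_scripts(baseline_html: str, received_html: str) -> List[str]:
    """Scripts present in the received page but absent from the known-good copy."""
    return sorted(script_set(received_html) - script_set(baseline_html))


# Constructed known-good page and a constructed copy as an interceptor
# might deliver it: one extra external script and one extra inline script.
BASELINE_PAGE = """<html><head><title>Update</title>
<script src="/static/app.js"></script></head>
<body><p>Download the client from example.test.</p></body></html>"""

RECEIVED_PAGE = """<html><head><title>Update</title>
<script src="/static/app.js"></script>
<script src="http://injected.test/track.js"></script></head>
<body><p>Download the client from example.test.</p>
<script>document.cookie = "marker=1";</script></body></html>"""

# Constructed installer bytes; the vendor would publish the checksum over HTTPS.
GENUINE_INSTALLER = b"constructed installer bytes v1.0"
PUBLISHED_SHA256 = sha256_hex(GENUINE_INSTALLER)
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00appended bytes"

if __name__ == "__main__":
    print("genuine installer ok:", download_matches_checksum(GENUINE_INSTALLER, PUBLISHED_SHA256))
    print("tampered installer ok:", download_matches_checksum(TAMPERED_INSTALLER, PUBLISHED_SHA256))
    for entry in injected_scripts(BASELINE_PAGE, RECEIVED_PAGE):
        print("unexpected script:", entry)
```

The script diff only catches what the baseline lacks, so the baseline must itself be fetched over a channel you trust; the checksum comparison is the stronger of the two checks and is the one to rely on for executables and packages.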
The leaked documents reveal a worrying fact: customer data stored in TSG Galaxy is accessible to Geedge Networks Ltd. employees, as well as to students and researchers at MESA Laboratory. The data shows that snapshots of real customer data are sometimes shared with the closely associated Chinese Academy of Sciences MESA Laboratory for research purposes.
Furthermore, Geedge Networks Ltd. employees have the ability to create Wi-Fi networks within their offices, allowing any device to remotely connect to customer networks. This feature allows them to verify the effectiveness of blocking mechanisms in real-world scenarios but also poses significant security risks.
The four countries mentioned earlier – Myanmar, Pakistan, Ethiopia, and Kazakhstan – where Geedge Networks Ltd. provides technical services have signed agreements related to the Belt and Road Initiative with China, which has been criticized by the West as “debt-trap diplomacy.” Except for Ethiopia, the leaders of the other three countries have recently attended China’s September 3 military parade.
It is worth noting that Nepalese Prime Minister Khadga Prasad Oli also attended China’s military parade on September 3 and met with Chinese Communist Party leader Xi Jinping during his visit to China, emphasizing deepening bilateral relations and advancing Belt and Road cooperation.
On September 4, the Nepalese government blocked 26 social media platforms including Facebook, Instagram, YouTube, and X, citing the need to “combat fake accounts.” This move led to public protests, condemning the government for implementing internet censorship.
The protests escalated into street demonstrations from September 8, with public dissatisfaction extending to government corruption and economic hardships, intensifying clashes between police and civilians. On September 9, Prime Minister Oli and several key ministers announced their resignations, leading to the collapse of the Communist Party regime that had been in power continuously for 10 years. On September 12, former Chief Justice Sushila Karki was appointed interim prime minister in preparation for the parliamentary elections in March 2026.
This unprecedented document leak not only exposes the internal operations of the Great Firewall’s technology but also reveals the complete system for exporting Chinese network censorship technology overseas. From technological development to overseas deployment, from combating circumvention tools to constructing regional firewalls, Chinese entities including Geedge Networks Ltd. have built a global surveillance network.
John Moolenaar, Chairman of the Subcommittee on China of the U.S. House of Representatives, previously published an article in Newsweek criticizing the Chinese Communist Party for using the Great Firewall to implement social control, block platforms like Facebook and X, disrupt information flow, and export surveillance technology to authoritarian states. He called for the dismantling of the Great Firewall, an end to censorship and restrictions on speech, and enabling the Chinese people to access the truth.