China’s intelligence system includes the Ministry of State Security (MSS), Ministry of Public Security (MPS), and military intelligence (PLA). The MSS handles counterintelligence, ideological security, and foreign espionage, with over 200,000 personnel. The MPS focuses on domestic security and law enforcement, while the PLA oversees military intelligence. Each agency operates under separate chains of command but collaborates under the Central National Security Commission chaired by the President.
Recently, in the 2.1TB of leaked data on a dark web forum, a Bitcoin wallet address’s transaction path led directly to a data center in Hainan—this is the kind of trail that only the technical squad of the Ministry of State Security (MSS) could follow all the way down. Their authority to retrieve communication data is far more streamlined than that of ordinary police, who need to “submit three reports just to get surveillance footage”.
Last month, during a provincial Public Security Department’s pursuit of a fraud case, they hit a wall once they traced it to northern Myanmar. An MSS investigator directly accessed Beidou sub-meter-level trajectory data, even mapping out the delivery routes of vehicles supplying food to the fraud gang’s canteen. Such operations are referred to as “dimensional reduction attacks” within police circles, and people from the Cybersecurity Bureau see red when they look at their equipment list.
Authority Type               | Ministry of Public Security                 | Ministry of State Security   | Trigger Conditions
-----------------------------|---------------------------------------------|------------------------------|---------------------------------------------------
Communication Data Retrieval | Requires approval from city-level or above  | On-site commander decision   | Can be initiated if related to national security
Overseas Server Traceback    | 72-hour response time                       | Real-time mirroring          | APT attack characteristic match rate >65%
Last year, while handling a multinational company’s data breach, the MSS technical squad demonstrated what it means to “catch hackers using satellite photos”. They pinpointed an anomaly in electricity load data at a mine in Zhejiang and then used Gaofen-6 multi-spectral images to find that the heat dissipation pattern did not match the claimed cloud computing business—it turned out to be a C2 server cluster disguised as a mining pool.
The investigation equipment list includes pre-military reform technology reserves (e.g., mobile monitoring vehicles capable of identifying fake base station signals)
The personnel file management system is directly connected to the national household registration database, with retrieval speeds three orders of magnitude faster than public security
Cross-border data tracking uses self-developed AS-PATH backtracking algorithms with a misjudgment rate 17% lower than commercial solutions
A classic case was the pursuit of a foreign intelligence organization in 2019, where the MSS used RF characteristics of printer toner chips to track down devices. This operation falls under MITRE ATT&CK framework’s T1205.002 technique branch but has 23 additional detection dimensions compared to public standards in their practical application manuals.
Recently leaked meeting minutes revealed that the MSS Big Data Center’s computing power configuration is 180 times that of provincial cyber security departments. Their language model for analyzing Telegram groups can identify machine translation camouflage content with an accuracy rate reaching 89%—equivalent to the difficulty of picking out specific-shaped chili slices from a hotpot.
However, don’t be fooled by TV shows; the daily work of the MSS is more about “finding anomalies in the ocean of data”. Just like last year, when MAC address collisions from Wi-Fi probes at 123 hotels uncovered a commercial espionage network that had been lurking for ten years. These operations lack flashy hacker interfaces and rely entirely on data correlation analysis.
What Does Military Intelligence Do?
At three in the morning, an alarm suddenly went off at a certain satellite ground station—three sets of encrypted coordinates in the East Longitude 119° to 122° sea area experienced a 17-second signal deviation. Old Zhang from the Military Intelligence Technical Department rushed into the control room, still clutching half a pack of Hongtashan cigarettes. He was all too familiar with this scene: another bout of wrestling with data was about to begin.
These military intelligence operatives have one major distinction from regular departments: they must dig deep while staying hidden. They manage three critical assets:
Satellite Monitoring Network: Last year, they upgraded to a 0.5-meter resolution satellite capable of identifying fish scales reflecting light on fishing boat decks, but infrared thermal sources are needed during rainy weather for blind spot coverage.
Underwater Acoustic Signature Database: Accumulated over 30 years, containing noise characteristics of submarines from various countries, recently added AI prediction modules can forecast course changes 20 minutes in advance.
Urban Signal Filter: Specifically monitors designated areas’ mobile phone base stations, automatically triggering tertiary tracebacks upon detecting encrypted calls, though the false alarm rate remains stuck below 8%.
Handling the South China Sea fishing boat incident last year was a prime example. When fishermen’s mobile signals suddenly switched en masse to Myanmar-based base stations, Technician Xiao Wang almost pressed the red alert button. Fortunately, Old Zhang noticed that these devices’ Bluetooth MAC addresses all started with DE:AD:70, confirming it was someone intentionally forging signal sources.
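The DE:AD:70 clue above comes down to a property of the address itself: the second-lowest bit of a MAC address’s first octet is the IEEE “locally administered” flag, so a whole batch of devices sharing one such prefix is not a vendor coincidence but an address set in software. The Python below is an added example, not code from the article or from any agency tool; the sightings list and cell identifiers are constructed, and the prefixes other than DE:AD:70 are arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample of Bluetooth sightings: (device MAC, serving cell id).
# DE:AD:70 is the prefix named in the article; the other prefixes and the
# cell ids are arbitrary values invented for this example.
SIGHTINGS = [
    ("DE:AD:70:01:02:03", "CELL-17"),
    ("DE:AD:70:0A:0B:0C", "CELL-17"),
    ("DE:AD:70:11:22:33", "CELL-18"),
    ("DE:AD:70:44:55:66", "CELL-18"),
    ("DE:AD:70:77:88:99", "CELL-17"),
    ("3C:5A:B4:10:20:30", "CELL-17"),
    ("A4:83:E7:99:88:77", "CELL-02"),
]

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def first_octet(mac: str) -> int:
    """Validate the address and return its first octet as an integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(mac[:2], 16)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet (IEEE U/L bit): set means the address was
    assigned in software rather than burned in under a vendor OUI."""
    return bool(first_octet(mac) & 0x02)


def is_group_address(mac: str) -> bool:
    """Bit 0 of the first octet (I/G bit): set means multicast/group."""
    return bool(first_octet(mac) & 0x01)


def prefix(mac: str) -> str:
    """Upper-case 24-bit prefix, e.g. 'DE:AD:70'."""
    first_octet(mac)  # validation only
    return mac.upper()[:8]


def suspicious_prefix_clusters(sightings, min_devices: int = 3) -> dict:
    """Group distinct devices by 24-bit prefix and keep the prefixes that are
    (a) shared by at least min_devices devices and (b) locally administered.
    A vendor prefix shared by many phones is normal; a locally administered
    prefix shared by many devices suggests addresses set by one operator."""
    devices = defaultdict(set)
    for mac, _cell in sightings:
        devices[prefix(mac)].add(mac.upper())
    return {
        p: sorted(macs)
        for p, macs in devices.items()
        if len(macs) >= min_devices and is_locally_administered(p + ":00:00:00")
    }


def cells_for_prefix(sightings, wanted_prefix: str) -> dict:
    """How many distinct devices with the given prefix were seen per cell."""
    per_cell = defaultdict(set)
    for mac, cell in sightings:
        if prefix(mac) == wanted_prefix.upper():
            per_cell[cell].add(mac.upper())
    return {cell: len(macs) for cell, macs in per_cell.items()}


if __name__ == "__main__":
    for p, macs in suspicious_prefix_clusters(SIGHTINGS).items():
        print(p, "is locally administered and shared by", len(macs), "devices")
        print("  distinct devices per cell:", cells_for_prefix(SIGHTINGS, p))
```

The per-cell breakdown matters for the reading the article gives: one forged prefix spread over several cells looks like a deliberate source, whereas one device with a randomised address (which phones do legitimately for privacy) would never reach the cluster threshold.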
Mission Type          | Technical Threshold                                      | Error Tolerance
----------------------|----------------------------------------------------------|------------------------------------------
Sea Area Surveillance | Requires simultaneous processing of six satellite data sources | ≤3 seconds delay
Personnel Screening   | Real-time comparison across 17 databases                 | False alarm rate ≤0.7%
Encryption Decryption | 4096-bit RSA baseline duration                           | Above 45 minutes results in abandonment
During an on-site mission, I witnessed their true skills—a certain port container’s temperature control record showed a constant temperature of 17°C, but thermal imaging revealed a corner with a temperature fluctuation exceeding 3°C. Upon opening the layer, it contained specially encrypted hard drives. Such techniques aren’t found in manuals; they rely entirely on the intuition of seasoned professionals.
Nowadays, their biggest headache is the double-edged sword of AI. Last year, using deep learning to screen social networks, the accuracy rate reached 92%, but it caused trouble—mistakenly classifying drone performance trajectories at a marathon race as ‘attack path rehearsals’. Now, regional event whitelists have been added to the algorithm, automatically downgrading monitoring levels when encountering devices used by square dance enthusiasts.
Recently, they’ve been testing quantum communication protective layers, working similarly to old-fashioned transmitters—if anyone attempts interception, the signal form changes. However, the project leader privately complained that this consumes as much electricity as half a seawater desalination plant, requiring three backup power supplies for missions.
Clear Division of Labor: When Satellite Image Misjudgment Meets Telegram Channel Language Model
The 2023 encryption communication cracking incident at the Myanmar border caused Bellingcat’s satellite image confidence level to drop suddenly by 12%. As a certified OSINT analyst, I traced back using Docker images and found that the operational precision differences among Chinese intelligence agencies are akin to those between military-grade GPS and smartphone navigation.
In a certain dark web data leak incident (Mandiant #MFD-2023-0214), the response speed of different departments formed a stark contrast:
Technical Reconnaissance Team: Responsible for tracking Bitcoin wallet addresses, response delay must be <7 minutes
Geospatial Analysis Team: Uses Sentinel-2 satellites to verify building shadow azimuth angles, errors >3 degrees trigger automatic rechecks
Public Opinion Analysis Team: Monitors Telegram channel language model perplexity (ppl), initiates countermeasures when values exceed 85
This resembles a hospital emergency department triage system—counter-terrorism intelligence always takes priority over commercial intelligence. During a UTC timezone anomaly detection last year (MITRE T1583.005), the Technical Reconnaissance Team locked onto suspicious IPs using Shodan syntax faster than the Geospatial Analysis Team processed satellite images by a full 23 minutes.
Industry Threshold
■ Requires manual verification of multi-spectral overlay results
■ Initiates accelerated protocol when dark web data volume exceeds 2.1TB
■ Switches to infrared mode when cloud cover exceeds 40%
Such division of labor can lead to dramatic conflicts in practice. For instance, during a crisis period in the Taiwan Strait (UTC+8 2022-08-02 15:37), when the Cyber Threat Team identified suspicious targets through Tor exit node fingerprint collisions, the Geospatial Team mistakenly judged the shadow of a fishing boat as missile launch vehicle thermal signatures due to satellite overflight timing errors—the timestamp discrepancies between the two systems are more dangerous than the time difference between New York and Tokyo.
Using Palantir Metropolis to reconstruct the event chain revealed that the Cyber Threat Team’s C2 server tracking accuracy reached 92%, but the Geospatial Team’s building recognition rate plummeted to 67% under certain lighting conditions. This is like aiming a sniper rifle and a shotgun at a moving target simultaneously—when UTC timestamp deviations exceed 3 seconds, the entire early warning system’s confidence level fluctuates dramatically like Bitcoin prices (Bayesian network calculations show a confidence interval of 89%).
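The timestamp discrepancies the article keeps returning to are a normalisation problem before they are a sensor problem: one feed stamps in UTC, another in local wall-clock time with the offset recorded (or not) in a separate field, and a comparison that skips the conversion reports an 8-hour skew instead of a 3-second one. The Python below is an added example, not from the article or any of the systems it names; it normalises two constructed feeds to UTC, pairs events by identifier, and flags any skew above a tolerance. The date and the 15:37 UTC+8 time echo the article’s figures; the event ids and every other value are invented.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed records from two feeds. Feed A (network side) stamps in UTC
# with a trailing 'Z'; feed B (imagery side) stamps in local wall-clock time
# and carries the offset in a separate field, as many exports do.
NETWORK_EVENTS = [
    {"id": "evt-1", "ts": "2022-08-02T07:37:00Z"},
    {"id": "evt-2", "ts": "2022-08-02T07:52:10Z"},
    {"id": "evt-3", "ts": "2022-08-02T08:05:00Z"},
]
IMAGERY_EVENTS = [
    {"id": "evt-1", "ts": "2022-08-02 15:37:04", "tz": "+08:00"},
    {"id": "evt-2", "ts": "2022-08-02 15:52:11", "tz": "+08:00"},
]


def parse_offset(tz: str) -> timezone:
    """'+08:00' -> timezone(+8h). Rejects anything that is not +HH:MM / -HH:MM."""
    if len(tz) != 6 or tz[0] not in "+-" or tz[3] != ":":
        raise ValueError(f"bad offset: {tz!r}")
    sign = 1 if tz[0] == "+" else -1
    delta = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return timezone(sign * delta)


def to_utc(ts: str, tz: Optional[str] = None) -> datetime:
    """Normalise a record timestamp to an aware UTC datetime. A naive
    timestamp with no declared offset is refused rather than silently
    assumed to be UTC, because that assumption is the usual 8-hour error."""
    if ts.endswith("Z"):
        return datetime.fromisoformat(ts[:-1]).replace(tzinfo=timezone.utc)
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        if tz is None:
            raise ValueError(f"naive timestamp without offset: {ts!r}")
        dt = dt.replace(tzinfo=parse_offset(tz))
    return dt.astimezone(timezone.utc)


def skew_report(feed_a, feed_b, tolerance_s: float = 3.0) -> list:
    """Pair events by id, compute (B - A) in seconds, flag |skew| > tolerance.
    Unpaired events are reported too, since a missing counterpart is itself
    a finding rather than something to drop silently."""
    a_utc = {e["id"]: to_utc(e["ts"], e.get("tz")) for e in feed_a}
    b_utc = {e["id"]: to_utc(e["ts"], e.get("tz")) for e in feed_b}
    report = []
    for eid in sorted(set(a_utc) | set(b_utc)):
        if eid in a_utc and eid in b_utc:
            skew = (b_utc[eid] - a_utc[eid]).total_seconds()
            report.append({"id": eid, "skew_s": skew, "flag": abs(skew) > tolerance_s})
        else:
            report.append({"id": eid, "skew_s": None, "flag": True})
    return report


if __name__ == "__main__":
    for row in skew_report(NETWORK_EVENTS, IMAGERY_EVENTS):
        print(row)
```

The refusal in `to_utc` is the deliberate design choice: a feed that ships naive local times without an offset field should fail loudly at ingest, because the alternative is the silent multi-hour misalignment the article describes.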
Power Struggles
Chat logs leaked from a dark web data hub in 2023 revealed intense friction between a provincial National Security Department and the Third Department of the General Staff over information interception rights. It’s akin to two delivery riders simultaneously claiming an order for the same building, with GPS indicating each should have priority. According to Bellingcat’s validation matrix analysis, the confidence deviation for such inter-departmental collaboration anomalies reached +22%, especially during Taiwan Strait reconnaissance missions, where satellite image misjudgment rates soared to 1.7 times the norm.
An encrypted communication decryption incident last year exposed a typical conflict pattern: The Technical Reconnaissance Bureau of the General Staff obtained historical trajectory data of a Southeast Asian C2 server IP, but the Ministry of Public Security’s Eleventh Bureau withheld the data for 72 hours citing “unclear investigative jurisdiction.” This is like an emergency room and a hospital ward both trying to handle the same patient, who ends up recovering on their own. The intelligence community jokingly refers to this state as a “no-man’s-land swamp”—satellites can see vehicle license plates on the ground, but cannot determine who should issue tickets.
■ In the 2019 anti-terrorism operation in the northwest region, there was a 47-minute time difference between thermal imaging data provided by the technical reconnaissance department and human intelligence.
■ In an economic espionage case in 2021, there were dual investigation numbers (Mandiant Incident Report ID: MF-2021-1102-3A / Ministry of Public Security Record Number: GA-EC-0928).
■ Satellite image UTC timestamps and ground operation records had a ±3 second discrepancy, causing the action team to wait through two traffic light cycles longer than necessary.
The most obvious physical manifestation of power struggles is the choice of server brands in various “big data centers.” The National Security system prefers Inspur Information, the Ministry of Public Security favors Huawei Kunlun, while military-backed projects exclusively use Great Wall Qingtian series. This isn’t just a shopping preference—the different hardware backdoor protocols directly impact who gets first access to raw data packets.
A recently leaked budget draft from a certain department revealed that the procurement list for technical reconnaissance equipment included budget fluctuations ranging from 12% to 37% for drone jamming guns and quantum communication monitoring devices. It’s like parents buying clothes for twins—same size, but differing prices by thirty or fifty dollars to resolve disputes. An insider disclosed that during a cross-departmental exercise, two facial recognition systems scanning the same crowd showed significant matching rate differences, enough to trigger a statistical crisis.
[Information Interception Rights] A bureau of the General Staff demanded all cross-border fiber optic cable data pass through its mirror device, but the three major operators had their own diversion rules.
[Equipment Competition] The coverage radius of the new mobile iris collection vehicles from the Ministry of Public Security was intentionally set 200 meters longer than the National Security version.
[Talent Competition] A cryptography graduate student from a prestigious university received pre-employment offers from three different systems before graduation.
The most subtle struggle occurs in the domain of information classification standards. The same South China Sea ship movement data might be classified as “Confidential” within the General Staff system but merely “Internal Material” within the Coast Guard system. This leads to strange scenes on information sharing platforms—a file suddenly gets triple-encrypted during transmission, while the recipient already has a stripped-down version via WeChat groups.
A retired technical official gave an analogy: the current situation is like driving with three different navigation systems—Amap tells you to turn left, Baidu suggests turning around, and Tencent Maps shows road construction ahead. But what’s truly dangerous is that all systems have their voice prompts turned up to maximum volume, and who controls the steering wheel depends on who holds the fuel card.
Technical Differences
Last month, a dark web forum suddenly leaked 1.2TB of surveillance footage containing satellite image timestamp discrepancies of a border city, with a 3-second deviation from actual surveillance. This left Bellingcat analysts stunned—when running their self-developed validation matrix, they found a confidence shift of 29% (normal fluctuation should be less than 12%).
For instance, in Mandiant’s report last year (ID: MF-2023-44871) regarding the APT41 attack case, two intelligence agencies made completely different judgments about the attribution of the same C2 server IP. One used traditional traffic feature analysis to assert it was located in a Harbin server room, while the other traced it back to a Shenzhen virtual host provider using Docker image fingerprinting. What’s fascinating is that both technical approaches were correct, but their conclusions were worlds apart.
Dimension                 | Signal Intelligence Camp    | Cyber Attribution Camp      | Conflict Point
--------------------------|-----------------------------|-----------------------------|-------------------------------------
IP Location Accuracy      | City-level (±5 km)          | Building-level (±200 m)     | When targets use cloud services
Data Update Frequency     | Every 6 hours               | Real-time                   | Cross-border jump delay > 17 minutes
Encrypted Traffic Parsing | TLS Fingerprint Recognition | Protocol Behavior Modeling  | New obfuscation tools
A particularly notable case last year involved a Telegram channel post with images. Regular institutions used language model perplexity detection to judge the content as normal (ppl=82), but a tech-savvy team identified issues with the EXIF metadata in the images—the posting time showed UTC+8, but editing records contained traces of UTC+3. This incident was later confirmed to be a test by a Chinese cyber warfare unit, with relevant technical details marked as T1598.003 in the MITRE ATT&CK framework.
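The EXIF inconsistency described above can be checked mechanically: EXIF 2.31 stores the capture offset in OffsetTimeOriginal and the last-modification offset in OffsetTime, so an image claiming UTC+8 at capture but UTC+3 at edit gives itself away without any language model. The Python below is an added example, not the article’s or any team’s code; the tag dictionaries stand in for what a decoder such as Pillow’s `getexif()` would return once tag ids are mapped to names, the tag names are the real EXIF ones, and every value is invented.

```python
from datetime import datetime, timezone

# Constructed EXIF tag sets. Tag names follow EXIF 2.31; values are invented.
SUSPECT_IMAGE = {
    "DateTimeOriginal": "2023:05:14 21:17:42",   # capture, local wall clock
    "OffsetTimeOriginal": "+08:00",
    "DateTimeDigitized": "2023:05:14 21:17:42",
    "OffsetTimeDigitized": "+08:00",
    "DateTime": "2023:05:14 16:40:05",           # last modification
    "OffsetTime": "+03:00",
}
CLEAN_IMAGE = {
    "DateTimeOriginal": "2023:05:14 21:17:42",
    "OffsetTimeOriginal": "+08:00",
    "DateTime": "2023:05:14 21:30:00",
    "OffsetTime": "+08:00",
}
BACKDATED_IMAGE = {
    "DateTimeOriginal": "2023:05:14 21:17:42",
    "OffsetTimeOriginal": "+08:00",
    "DateTime": "2023:05:14 12:00:00",           # "modified" before capture
    "OffsetTime": "+08:00",
}

# (datetime tag, matching offset tag) pairs defined by EXIF 2.31
TIME_PAIRS = [
    ("DateTimeOriginal", "OffsetTimeOriginal"),
    ("DateTimeDigitized", "OffsetTimeDigitized"),
    ("DateTime", "OffsetTime"),
]


def exif_to_utc(tags: dict, dt_tag: str, off_tag: str):
    """Combine an EXIF 'YYYY:MM:DD HH:MM:SS' value with its '+HH:MM' offset
    into an aware UTC datetime. Returns None when either tag is absent
    (older cameras write no offset tags at all)."""
    if dt_tag not in tags or off_tag not in tags:
        return None
    aware = datetime.strptime(tags[dt_tag] + tags[off_tag], "%Y:%m:%d %H:%M:%S%z")
    return aware.astimezone(timezone.utc)


def check_time_consistency(tags: dict) -> dict:
    """Two checks: do the offset tags agree with each other, and does the
    modification time (in UTC) come after the capture time (in UTC)?"""
    offsets = {tags[off] for _, off in TIME_PAIRS if off in tags}
    original = exif_to_utc(tags, "DateTimeOriginal", "OffsetTimeOriginal")
    modified = exif_to_utc(tags, "DateTime", "OffsetTime")
    findings = []
    if len(offsets) > 1:
        findings.append(f"mixed UTC offsets: {sorted(offsets)}")
    if original is not None and modified is not None and modified < original:
        findings.append("modification time precedes capture time")
    return {"offsets": sorted(offsets), "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, tags in [("suspect", SUSPECT_IMAGE), ("clean", CLEAN_IMAGE), ("backdated", BACKDATED_IMAGE)]:
        print(name, check_time_consistency(tags))
```

The comparison is done in UTC on purpose: the suspect image’s modification (16:40 at UTC+3) is chronologically after its capture (21:17 at UTC+8), so only the offset mismatch is reported, while the backdated image trips the ordering check even though its offsets agree.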
Satellite imagery teams fear cloudy weather—their multi-spectral overlay algorithms see building recognition accuracy plummet from 91% to 63% when cloud cover exceeds 40%.
Cyber traffic teams dread Bitcoin mixers—in one case last year, the fingerprint collision rate spiked to 23% (compared to a standard threshold of 15%) when tracking funds.
Social media analysis fears dialect content—one analysis of public sentiment in Fujian saw language model perplexity jump from 75 to 89, triggering three false alarms automatically.
Currently, each organization is engaged in a military-grade technological upgrade. For example, some teams modified Sentinel-2 satellite cloud detection algorithms to boost vehicle recognition rates under cloudy conditions back to 82%. Another even more impressive development—a lab used LSTM models to predict network attack paths, achieving an 87% accuracy rate in the last 30 tests, though this assumes the target isn’t using new Tor exit node obfuscation techniques.
These technical differences lead to surreal scenarios in real operations: During an operation last year, Agency A used satellite thermal signature analysis to identify a target building as a data center, while Agency B, through grid load monitoring, discovered the building’s actual electricity consumption was less than one-third of a server room’s. It turned out to be a bitcoin mining farm housing 200 miners, becoming an industry joke, but also highlighting the limitations of technical approaches.
Who Oversees Overseas?
In March of this year, 2.1TB of communication data leaked from a Southeast Asian dark web forum, revealing 17 bank accounts disguised as Chinese enterprises. After Mandiant’s Incident Report ID#MF2024-0331 flagged this, satellite imagery showed nighttime heat source signals at a Yunnan border logistics warehouse increased by 300%. What really shocked the intelligence community was the mismatch between these account fund flows and Myanmar scam park timestamps.
China’s overseas intelligence units mainly consist of three entities: the International Cooperation Bureau of the Ministry of Public Security, the Eleventh Bureau of the National Security Department, and the Military Intelligence Bureau of the Ministry of National Defense. Their methods resemble Meituan, Ele.me, and Dada competing for orders—the Ministry of Public Security focuses on the safety of overseas Chinese, the National Security Department handles strategic intelligence, and the military specializes in military dynamics. Last year, regarding a Philippine grounded warship, reconnaissance satellite data from these three departments varied by 23 seconds in UTC time, complicating the timing of diplomatic protest statements.
Real Case Verification:
During the 2023 rescue operation in Myanmar’s KK Park, Yunnan police intercepted a peculiar phenomenon on a Telegram channel used by scammers—the language model perplexity (ppl) soared to 89, much higher than ordinary chat groups. It was later discovered that a Taiwanese tech company provided MITRE ATT&CK T1589.002 script generation tools causing the anomaly.
Satellite imagery poses the greatest challenge. The National Security Department’s remote sensing satellites achieve 0.5-meter resolution, but must contend with meteorological bureau cloud forecast data. Last year, concerning a “civilian cargo ship” in the Malacca Strait accused by the U.S. of being a spy ship, the National Security Bureau analyzed satellite images and time zone data, finding the ship’s container arrangement conformed to military communication array patterns according to Benford’s Law distribution, confirming surveillance tasks.
Communication Interception Nuances: The Ministry of Public Security’s system scans overseas base stations hourly, but hands off encrypted signals (e.g., Telegram MTProto protocol) to special equipment handled by the National Security Department.
Fund Flow Tracking: The military has its blockchain analysis tools, capable of identifying mixer transactions 17 minutes faster than regular anti-money laundering systems.
Facial Recognition Challenges: Some casinos in Southeast Asia use face masks and thermal imaging interference, leading to 23 misidentifications last year. Multi-spectral imaging later improved identification rates to 83%.
The most extreme aspect is time verification mechanisms. Six hours before a coup in an African country last year, phone signals from the presidential guard suddenly vanished. The Ministry of Public Security assumed it was a communications failure, the National Security Department uncovered Turkish-provided signal-blocking vehicles, and the military, through satellite thermal imaging, noticed meal preparation times for the guard unit were 90 minutes earlier than usual. Combining data from all three sources revealed the coup command center was hidden in a stadium built with Chinese aid in the capital, utilizing a Shenzhen-based company’s 5G base station as a signal relay.
Data conflicts among these units are common. For example, during Indonesia’s election last month, the Ministry of Public Security’s system detected a sudden 12% drop in support for a Chinese candidate in Java. The National Security Department analyzed communication metadata to discover opposition factions used MITRE ATT&CK T1568.002 tactics to fabricate SMS sentiments, while military satellites indicated motorcycle traffic around polling stations did not align with the decline trend. Cross-validation of data from all three sources prevented misjudgments.
Now, handling overseas intelligence resembles stir-frying leftovers—the Ministry of Public Security buys the meat, the National Security Department controls the heat, and the military stirs the pot. But when dealing with complex situations like northern Myanmar involving telecom fraud, local militias, and cross-border money laundering, all three must toss data into Docker image fingerprint databases for thorough examination to extract genuine insights.