<![CDATA[Natto Thoughts: State Actors]]>https://www.nattothoughts.com/s/mss-mps-and-plahttps://substackcdn.com/image/fetch/$s_!t3eQ!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd0e4005-414e-4e49-9a9a-3b89d3e533f5_629x629.pngNatto Thoughts: State Actorshttps://www.nattothoughts.com/s/mss-mps-and-plaSubstackWed, 27 May 2026 10:29:06 GMT<![CDATA[China’s National Research Center for Information Technology Security: Is It Part of the PLA Cyberspace Force?]]>https://www.nattothoughts.com/p/chinas-national-research-center-forhttps://www.nattothoughts.com/p/chinas-national-research-center-forWed, 25 Feb 2026 15:02:37 GMTOver the years, the Natto Team has published a substantial amount of research on the role of China’s private sector in building the country’s cyber capabilities. The private sector, particularly the cybersecurity industry, has become an indispensable resource for the Chinese government in conducting advanced technological cybersecurity research, supporting offensive cyber operations, and defending the country’s critical infrastructure. However, we recognize that no matter how important the private sector’s role is, the government and military must have their own affiliated entities to conduct cybersecurity research and development, respond to cyber incidents, protect critical infrastructure, perform security testing and product evaluation, and carry out cyber operations. Glimpses of their activity come to light, such as the 2020 US indictment of members of the PLA 54th Research Institute for the “brazen criminal heist” of information from US credit reporting agency Equifax.1 What more can we learn about entities directly affiliated with government agencies like the Ministry of State Security (MSS) or the People’s Liberation Army (PLA)? What capabilities do they possess that contribute to China’s emergence as “Cyber Superpower”?

NITSC website banner. Source: NITSC

In this post, the Natto Team explores an example of a Chinese government and military-affiliated entity—the National Research Center for Information Technology Security (NITSC) (国家信息技术安全研究中心). We examine its organizational structure, affiliations, and capabilities, then reveal its military connections. Lastly, we present questions for further research.

Subscribe now

Read more

]]><![CDATA[Provincial Tasking, Cross-Provincial Execution: A Case-Based Look at How China Scales Cyber Operations ]]>https://www.nattothoughts.com/p/provincial-tasking-cross-provincialhttps://www.nattothoughts.com/p/provincial-tasking-cross-provincialWed, 28 Jan 2026 15:02:08 GMTIn a previous piece, we argued that provincial Ministry of State Security (MSS) bureaus function as key organizational nodes in China’s cyber operations – acting as operational nerve centers with their own internal priorities, resources, and institutional logics.1 But this decentralization does not mean that cyber operations are siloed at the provincial level.

Disclosures from a 2024 leak, together with a March 2025 U.S. indictment involving Anxun (i-SOON) Information Technology Co., Ltd (安洵信息技术有限公司), which has been linked to Chinese state-sponsored cyber campaigns, indicate that a single commercial actor can be tasked by, actively seek contract opportunities from, or perform work for, a large number of provincial MSS and Ministry of Public Security (MPS) bureaus. This case provides rare visibility into how a single firm can support multiple, distinct provincial mandates and supply the operational capacity through which intrusions are carried out at near-national scale.

Building on this, this piece examines how companies allegedly linked to APT activity – concentrated in a small number of provinces – enable cross-provincial operational scaling, even as provincial bureaus remain the primary source of tasking and authority. It begins by briefly distinguishing legitimate businesses from front companies, then traces how earlier cyber operations were likely predominantly organized around provincially bounded, bureau-executed models centered on front companies.2 Next, it shows how market maturity enabled greater collaboration between government agencies and legitimate firms, and concludes by examining why these firms are concentrated in a handful of provinces.

Natto Thoughts is a reader-supported publication. To receive new posts and support the Natto Team’s work, consider becoming a free or paid subscriber.

Read more

]]><![CDATA[The Many Arms of the MSS: Why Provincial Bureaus Matter in China’s Cyber Operations]]>https://www.nattothoughts.com/p/the-many-arms-of-the-mss-why-provincialhttps://www.nattothoughts.com/p/the-many-arms-of-the-mss-why-provincialTue, 16 Dec 2025 17:01:34 GMT

To defend systems, one must first pinpoint the source of malicious activity. Most cyber threat intelligence (CTI) firms focus on tactical and operational attribution: tactical attribution identifies and clusters technical details such as malware used, attack methods, or indicators of compromise, while operational attribution uses characteristics of activity clusters to infer group profiles and assigns labels like “APT” or “UNC.”1 Strategic attribution goes further by identifying the real-world individuals or entities behind an intrusion.

Some CTI experts debate the conditions under which strategic attribution is appropriate, while others highlight the technical challenges of identifying threat actors, the political motivations behind public disclosure, and the legal standards required to assign responsibility. The Natto Team and other researchers believe that – compared to “cluster-based” tactical and operational attribution – the strategic identification of real-world individuals and o…

Read more

]]>