<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Natto Thoughts: Contractors & Cutouts]]></title><description><![CDATA[This section examines the commercial firms involved in state-directed cyber operations, whether as cutouts providing deniability or as legitimate businesses facilitating or conducting intrusions – and what their exposure reveals about how China sources, tasks, and scales offensive cyber capacity.]]></description><link>https://www.nattothoughts.com/s/contractors-and-cutouts</link><image><url>https://substackcdn.com/image/fetch/$s_!t3eQ!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd0e4005-414e-4e49-9a9a-3b89d3e533f5_629x629.png</url><title>Natto Thoughts: Contractors &amp; Cutouts</title><link>https://www.nattothoughts.com/s/contractors-and-cutouts</link></image><generator>Substack</generator><lastBuildDate>Sun, 12 Jul 2026 03:17:54 GMT</lastBuildDate><atom:link href="https://www.nattothoughts.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Natto Thoughts]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[nattothoughts@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[nattothoughts@substack.com]]></itunes:email><itunes:name><![CDATA[Natto Team]]></itunes:name></itunes:owner><itunes:author><![CDATA[Natto Team]]></itunes:author><googleplay:owner><![CDATA[nattothoughts@substack.com]]></googleplay:owner><googleplay:email><![CDATA[nattothoughts@substack.com]]></googleplay:email><googleplay:author><![CDATA[Natto Team]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[How China's Cyber Operations – and the Contractors Behind Them – Target Critics Abroad ]]></title><description><![CDATA[State agencies and an ecosystem of private contractors use cyber capabilities and social engineering to locate, monitor, and harass critics living outside China]]></description><link>https://www.nattothoughts.com/p/how-chinas-cyber-operations-and-the-610</link><guid isPermaLink="false">https://www.nattothoughts.com/p/how-chinas-cyber-operations-and-the-610</guid><dc:creator><![CDATA[Eugenio Benincasa]]></dc:creator><pubDate>Wed, 03 Jun 2026 13:56:13 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!QEGj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eb44d39-34f4-482b-98dd-14d91c34d99b_8746x5602.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In February 2026, Italian investigators <a href="https://archive.ph/J9Jcc#selection-1383.42-1383.276">uncovered</a> a breach of Italy&#8217;s Interior Ministry network in which China-linked hackers reportedly stole personnel data relating to roughly 5,000 officers from the country&#8217;s &#8220;Divisione Investigazioni Generali e Operazioni Speciali&#8221; (DIGOS), the police unit responsible for monitoring extremist threats and protecting sensitive foreign communities. According to Italian law enforcement, rather than a conventional intelligence-gathering operation, the breach <a href="https://archive.ph/J9Jcc#selection-1383.42-1383.276">was designed</a> to locate Chinese nationals the Chinese Communist Party (CCP) considered politically threatening.</p><p>The CCP has long treated political criticism as a threat to be managed regardless of geography. As Chinese diaspora communities have expanded across North America, Europe, and Australia, so too have its efforts to extend elements of its domestic security apparatus abroad, a practice widely described as &#8220;transnational repression.&#8221; Freedom House, a US-based non-governmental organization (NGO) that monitors political freedoms globally, <a href="https://freedomhouse.org/article/tnr-watch-beijing-expands-hunt-exiled-dissident-cash-bounties">found</a> that the PRC was responsible for 253 of 854 documented physical incidents of transnational repression between 2014 and 2022 &#8211; more than any other government in the world. In 2023, U.S. authorities <a href="https://www.justice.gov/archives/opa/pr/40-officers-china-s-national-police-charged-transnational-repression-schemes-targeting-us">charged</a> several individuals alleged to be officers of Beijing&#8217;s Ministry of Public Security (MPS) assigned to an elite task force called the &#8220;912 Special Project Working Group,&#8221; in connection with operations targeting dissidents and diaspora communities living in the U.S.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a></p><p>The primary targets are those the CCP regards as existential threats to its legitimacy: Uyghurs, Tibetans, practitioners of the Falun Gong spiritual movement, Hong Kong pro-democracy activists, and survivors of the 1989 protests and massacre in Beijing&#8217;s Tiananmen Square.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-2" href="#footnote-2" target="_self">2</a> The net extends to journalists, legal scholars, former officials, and anyone who, from the CCP&#8217;s perspective, threatens the Party&#8217;s narrative control or security at home. Traditionally, this repression <a href="https://www.icij.org/investigations/china-targets/china-transnational-repression-dissent-around-world/">has relied</a> on surveillance, proxy networks, pressure on relatives in China, covert agents, and the misuse of international law enforcement tools. In 2022, Safeguard Defenders, a Pan-Asian human rights NGO, <a href="https://safeguarddefenders.com/en/blog/110-overseas-230000-chinese-persuaded-return">documented</a> a network of covert overseas Chinese &#8220;police service stations&#8221; operating in different countries through front organizations and community associations.</p><p>Physical distance was once a meaningful form of protection. Dissidents who fled beyond China&#8217;s borders could not be easily watched, pressured, or silenced without significant investment in human networks and physical infrastructure. Cyber capabilities have steadily worn away that protection, across the full range of repressive activity: identifying and locating targets, building profiles, infiltrating communities, spreading disinformation, disrupting platforms, and applying pressure on individuals and their networks. Much of this can now be conducted remotely, at scale, and with limited visibility. This piece examines how, tracing both the Chinese government&#8217;s covert efforts to locate and monitor targets and its more overt campaigns of harassment and intimidation, while highlighting the ecosystem of private contractors and tools that underpin these activities.</p><p><strong>The appendix at the end of the piece lists selected China-linked APT groups, their identified transnational repression targets, and known associated private contractors.</strong></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.nattothoughts.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Natto Thoughts is a reader-supported publication. To receive new posts and support the Natto Team&#8217;s work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>
      <p>
          <a href="https://www.nattothoughts.com/p/how-chinas-cyber-operations-and-the-610">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Sichuan Silence Information Technology: Great Sounds are Often Inaudible ]]></title><description><![CDATA[Formerly very public, Sichuan Silence has gone quiet since 2020; but as part of a circle of Chengdu-based jack-of-all-trades infosec companies, it serves the state in cyber-enabled operations]]></description><link>https://www.nattothoughts.com/p/sichuan-silence-information-technology</link><guid isPermaLink="false">https://www.nattothoughts.com/p/sichuan-silence-information-technology</guid><dc:creator><![CDATA[Natto Team]]></dc:creator><pubDate>Wed, 04 Dec 2024 17:03:04 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!pjQm!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fea61eb73-143f-4fa3-980f-492c84efb975_1149x670.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<pre><code><em>Update 12/10/2024: On December 10, 2024, the US Department of the Treasury&#8217;s Office of Foreign Assets Control (OFAC) <a href="https://home.treasury.gov/news/press-releases/jy2742">sanctioned</a> Sichuan Silence Information Technology company, and one of its employees, Guan Tianfeng, for involvement in compromise of firewall products and attempted ransomware attacks; the US Department of Justice unsealed <a href="https://www.justice.gov/opa/media/1379631/dl">an indictment</a> on Guan; and the State Department announced a Rewards for Justice <a href="https://www.fbi.gov/wanted/cyber/guan-tianfeng">reward</a> of up to $10 million for information on Guan, Sichuan Silence, associated individuals or entities, or their malicious cyber activity .</em></code></pre><p>For five long years, Sophos, a United Kingdom (UK)-based information security company, battled Chinese nation-state threat actors who lobbed &#8220;botnets, novel exploits, and bespoke malware&#8221; against the company&#8217;s firewalls and other perimeter devices. Sophos described this battle in its October 2024 &#8220;<a href="https://www.sophos.com/en-us/content/pacific-rim">Pacific Rim&#8221; report series</a>. Many in the industry <a href="https://infosec.exchange/@catc0n/113449354872803714">applauded</a> Sophos for &#8220;being so forthcoming about attacks targeting their own products.&#8221; Ot&#8230;</p>
      <p>
          <a href="https://www.nattothoughts.com/p/sichuan-silence-information-technology">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Flax Typhoon-Linked Company Integrity Technology: a Competitor, Business Partner and Client of i-SOON]]></title><description><![CDATA[First i-SOON, then Integrity Tech: How many more Chinese information security companies lie behind Chinese state cyber threat campaigns?]]></description><link>https://www.nattothoughts.com/p/flax-typhoon-linked-company-integrity</link><guid isPermaLink="false">https://www.nattothoughts.com/p/flax-typhoon-linked-company-integrity</guid><dc:creator><![CDATA[Natto Team]]></dc:creator><pubDate>Wed, 25 Sep 2024 16:02:50 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/cdf3a15f-ce4e-40f9-b6a4-8f11c5906f04_918x152.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On September 18, 2024, US and allied government agencies released a <a href="https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/1/CSA-PRC-LINKED-ACTORS-BOTNET.PDF">Joint Cyber Security Advisory (joint advisory)</a> announcing the exposure and takedown of a China-linked botnet that had used thousands of compromised routers and Internet of Things (IoT) devices for malicious cyber activity.&nbsp;The joint advisory stated that a Chinese information security company, Integrity Technology Group (Integrity Tech) &#8220;has controlled and managed a botnet active since mid-2021&#8230;.As of June 2024, the botnet consisted of over 260,000 devices,&#8221; with victim devices observed in North America, South America, Europe, Africa, Southeast Asia and Australia. The attribution section of the joint advisory stated that Integrity Technology has &#8220;links to the PRC government&#8221; and that the intrusions and activity linked to the botnet are &#8220;consistent with the tactics, techniques, and infrastructure associated with the cyber threat group known publicly as Flax Typhoon, RedJuliett, and Ethereal Panda.&#8221; In <a href="https://www.justice.gov/d9/2024-09/redacted_24-mj-1484_signed_search_and_seizure_warrant_for_disclosure.pdf">an unsealed US sea&#8230;</a></p>
      <p>
          <a href="https://www.nattothoughts.com/p/flax-typhoon-linked-company-integrity">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Front Company or Real Business in China’s Cyber Operations]]></title><description><![CDATA[Distinguishing whether entities are front companies or real businesses can help us understand the strategy, scalability, and persistency of Chinese state-sponsored cyber operations.]]></description><link>https://www.nattothoughts.com/p/front-company-or-real-business-in</link><guid isPermaLink="false">https://www.nattothoughts.com/p/front-company-or-real-business-in</guid><dc:creator><![CDATA[Natto Team]]></dc:creator><pubDate>Wed, 22 May 2024 16:00:57 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!CdD2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The Natto Team&#8217;s <a href="https://nattothoughts.substack.com/p/intrusion-truth-methods-how-can-they">previous pos</a>t about Intrusion Truth questioned the pattern Intrusion Truth identified in Chinese Ministry of State Security (MSS) cyber operations. Intrusion Truth <a href="https://intrusiontruth.wordpress.com/2019/07/15/is-there-a-pattern/">described</a> the pattern thus: &#8220;a regional office of the MSS (Ministry of State Security) creates a company, hires a team of hackers and attacks Western targets.&#8221; In this telling, the MSS creates a company which is commonly known as a front company. However, the <a href="https://nattothoughts.substack.com/p/i-soon-kicking-off-the-year-of-the">i-SOON leaks</a> confirm Natto Team&#8217;s previous assessments that the pattern is more nuanced. The MSS not only creates companies that are purely front companies, but also works with existing companies such as i-SOON, which are real businesses. The Natto Team assesses it is important to distinguish whether entities involved in cyber operations are front companies or real businesses.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> This nuance can help understanding the strategy, scalability, and persistency of China&#8217;s state-sponsored cyber operations.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CdD2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CdD2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png 424w, https://substackcdn.com/image/fetch/$s_!CdD2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png 848w, https://substackcdn.com/image/fetch/$s_!CdD2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png 1272w, https://substackcdn.com/image/fetch/$s_!CdD2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CdD2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png" width="901" height="493" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:493,&quot;width&quot;:901,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:319416,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!CdD2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png 424w, https://substackcdn.com/image/fetch/$s_!CdD2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png 848w, https://substackcdn.com/image/fetch/$s_!CdD2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png 1272w, https://substackcdn.com/image/fetch/$s_!CdD2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51780e54-7cf2-43b0-957a-62ee5584d4cf_901x493.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption"><em>Source: Natto Thoughts</em></figcaption></figure></div><h1>Front Company Definition</h1><p>According &#8230;</p>
      <p>
          <a href="https://www.nattothoughts.com/p/front-company-or-real-business-in">
              Read more
          </a>
      </p>
   ]]></content:encoded></item></channel></rss>