In a previous piece, we argued that provincial Ministry of State Security (MSS) bureaus function as key organizational nodes in China’s cyber operations – acting as operational nerve centers with their own internal priorities, resources, and institutional logics.1 But this decentralization does not mean that cyber operations are siloed at the provincial level.

Disclosures from a 2024 leak, together with a March 2025 U.S. indictment involving Anxun (i-SOON) Information Technology Co., Ltd (安洵信息技术有限公司), which has been linked to Chinese state-sponsored cyber campaigns, indicate that a single commercial actor can be tasked by, actively seek contract opportunities from, or perform work for, a large number of provincial MSS and Ministry of Public Security (MPS) bureaus. This case provides rare visibility into how a single firm can support multiple, distinct provincial mandates and supply the operational capacity through which intrusions are carried out at near-national scale.

Building on this, this piece examines how companies allegedly linked to APT activity – concentrated in a small number of provinces – enable cross-provincial operational scaling, even as provincial bureaus remain the primary source of tasking and authority. It begins by briefly distinguishing legitimate businesses from front companies, then traces how earlier cyber operations were likely predominantly organized around provincially bounded, bureau-executed models centered on front companies.2 Next, it shows how market maturity enabled greater collaboration between government agencies and legitimate firms, and concludes by examining why these firms are concentrated in a handful of provinces.