Chinese Grid Operators Maintain Offensive Cyber Programs
T.A. Talbert

Executive Summary:
State Grid Corporation of China (SGCC) and China Southern Power Grid (CSG) have established standing cyber teams that they describe as “red and blue team special forces.” They are part of an ecosystem in the People’s Republic of China (PRC) that sets Chinese national cybersecurity standards, runs their own grid attack simulation facilities, and publishes research on tool development to attack the industrial control systems that run Western power grids.
Simulated attacks used for internal cybersecurity development have included testing against Western systems, the results of which could be used to support PRC state-backed attacks.
The PRC’s doctrine of military–civil fusion and requirements around cyber vulnerability reporting ensures that the Ministry of State Security, Ministry of Industry and Information Technology, and other government organs have access to these vulnerabilities.
In the coming weeks, the People’s Republic of China (PRC) Ministry of Public Security (MPS) is expected to convene an annual work meeting for the “Clean Net/Protect the Net” (净网/护网) program, a framework for national-level “live fire” (实战) cybersecurity attack and defense exercises. At last year’s meeting, the MPS directed public security institutions to “strengthen critical information infrastructure protection and security testing of key systems” (加强关键信息基础设施保护、重要系统安全检测) (State Council, June 23, 2025; DJCP, 2021). One of the country’s largest cybersecurity vendors, QiAnXin (QAX; 奇安信), has described the exercises as a routine part of cybersecurity protection for government and corporate clients, “especially for critical information infrastructure” (尤其是关基行业) (QAX, April 30, 2025). [1]
The “Protect the Net” program is an annual reminder that the institutions building the PRC’s offensive cyber capabilities extend beyond the People’s Liberation Army (PLA) and the named hacking groups that dominate Western threat reporting. [2] Reviews of the PLA and academic policy articles have demonstrated that advocacy for greater offensive capabilities against the U.S. power grid is tolerated and published—even those including modeled attacks on the United States (China Brief, July 10, 2023; Langerovà, March 30, 2025). [3]
Offensive cyber programs within the PRC’s two state-owned grid operators present evidence of persistent attempts to advance offensive capabilities. The State Grid Corporation of China (SGCC; 国家电网) and China Southern Power Grid (CSG; 中国南方电网) each staff what they describe as “red and blue army ‘special forces’” (红、蓝军“特种部队”) (People’s Daily Online, January 20, 2025). [4] These teams’ work includes security testing against Western industrial control protocols. This could translate into state-controlled tools that enable the disruption of energy grids in the West (Zhang et al., 2024). [5]
Programs Suggest Offensive Cyber Activities
PRC grid operators are institutionalizing adversary techniques in order to replicate them. Through participating in national cyber exercises, procuring red and blue team services, drafting industry standards, and developing wargaming platforms, these firms’ behavior far exceeds the baseline requirements for ensuring defensive cyber capabilities.
CSG’s red and blue team “special forces” are deployed to national-level offensive/defensive exercises and major cybersecurity protection efforts (People’s Daily Online, January 20, 2025). CSG and SGCC personnel have won several cybersecurity awards, including the Wangding Cup (网鼎杯), the Ministry of Public Security’s flagship cybersecurity competition that tasks competitors with vulnerability exploitation, capture the flag activities, and attack-defense scenarios (MPS, 2023; Wangding Cup, 2024; People’s Daily Online, January 20, 2025).
Official coverage characterizes the grid operators’ activities as purely “defensive,” but this characterization is not supported by their activities in the cybersecurity field. A January 2024 paper by researchers from a CSG subsidiary developed a method for generating attack data against Modbus, an industrial control systems protocol that dominates U.S. and European grid supervisory control and data acquisition (SCADA) systems (Zhang et al., 2024). [6] Testing attacks against foreign protocols rather than Chinese ones is indicative of offensive intentions. Penetration testing, vulnerability discovery, and ICS protocol exploitation are target-agnostic, so a cybersecurity team capable of breaching SGCC’s or CSG’s SCADA systems is also capable of breaching those in the United States.
Earlier evidence also supports this thesis. A 2018 article that profiled SGCC’s red and blue teams analogized them to the PLA Zhurihe military training base’s (朱日和训练基地) “blue forces” (蓝军), the elite force that simulates foreign militaries attacking PLA units in war games. Between January and May 2018, the teams reportedly discovered 1,323 vulnerabilities, submitted multiple original vulnerability proofs to national vulnerability databases, and developed more than ten security tools for offensive/defensive simulation platforms (Grid Headlines, June 24, 2018). Analyses by researchers with affiliations to SGCC or CSG subsidiaries have focused on power outages in overseas energy grids, including in the United Kingdom, California, and the European Union (Fan et al., 2020; Hu et al., 2020; Sun et al., July 2021).
SGCC and CSG repeatedly procure red and blue team services. An April 2024 procurement document from Guangdong Power Grid Company (广东电网), a CSG subsidiary, details roughly $175,000 (out of $6.5 million) dedicated specifically to “cybersecurity offensive and defensive capability enhancement technical support” (网络安全攻防能力技术提升技术支持) and the rest of the budget for “cybersecurity management technical services” (网络安全管理技术服务) that includes “red team assessment technical services” (红队评估技术服务) (CSG Supply Chain Service Platform, April 25, 2024). [7] Similar records appear across SGCC and CSG portals from 2020–2025, covering procurement for provincial and headquarters-level units at both operators, suggesting this is a systemic budget posture rather than an isolated case. A 2023 SGCC headquarters sole-source contract, for instance, procures “technical support” (红蓝队技术支撑) for both red and blue teams as separately budgeted services from named SGCC subsidiaries State Grid Smart Grid Research Institute (国网智能电网研究院) and State Grid Siji Cyber Security Technology (国网思极网安科技), respectively (SGCC Electronic Commerce Platform, August 11, 2023). [8] These budgets treat red and blue team technical support as standing institutional functions linked to the broader State Grid ecosystem.
SGCC and CSG are influential in setting national standards. The two grid operators are co-drafters of GB/T 36572-2018, the national standard governing SCADA cybersecurity for grid systems (National Public Service Platform for Standards Information, accessed May 3, 2025). Another CSG subsidiary has helped draft two further industry standards, T/CSAC 001-2023 and T/CSAC 002-2023, which cover the security and capability evaluations issued by the Cyber Security Association of China (CASC; 中国网络空间安全协会), a Cyberspace Administration of China (CAC)-affiliated body. These standards effectively require power sector personnel to develop familiarity with the same techniques used in offensive nation-state operations, blurring the line between defensive readiness and offensive capacity-building. For instance, T/CSAC 001-2023 requires that cyber range testing programs be designed and evaluated with reference to MITRE ATT&CK, the framework major U.S. cybersecurity firms and government agencies use to characterize nation-state cyber operations (National Library of Standards, accessed May 18).
CSG has also developed a grid cyber range platform to rehearse offensive cyber operations against grid infrastructure. Exhibited at the September 2024 National Cybersecurity Awareness Week in Guangzhou, the platform has three subsystems for “power cybersecurity offensive/defensive wargaming” (攻防推演), “attack event simulation,” and “path awareness wargaming”—features not found in compliance-focused defense platforms (China Energy News Network, September 10, 2024).
Military–Civil Fusion Applies to State-Owned Grid Operators
Under the PRC’s military–civil fusion development strategy, the state can requisition capabilities of state-owned enterprises (SOEs) for security and military purposes when required. According to a December 2025 report, the April 2024 PLA reforms that dissolved the Strategic Support Force and created the Cyberspace Force reorganized the military side of this architecture for clearer military–civilian integration (China Brief, April 9, 2024, [a], [b], April 25, 2025; Recorded Future, December 2025). The PRC’s legal and regulatory frameworks, including the Cybersecurity Law, amended in late 2025, and the 15th Five-Year Plan released in March 2026, also expand network operators’ obligations to support state security objectives (NPC, December 29, 2025; Xinhua, March 16). The PLA Cyberspace Force or other tasking authorities would likely draw on SGCC’s and CSG’s red and blue teams for grid-relevant offensive operations against foreign critical infrastructure.
SGCC and CSG personnel contribute to state efforts to compile network vulnerabilities, which is part of this integrated effort. The Regulations on the Management of Network Product Security Vulnerabilities (网络产品安全漏洞管理规定) require vulnerability researchers to report findings to the Ministry of Industry and Information Technology (MIIT) within two days and prohibit foreign disclosure. The China National Vulnerability Database (国家信息安全漏洞库), meanwhile, is run by an organization under the Ministry of State Security (MSS), the China Information Technology Evaluation Center (中国信息安全测评中心), which rewards compliant participants with monetary prizes and preferential government contracts (Recorded Future, May 17, 2017; CAC, July 13, 2017). These personnel also participate in state-organized hacking competitions including the Tianfu Cup, Matrix Cup, and Qiangwang Cup that serve as recruitment and training venues for cybersecurity personnel (Recorded Future, December 2025).
Conclusion
The threat from PRC offensive cyber capabilities goes beyond the PLA and state-sponsored hacking groups. The evidence from SGCC’s and CSG’s own publications, procurement records, and competition rosters suggests that these state-owned energy grid companies have their own programs for offensive and defensive cyber capabilities. Their personnel, standards-setting, and testing environments are helping to develop tools that the state could wield and direct against adversaries. This makes these firms components of the PRC’s offensive cyber ecosystem, not simply defensively oriented safeguards for the PRC’s domestic critical infrastructure. This is worth remembering as the “Protect the Net” activities begin this summer.
This article originally appeared in China Brief.
T.A. Talbert is a Research Analyst at 2430 Group specializing in critical infrastructure, geopolitics, and open source research methodologies.
Notes
[1] Cybersecurity industry reports link “Protect the Net” with annual attack and defense exercises. As the DJCP source and other cybersecurity industry sites describe, the national activities usually take place starting in July and August but sometimes shift with geopolitical events.
[2] For instance, a recent joint advisory from cybersecurity agencies across 11 countries warned that PRC actors use covert networks of compromised devices to “pre-position offensive cyber capabilities on critical national infrastructure” but did not name the PRC institutions that build the underlying capabilities (CISA, April 23).
[3] Langerovà, Erika. “Analysing 20 Years of China’s Power Grid Hacking Research.” Czech Technical University (2025).
[4] In Western cybersecurity, “Red teams” simulate the attacker and “Blue teams” simulate the defender; Chinese government agencies and major firms reverse this, calling defenders “red” and attackers “blue,” though the Western convention still dominates Chinese security blogs and everyday discourse, making the labels ambiguous in some Chinese-language sources.
[5] Zhang, Jiafa, Hong Zou, Zifeng Zeng, Weijie Xu, and Jiawei Jiang. “Feasibility of Using Seq-GAN Model in Vulnerability Detection of Industrial Control Protocols.” Cyber Security Issues and Solutions 13, no. 3 (2024): 393-416. https://doi.org/10.13052/jcsm2245-1439.1333.
[6] Zhang et al., supra [5].
[7] This document is not available online but has been reviewed by the editors.
[8] This document is not available online but has been reviewed by the editors.