
The China Backed Firewall in Myanmar

  • Spring Revolution Security (SRS)

The military junta in Myanmar has ramped up the capability and scale of its surveillance through costly purchases of technological solutions that suppress and threaten internet freedom and anonymity. Experts and investigators have indicated that the employed technology is closely associated with the “Great Firewall of China”. In this report, we have collected a wide range of available information as a threat-implication repository around this firewall technology.


We discuss our report in the following structure:


  1. The great firewall 

  2. What is Geedge Network?

  3. Who manages the network? 

  4. Geedge Network’s products

  5. Capability of the firewall

  6. Mitigation strategies

Acknowledgement

This article was compiled from the findings of InterSecLab, Justice for Myanmar, Amnesty International, Paper Trail Media, The Globe and Mail, the Tor Project, DER STANDARD and Follow the Money on the leaked documents from Geedge Network, for dissemination to Myanmar audiences and their stakeholders. This report also includes information and analysis from Great Firewall Report and from Article 19’s analysis.

Summary

  • The firewall is part of a suite of technology that facilitates deep packet inspection of traffic, identification and blocking of circumvention applications, restriction of services, monitoring and profiling of users, and targeting of users with malware.

  • Geedge Network, the company behind the TSG firewall, regularly shares data with MesaLab, an entity linked to the Chinese government.

  • Geedge Network, a Chinese company, exported and installed the TSG firewall system at the Ministry of Transport and Communication, including Network Zodiac and Cyber Narrator.

  • The technology is installed and present across 13 ISP data centers.

  • The technology shares similar characteristics with the Great Firewall of China.


The Firewall


Internet freedom in Myanmar has been deteriorating since the 2021 coup. The newly revealed information about the firewall system, part of the junta’s surveillance ecosystem, directly threatens users’ privacy, freedom of expression and access to information. Freedom House’s 2024 Freedom on the Net report ranked Myanmar level with China for its oppressive and restricted internet space.


The firewall in Myanmar is found to bear similarities with the Great Firewall of China. Justice for Myanmar found that Geedge Network and its commercial firewall system enable the junta to control and surveil 33.4 million internet users in Myanmar. InterSecLab, Justice for Myanmar, Amnesty International, Paper Trail Media, The Globe and Mail, the Tor Project, DER STANDARD and Follow the Money studied and investigated over 100 million pages of leaked information from Geedge Network and Mesalab, shedding further light on a commercialized tool of oppression sold to 5 countries. The 5 purchasers of this surveillance technology are Myanmar, Kazakhstan, Ethiopia, Pakistan and another unnamed country.


The suite of technology is collectively referred to as TSG (Tiangou Secure Gateway) and comprises different equipment, hardware and operating systems. TSG is a national-level firewall solution package. This technology facilitates and enables mass surveillance of internet traffic, blocking of apps, and inspection of encrypted connections. InterSecLab indicated that the most applicable part of the stack is ‘Cyber Narrator’, a graphical user interface and network intelligence tool.


Reports on the analysis of the leaked documents indicated that the buyer governments use this technology for different purposes. InterSecLab claimed that there is no differentiation in the modules and functions of this technology: ‘Geedge Network’ sells its product as an “all in one” package. We assume that this means every individual purchaser of this technology has access to all functionalities and has the same capabilities detailed in the later sections.



Geedge Network


Geedge Network was established in 2018 by Fang Binxing (⽅滨兴), who is regarded as the father of the Great Firewall and whom the leaked documents also identify as the person behind the Myanmar project. Geedge also collaborates closely with ‘Massive and Effective Stream Analysis’ (Mesalab), a research branch of the ‘Chinese Academy of Sciences’. Mesalab focuses on applied research in network and information security. InterSecLab has found evidence indicating that ‘Geedge Network’ regularly shares data from buyer countries with Mesalab and its students for further analysis, and that Mesalab, in return, provides censorship and surveillance solution development.


Geedge Network is also part of China’s Belt and Road Initiative (BRI), focusing on its Digital Silk Road component. The CCP’s expansion of influence over publicly and privately owned entities also expands and facilitates Chinese-mandated digital surveillance and sovereignty in foreign countries. Countries included in the BRI, as well as others, are targeted with technology and equipment exports, human resources, policy advocacy and capacity building. Myanmar officially joined the BRI in 2017.


InterSecLab indicated that ‘Geedge Network’ piloted an export version of the technology, and Kazakhstan was the first to buy it, in 2019. The company’s project timeline documents also indicated that ‘Geedge Network’ implemented provisional firewall systems in 2022. This means that the current firewall system in China is, to some extent, similar to the firewall system installed in Myanmar. Myanmar’s internet space is deteriorating to the level of the notoriously controlled environment in China.



Who Manages the Firewall


Geedge Network started conducting ground surveys and technical demonstrations from June to November 2022. The system became operational with the blocking of over 50 VPN applications by the end of May 2024. Contract documents indicated that Geedge Network sold equipment and a software stack to the Ministry of Transport and Communication (MOTC). The stack included the TSG centralized framework, an operating system, and Network Zodiac and Cyber Narrator for monitoring and operation.


The National Cyber Security Center (NCSC), under the authority of MOTC, is indicated to liaise directly with Geedge Network. The NCSC reports to the Information Technology and Cyber Security Department (ITCSD) under MOTC and has the Myanmar Cyber Emergency Response Team (mmCERT) and the Security Operation Center (SOC) under its command.


Organogram representing the hierarchy under Ministry of Transport and Communication


Monitoring and filtering (censorship) systems are installed across 13 regional data centers and gateways. The documents also revealed that there are 2 national data centers (at Yangon and Naypyidaw) and 28 regional data centers, installed across Mandalay, Tachileik, Kyaing Tong, Muse, Myawaddy and other locations, all of which are equipped with Geedge Network’s firewall technologies. Similarly, the technology is incorporated with operators and internet service providers such as ATOM (formerly Telenor Myanmar), Mytel, Myanma Posts and Telecommunications (MPT), U9 (formerly Ooredoo Myanmar), Frontiir (Myanmar Net), StreamNet, Golden TMH Telecom, Internet Maekhong Network (IM-Net), Myanmar Broadband Telecom (MBT), Myanmar Telecommunication Network (MTN), Campana, Global Technology Group and China Unicom.


The leaked documents revealed that traffic from the regional data centers routes to the national data centers at Yangon and Naypyidaw under the command of the National Cyber Security Center (NCSC). The documents, according to InterSecLab’s investigation, revealed that while the regional data centers are managed by the respective ISPs, Geedge Network directly accesses and manages the national data centers.


The network topology documents also indicate that Geedge Network’s employees maintain direct remote access to their equipment and infrastructure. Additionally, since Geedge regularly shares traffic data with Mesalab students for product and solution development, this poses a direct threat to the digital sovereignty of Myanmar’s internet as well. We also assume that the security incident that resulted in the leak of over 100 thousand documents indicates a lack of proper security measures at Geedge Network. We question the security, confidentiality and integrity of Myanmar users’ data in their hands against malicious actors as well.



Geedge Network and its Products


Cyber Narrator is the operator-level integrated dashboard and graphical user interface for Security Information and Event Management (SIEM) and Online Analytical Processing (OLAP). Cyber Narrator serves as a user-friendly interface that gives non-technical users easy access to Geedge Network’s suite of products and services. This technology allows governments and administrators to easily employ advanced techniques and features. Cyber Narrator also logs and tracks each individual subscriber’s internet activity and approximate location in real time through triangulation of Cell IDs.


Cyber Narrator enables authorities to monitor, track and identify groups of subscribers in locations such as protest areas, with detailed intelligence such as the number of SIM card subscribers within a set perimeter/vicinity as well as detailed flagging of “visiting” subscribers who are not usually based in the area. TSG Galaxy serves as a data repository fed from the customer countries, and the repository enables detailed analysis of network intelligence and connection metadata with deep packet inspection (DPI) technology. InterSecLab also highlighted that Geedge Network employees have access to the TSG Galaxy repository.


Cyber Narrator’s spatial map: Visualizing internet user density and volume by categorizing audiences into visitors and locals.


In addition to Cyber Narrator and its data repository counterpart, TSG Galaxy, Geedge Network has also developed a technology called Websketch, an in-house comprehensive internet intelligence indexing engine that identifies the proliferation/use of blocked services and websites in the network. The technology can ‘sniff’ and identify connected devices (webcams, routers, servers, etc.) and their IP addresses. Because it can recognize the use of blocked services, it can also identify the use of circumvention technology to bypass the imposed censorship; this helps the administrators identify ‘loopholes’ and add rules to the firewall to curb the circumvention efforts. The suite of technology composed of Cyber Narrator and Tiangou Secure Gateway not only monitors traffic in real time but also retains historical data and usage logs. This means that TSG can even show visitors/users of a blocked website or service from before the block was implemented.


The logic model and topography among Geedge’s products


Capabilities of The Firewall


Tiangou Secure Gateway (TSG) is the collective suite of Geedge Network’s products. The firewall is packed with monitoring and anti-circumvention technology: deep packet inspection (DPI), restriction or termination of internet connections, identifying and censoring circumvention technology, monitoring and ‘scoring’ of subscribers based on their activity, and even targeting users with malware.


Diagram depicting the traffic of TSG Firewall


The firewall also enforces a national-level firewall policy.



Deep Packet Inspection


The firewall comes equipped with technology for inspecting internet packets and “scoring” subscribers based on their internet use. InterSecLab’s examination revealed that, through this technology, the government gains better visibility and inspection capability over various transport- and application-layer protocols such as HTTP, DNS, email, TLS, QUIC and SIP than in ordinary environments. Through analysis of call metadata, the firewall provides visibility of subscribers’ phone numbers. The technology can also monitor and analyze TLS traffic, either through device-level compromise that installs a certificate authority (CA) on the subscriber’s device, or through DPI analysis of traffic metadata combined with machine learning techniques. Without TLS in place, DPI can monitor and intercept HTTP header signatures, passwords, email addresses, attachments and email content, and can inject and manipulate malicious scripts and files in real time.
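As an added illustration (our own example, not code from the report or from Geedge Network), the following self-audit shows what an on-path DPI box reads from a cleartext HTTP request versus a TLS connection: the constructed HTTP request exposes the request line, Host, Authorization and Cookie headers verbatim, while the constructed TLS ClientHello still exposes the destination hostname through the unencrypted SNI field even though everything inside the session is protected.

```python
import struct

# Constructed sample of a cleartext HTTP login request (not captured traffic).
SAMPLE_HTTP = (b"POST /login HTTP/1.1\r\nHost: mail.example.org\r\n"
               b"Authorization: Basic dXNlcjpwYXNz\r\nCookie: session=abc123\r\n\r\n")

def http_exposure(payload: bytes):
    """Cleartext HTTP: return the request line and sensitive headers DPI reads verbatim."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if lines[0].split(b" ")[0] not in (b"GET", b"POST", b"PUT", b"HEAD"):
        return None
    names = {line.partition(b":")[0].strip().lower() for line in lines[1:]}
    exposed = [h for h in ("host", "authorization", "cookie") if h.encode() in names]
    return {"request": lines[0].decode("ascii", "replace"), "exposed_headers": exposed}

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension (test input)."""
    name = host.encode("ascii")
    sni = struct.pack(">HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, random
            + b"\x00"                        # empty session id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # null compression
            + struct.pack(">H", len(sni)) + sni)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def tls_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello, or None. The name is sent
    unencrypted, so DPI learns the destination even though the HTTP inside is not."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        p = 43                                              # past record/handshake headers, version, random
        p += 1 + payload[p]                                 # session id
        p += 2 + struct.unpack(">H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                                 # compression methods
        end = p + 2 + struct.unpack(">H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                  # server_name extension
                nlen = struct.unpack(">H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass
    return None
```

Moving a site to HTTPS removes the credential and content exposure shown by `http_exposure`, but the hostname in `tls_sni` remains visible to the firewall unless Encrypted Client Hello is in use.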



Identifying, Throttling and Blocking of VPN and Circumvention Technology


InterSecLab also found that Geedge Network uses DPI technology to actively identify and block circumvention protocols and tools such as WireGuard and OpenVPN, or others as requested by the buyer country. Since the use of circumvention and similar technology results in more encrypted traffic, the tool enables operators to detect and monitor this encrypted traffic by flagging and logging it, and ultimately blocking it.


To ensure the effectiveness of the blocking of circumvention technology, Geedge Network deploys its mobile farm for testing VPN tools in a highly controlled environment. Geedge is also able to duplicate remote Wi-Fi networks, thereby simulating any subscriber’s network to test the effectiveness of the block in targeted environments. The firewall also has a DSCP (Differentiated Services Code Point) mapping feature that allows prioritization of internet services and can also throttle services deemed undesirable.


AppSketch is one of the components of the tech suite and is regarded as a repository of blocked/allowed apps, services, subscribers and traffic signatures. This enables the junta to allow specific groups of subscribers and companies/organizations access with fewer restrictions, while the majority is subject to the general rules and a different user experience. This is also in line with the Cyber Security Law of Myanmar. Moreover, InterSecLab also revealed that Geedge Network is developing a new addition to this technology, named AppSketch Works, which would enable them to test any application in any testing environment, after which the system would learn to block it on their firewall. This would give the buyer countries more streamlined access to directly implement censorship rules.



Profiling of Subscribers


SAN, short for Sanity Directory, is the behavioral analytics and profiling (scoring) component of the firewall assembly. SAN has the capability to record and profile VPN users. It flags suspicious and bandwidth-heavy traffic as potential VPN traffic. Through this, SAN also facilitates detection of changes in VPN behavior and identifies new circumvention solutions.


Users with a low enough score can be restricted in terms of bandwidth allocation, have their connection terminated, or be prompted for re-verification with ID and/or facial recognition. SAN also tracks and identifies public IP addresses used by a high number of users. It also overrides DNS requests destined for public DNS resolvers and resolves them at local DNS servers instead. The firewall also has the ability to monitor, track and block users using mobile tethering.



Malware Injection


The firewall is also equipped with a function for real-time injection of malicious programs into subscribers’ devices. Users on insecure connections can be targeted with real-time injection of JavaScript and CSS code into the websites they visit, as well as replacement of downloaded files with malicious ones. Its functions support real-time packaging of malicious files in the form of HTML, CSS, JavaScript, Android APK files, Windows EXE files, macOS DMG disk images and Linux RPM packages, or more common files such as JPG, PNG, PDF, JSON, XML, ZIP and RAR files.


Cyber Narrator, meanwhile, identifies the insecure websites (without TLS/HTTPS) that users visit and can analyze user behavior to produce effective attack vectors.



Facilitation of DDoS Attacks


As is customary with firewall packages, TSG also comes with a suite called DLL Active Defence for defending against DDoS (distributed denial of service) attacks. However, DLL Active Defence also comes with functions to conduct DDoS attacks at the request of the buyers. InterSecLab indicated that the function can enable Geedge Network to turn the subscriber base into a botnet and carry out DDoS attacks without the users ever realizing.



Mitigation Techniques


We assess this as a significant escalation of the threat landscape, with indications of longer-term privacy violations for users residing in buyer countries. Basic security awareness, such as using HTTPS and TLS protection, constantly reassessing one’s individual risk model and anonymity practices, and switching to services not aligned with the government, are some of the mitigation measures for navigating safely in this highly surveilled and hostile environment. While technologists and privacy advocates are also developing technologies to better circumvent this, the public should remain vigilant about the risks and the tools they can use to mitigate them.
