SentinelOne thwarts China-linked cyber assault, uncovers international system infiltrations worldwide
A recent report published by SentinelOne reveals that China-linked hackers have been targeting a wide range of government and critical infrastructure organizations worldwide. SentinelOne first discovered the hacking attempts on Monday.
The hackers, associated with the state-sponsored group Silk Typhoon (also known as Hafnium), employ a range of specific tactics and tools involving sophisticated spyware and forensic technologies. These tools, developed by front companies tied to China's Ministry of State Security (MSS), include patented technologies for intrusive data collection such as acquiring encrypted endpoint data, mobile device forensics, and traffic interception from network devices.
One of the key tactics identified is the exploitation of zero-day vulnerabilities. In early 2021, Silk Typhoon notably exploited zero-day bugs in Microsoft Exchange Server, enabling widespread intrusion into thousands of global organizations, including security firms like SentinelOne.
The hackers also use patented spyware from front companies such as Shanghai Powerock Network Co. Ltd. and Shanghai Firetech Information Science and Technology Company. These front firms, linked to indicted hackers Xu Zewei and Zhang Yu respectively, have registered over 10 patents for offensive cyber tools that allow covert collection of encrypted endpoint data and remote access to devices.
The patented tools facilitate encrypted endpoint data exfiltration, forensic analysis on mobile and Apple devices, and network traffic monitoring, highlighting advanced capabilities in targeted surveillance and espionage. There is evidence that some tools from these companies enable "close access operations," meaning direct physical or network proximity targeting individuals of interest to enable collection without alerting them.
The hackers' close relationships with Chinese government entities like the SSSB suggest coordinated efforts, possibly including insider access or direct harvesting of vulnerability research from security researchers or vendors, amplifying the efficiency and scale of their attacks.
SentinelOne's report also highlights the PurpleHaze and ShadowPad activity, whose tradecraft suggests the involvement of UNC5174, a contractor for China's Ministry of State Security that specializes in initial access and vulnerability exploitation. The attempts to breach security firm SentinelOne and a South Asian government agency were unsuccessful.
The operatives who breached a European media firm used infrastructure associated with China and chained together two Ivanti vulnerabilities - CVE-2024-8963 and CVE-2024-8190. The PurpleHaze and ShadowPad activity clusters span multiple intrusions into different targets between July 2024 and March 2025.
CISA had previously warned about threat actors chaining together these two Ivanti flaws in January. The victimology includes a South Asian government entity, a European media organization, and over 70 organizations across various sectors.
SentinelOne's report focuses on two clusters of activity: one in October 2024 and another in early 2025. Hackers connected to SentinelOne's internet-facing server for reconnaissance in October 2024. The European media firm attack involved similar tools, including the GOREshell backdoor and open-source tools provided by The Hacker's Choice (THC).
SentinelOne is highlighting these incidents to raise awareness of how often hackers target security vendors. The company has high confidence that China was responsible for the PurpleHaze and ShadowPad activity.