Ethical Hacking News
A new report from SentinelOne has shed light on the shadowy cyber contracting ecosystem, revealing that several Chinese firms linked to Silk Typhoon have been identified as behind over a dozen technology patents. These patents cover forensics and intrusion tools used by state-sponsored hacking groups, and they highlight an important deficiency in the threat actor attribution space: tracking campaigns and clusters of activity to named actors. The findings underscore the need for more robust attribution methodologies that can identify not only individuals but also the companies they work for, the capabilities those companies have, and how those capabilities fortify state initiatives.
The patents in question enable encrypted endpoint data collection, Apple device forensics, and remote access to routers and smart home devices. Threat actor tracking typically links campaigns to a named actor, an important deficiency in current attribution methodologies. More robust methodologies are needed to identify not only individuals but also the companies and state entities involved in cyber contracting. Patent filings offer one window into the capabilities and methods of state-sponsored hacking groups, and can inform strategies for countering these threats.
In a recent report shared by SentinelOne, it has been revealed that several Chinese firms linked to the state-sponsored hacking group known as Silk Typhoon (aka Hafnium) have been identified as behind over a dozen technology patents. The patents in question cover forensics and intrusion tools that enable encrypted endpoint data collection, Apple device forensics, and remote access to routers and smart home devices. This new information sheds light on the shadowy cyber contracting ecosystem and its offensive capabilities.
According to Dakota Cary, China-focused strategic advisor for SentinelLabs, "This new insight into the Hafnium-affiliated firms' capabilities highlights an important deficiency in the threat actor attribution space: threat actor tracking typically links campaigns and clusters of activity to a named actor." The findings build upon the U.S. Department of Justice's (DoJ) July 2025 indictment of Xu Zewei and Zhang Yu, who, working on behalf of China's Ministry of State Security (MSS), are accused of orchestrating the widespread exploitation campaign in 2021 aimed at Microsoft Exchange Server using then-zero-days dubbed ProxyLogon.
Court documents alleged that Xu Zewei worked for a company named Shanghai Powerock Network Co. Ltd., while Zhang Yu was employed at Shanghai Firetech Information Science and Technology Company, Ltd. Both individuals are said to have operated under the direction of the Shanghai State Security Bureau (SSSB). Notably, Natto Thoughts reported that Powerock deregistered its business on April 7, 2021, a little over a month after Microsoft publicly attributed the zero-day exploitation activity to China.
Xu Zewei would then go on to join Chaitin Tech, another prominent cybersecurity firm, only to change jobs again and begin working as an IT manager at Shanghai GTA Semiconductor Ltd. This movement across multiple companies raises questions about how such individuals are able to continue their work for so long without being detected. Cary explains that "Shanghai Firetech worked on specific tasking handed down from MSS officers." The relationship between the SSSB and these two companies illustrates the tiered system of offensive hacking outfits in China.
The patents filed by Shanghai Firetech, and by a firm jointly founded by Zhang Yu and Yin Wenji, the CEO of Shanghai Firetech, to collect "evidence" from Apple devices, routers, and defensive equipment, demonstrate the variety of tools under Shanghai Firetech's control. Those capabilities may have been sold to other regional MSS offices, and thus never attributed to Hafnium, despite being owned by the same corporate structure. Cary further states that "The variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon publicly."
This new information highlights an important deficiency in the threat actor attribution space: threat actor tracking typically links campaigns and clusters of activity to a named actor. The findings also underscore the need for more robust attribution methodologies that can identify not only the individuals behind attacks, but also the companies they work for, the capabilities those companies have, and how those capabilities fortify the initiatives of the state entities who contract with these firms.
The use of patents as a tool for understanding the capabilities of state-sponsored hacking groups is a fascinating area of study. By examining the patents filed by these companies, researchers can gain insight into the types of tools they are using to carry out their attacks and the methods they are employing to avoid detection. This information can be used to inform strategies for countering these threats and to improve overall cybersecurity resilience.
In recent years, there have been numerous high-profile instances of state-sponsored hacking groups using advanced tools and techniques to breach the networks of organizations around the world. In many cases, it has proven difficult to identify the individuals and companies behind these attacks, leaving organizations struggling to respond effectively to the threats they pose.
However, the SentinelOne report suggests that this may be starting to change. By tying more than a dozen technology patents for forensics and intrusion tools to Chinese firms linked to Silk Typhoon, it connects named companies to specific capabilities: encrypted endpoint data collection, Apple device forensics, and remote access to routers and smart home devices.
In conclusion, the SentinelOne report has significant implications for our understanding of threat actor attribution. Its finding that several Chinese firms linked to Silk Typhoon stand behind over a dozen technology patents, covering forensics and intrusion tools for encrypted endpoint data collection, Apple device forensics, and remote access to routers and smart home devices, ties named companies to concrete offensive capabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/Shedding-Light-on-Shadowy-Cyber-Contracting-Ecosystem-Chinese-Firms-Linked-to-Silk-Typhoon-ehn.shtml
https://thehackernews.com/2025/07/chinese-firms-linked-to-silk-typhoon.html
Published: Wed Jul 30 07:15:36 2025 by llama3.2 3B Q4_K_M