Cyber Web Spider Blog – News

Chinese Firms Linked to Silk Typhoon Filed 15+ Patents for Cyber Espionage Tools

Posted on July 30, 2025 By CWS

Jul 30, 2025 | Ravie Lakshmanan | Endpoint Security / Cyber Espionage
Chinese firms linked to the state-sponsored hacking group known as Silk Typhoon (aka Hafnium) have been identified as behind over a dozen technology patents, shedding light on the shadowy cyber contracting ecosystem and its offensive capabilities.
The patents cover forensics and intrusion tools that enable encrypted endpoint data collection, Apple device forensics, and remote access to routers and smart home devices, SentinelOne said in a new report shared with The Hacker News.
“This new insight into the Hafnium-affiliated firms’ capabilities highlights an important deficiency in the threat actor attribution space: threat actor tracking typically links campaigns and clusters of activity to a named actor,” Dakota Cary, China-focused strategic advisor for SentinelLabs, said.

“Our research demonstrates the strength in identifying not only the individuals behind attacks, but the companies they work for, the capabilities those companies have, and how those capabilities fortify the initiatives of the state entities who contract with these firms.”
The findings build upon the U.S. Department of Justice’s (DoJ) July 2025 indictment of Xu Zewei and Zhang Yu, who, working on behalf of China’s Ministry of State Security (MSS), are accused of orchestrating the widespread exploitation campaign in 2021 aimed at Microsoft Exchange Server using then-zero-days dubbed ProxyLogon.
Court documents alleged that Zewei worked for a company named Shanghai Powerock Network Co. Ltd., while Yu was employed at Shanghai Firetech Information Science and Technology Company, Ltd. Both individuals are said to have operated under the discretion of the Shanghai State Security Bureau (SSSB).

Interestingly, Natto Thoughts reported that Powerock deregistered its business on April 7, 2021, a little over a month after Microsoft pointed fingers at China for the zero-day exploitation activity. Zewei would then go on to join Chaitin Tech, another prominent cybersecurity firm, only to change jobs again and begin working as an IT supervisor at Shanghai GTA Semiconductor Ltd.
It's worth mentioning at this stage that Yin Kecheng, a hacker tied to Silk Typhoon, is said to have been employed at a third Chinese firm named Shanghai Heiying Information Technology Company, Limited, which was established by Zhou Shuai, a Chinese patriotic hacker and purported data broker.
“Shanghai Firetech worked on specific tasking handed down from MSS officers,” Cary explained. “Shanghai Firetech and co-conspirators earned an on-going, trusting relationship with the MSS’s premier regional office, the SSSB.”
“This ‘directed’ nature of the relationship between the SSSB and these two companies contours the tiered system of offensive hacking outfits in China.”

Further investigation into the web of connections between the individuals and their companies has uncovered patents filed by Shanghai Firetech and Shanghai Siling Commerce Consulting Center, a firm jointly founded by Yu and Yin Wenji, CEO of Shanghai Firetech, to collect “evidence” from Apple devices, routers, and defensive equipment.
There’s also evidence to suggest that Shanghai Firetech may be engaged in developing solutions that could enable close access operations against individuals of interest.
“The variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon publicly,” Cary said. “The capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium, despite being owned by the same corporate structure.”

The Hacker News | Tags: Chinese, Cyber, Espionage, Filed, Firms, Linked, Patents, Silk, Tools, Typhoon
