Chinese Firms Linked to Silk Typhoon Filed 15+ Patents for Cyber Espionage Tools
Summary:
In July 2025, the DOJ indicted two Chinese hackers, Xu Zewei and Zhang Yu, for their work on behalf of China's Ministry of State Security (MSS), revealing new details about the PRC's contracting ecosystem. The indictment linked these individuals and their firms, Shanghai Powerock Network Company and Shanghai Firetech Information Science and Technology Company, to the Hafnium (aka Silk Typhoon) state-sponsored adversary, known for its prolific attacks against defense contractors, think tanks, higher education, and infectious disease research institutions, including a significant 2021 campaign exploiting several Microsoft Exchange Server zero-day vulnerabilities. The DOJ indictments reinforce the complexity and interconnectedness of the current operations. Research into these connections uncovered offensive tooling owned by Hafnium-associated companies, including a patent for Apple remote file recovery software, which has not previously been observed in any Silk Typhoon activity.
The report also highlights the tiered relationships between Chinese state-sponsored hackers and their customers, with firms like Shanghai Firetech working on specific tasks directly from the MSS, in contrast to lower-tier groups like i-Soon, which focus on activity like opportunistic procurement of initial access. The widespread exploitation of the Microsoft Exchange Server vulnerabilities, particularly ProxyLogon, led to a rare joint condemnation of PRC actions by the U.S., U.K., and E.U. in July 2021, which significantly impacted Chinese foreign policy and prompted a coordinated public opinion campaign against U.S. hacking operations. Further indictments in early 2025 of Yin Kecheng and Zhou Shuai, also linked to Silk Typhoon/Hafnium, clarified the intricate web of companies and individuals supporting state-sponsored cyber operations, including Zhou Shuai's role as a broker through i-Soon. The findings from SentinelOne highlight a deficiency in traditional threat actor attribution, which often focuses solely on campaign activity rather than identifying the individuals, their companies, and the full scope of their capabilities.
Security Officer Comments:
The recent DOJ indictments of Xu Zewei and Zhang Yu, alongside prior actions against Yin Kecheng and Zhou Shuai, have provided critical new insights into the operational infrastructure and contracting model of China's state-sponsored cyber espionage, particularly concerning Hafnium/Silk Typhoon activity. It is becoming increasingly clear that what we have traditionally tracked as separate APT groups are complex ecosystems of interconnected companies and individuals operating under direct guidance from the MSS, as many have long suspected. This tiered contracting approach within China's state-affiliated hacking ecosystem, from "bottom-feeder" brokers like i-Soon to closely directed firms like Shanghai Firetech, shows how difficult truly correct attribution is.
The revelation of previously unknown offensive tooling, such as Shanghai Firetech's patent for Apple device forensics, highlights a major gap in current attribution models. It suggests that capabilities owned by a single corporate structure might be deployed under different campaign names or against diverse targets, depending on which part of the MSS is contracting their services. The possibility that the MSS provided Hafnium with zero-day vulnerabilities, potentially through insider access or direct compromise of researchers like OrangeTsai, underscores the sophistication of their intelligence collection methods and their ability to rapidly operationalize new exploits.
Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://thehackernews.com/2025/07/chinese-firms-linked-to-silk-typhoon.html
https://www.sentinelone.com/labs/chinas-covert-capabilities-silk-spun-from-hafnium/