# SentinelLabs uncovers China's hidden cyber-espionage arsenal

Published 2025-08-01 on cybersecurityinfocus.com (post 4201, category: education).

A number of patents have been granted to companies in the People's Republic of China (PRC) involving "highly intrusive forensics and data collection technologies" that allow everything from the acquisition of encrypted endpoint data and mobile forensics to collecting traffic from network devices, says a report from SentinelLabs, a division of security vendor SentinelOne.

[Dakota Cary](https://www.linkedin.com/in/dakotacary/), the report's author, said Thursday in an email to *CSOonline* that the most important pieces of new information gleaned from the findings are that "China's contracting ecosystem forces many companies and individuals to collaborate on intrusions. This means many China-based Advanced Persistent Threats (APTs) may actually contain many different companies with many different clients."

The nation's diverse private sector offensive ecosystem, he said, "supports a wide array of intrusion capabilities. Mapping observed tooling back to a cluster may not actually represent the true organization structure of the attackers."

In his [15-page report](https://www.sentinelone.com/labs/chinas-covert-capabilities-silk-spun-from-hafnium/), he noted that, earlier this month, the US Department of Justice (DoJ) released an [indictment](https://www.justice.gov/opa/pr/justice-department-announces-arrest-prolific-chinese-state-sponsored-contract-hacker) of two hackers, Xu Zewei and Zhang Yu, accused of working on behalf of China's Ministry of State Security (MSS), that, he said, "sheds new light on the PRC's contracting ecosystem. The indictment outlined that Xu and Zhang worked for two firms previously unattributed in the public domain to the Hafnium (aka Silk Typhoon) threat actor group."

Xu, who was arrested on July 3 in Italy and is facing extradition to the US, was involved with a company called Shanghai Powerock, while Zhang, who remains at large, was with Shanghai Firetech.

## Tiered system of hacking outfits

Cary stated in the report, "the DoJ maintains that [the pair] worked at the 'direction' of the Shanghai State Security Bureau (SSSB) … This 'directed' nature of the relationship between the SSSB, and these two companies contours the tiered system of offensive hacking outfits in China."

In addition, the DoJ indictment noted, "the announcement of charges against Xu is the [latest](https://www.csoonline.com/article/3840168/us-charges-12-chinese-hackers-in-major-government-backed-espionage-campaign.html) describing the PRC's use of an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government's involvement."

Cary said that SentinelLabs has identified 10+ patents filed in the PRC that were registered by companies named in US indictments as working on behalf of the Hafnium threat actor group.

These, he said, include "remote automated evidence collection software, Apple computer comprehensive evidence collection software, router intelligent evidence collection software, and computer scene rapid evidence collection software."

Shanghai Firetech, said Cary, conducts offensive hacking at the direction of the SSSB. "The company also has patents on a variety of offensive tools that suggest the capability to monitor individuals' homes, like intelligent home appliances analysis platform, long-range household computer network intelligentized control software, and intelligent home appliances evidence collection software which could support surveillance of individuals abroad. Other intelligence agencies, like the CIA, are known to have similar capabilities," he wrote.

[Luke McNamara](https://www.linkedin.com/in/lukemcnamara/), deputy chief analyst of the Google Threat Intelligence Group, said the report findings "align with what we understand about the nature of state-sponsored cyber espionage in China, and further showcase the role these enterprises play in enabling the larger ecosystem of threat activity from China attributed operations, with increasing volume and scale."

## The puzzle of the patents

[John Annand](https://www.infotech.com/profiles/john-annand), digital infrastructure practice lead at Info-Tech Research Group, said, "a weapon system is a weapon system, regardless of the means or material of fabrication. Are we really so surprised that some entity other than the Western military industrial complex would patent technology whose predominant purpose would be viewed (at least by them) as vital to their self-defense interests?"

As nation-states advance their own agendas (political, commercial, or other) by alternate means, he said, "it is incumbent on global leaders to adjust their approach to protect the commercial and political interests of their own citizens."

However, the filing of the patents puzzled [David Shipley](https://www.linkedin.com/in/dbshipley/), head of Canadian security awareness training provider Beauceron Security. "Honestly, I don't get it," he said. "It just feels so dumb. The entire point of a patent system is to encourage innovation by requiring inventors to disclose the unique elements of an invention; it encourages others to develop better processes, designs and tools."

Shipley said, "in essence, by patenting their approaches, the companies are giving a blueprint of their ideas to others. As well, they're showing their hand to platform providers in enough detail so they can fix those issues. If they were worried about intellectual property protection, keeping these a trade secret would have seemed to be smarter IP strategy. But as folks in our biz often say, 'Operational Security (OpSec) is hard.' Even more so when you patent and publish your hacks."