Chinese language firms linked to the state-sponsored hacking group generally known as Silk Storm (aka Hafnium) have been recognized as behind over a dozen expertise patents, shedding mild on the shadowy cyber contracting ecosystem and its offensive capabilities.
The patents cowl forensics and intrusion instruments that allow encrypted endpoint information assortment, Apple gadget forensics, and distant entry to routers and good residence units, SentinelOne stated in a brand new report shared with The Hacker Information.
“This new perception into the Hafnium-affiliated corporations’ capabilities highlights an necessary deficiency within the menace actor attribution area: menace actor monitoring sometimes hyperlinks campaigns and clusters of exercise to a named actor,” Dakota Cary, China-focused strategic advisor for SentinelLabs, stated.
“Our analysis demonstrates the power in figuring out not solely the people behind assaults, however the firms they work for, the capabilities these firms have, and the way these capabilities fortify the initiatives of the state entities who contract with these corporations.”
The findings construct upon the U.S. Division of Justice’s (DoJ) July 2025 indictment of Xu Zewei and Zhang Yu, who, engaged on behalf of China’s Ministry of State Safety (MSS), are accused of orchestrating the widespread exploitation marketing campaign in 2021 geared toward Microsoft Change Server utilizing then-zero-days dubbed ProxyLogon.
Courtroom paperwork alleged that Zewei labored for an organization named Shanghai Powerock Community Co. Ltd., whereas Yu was employed at Shanghai Firetech Info Science and Expertise Firm, Ltd. Each people are stated to have operated underneath the discretion of the Shanghai State Safety Bureau (SSSB).
Apparently, Natto Ideas reported that Powerock deregistered its enterprise on April 7, 2021, a little bit over a month after Microsoft pointed fingers at China for the zero-day exploitation exercise. Zewei would then go on to be part of Chaitin Tech, one other distinguished cybersecurity agency, solely to vary jobs once more and start working as an IT supervisor at Shanghai GTA Semiconductor Ltd.
It is value mentioning right here at this stage that Yin Kecheng, a hacker tied to Silk Storm, is alleged to have been employed at a 3rd Chinese language agency named Shanghai Heiying Info Expertise Firm, Restricted, which was established by Zhou Shuai, a Chinese language patriotic hacker and purported information dealer.
“Shanghai Firetech labored on particular tasking handed down from MSS officers,” Cary defined. “Shanghai Firetech and co-conspirators earned an on-going, trusting relationship with the MSS’s premier regional workplace, the SSSB.”
“This ‘directed’ nature of the connection between the SSSB and these two firms contours the tiered system of offensive hacking outfits in China.”
Additional investigation into the online of connections between the people and their firms has uncovered patents filed by Shanghai Firetech and Shanghai Siling Commerce Consulting Middle, a agency collectively based by Yu and Yin Wenji, CEO of Shanghai Firetech to gather “proof” from Apple units, routers, and defensive tools.
There’s additionally proof to recommend that Shanghai Firetech can also be engaged in growing options that would allow shut entry operations in opposition to people of curiosity.
“The number of instruments underneath the management of Shanghai Firetech exceeds these attributed to Hafnium and Silk Storm publicly,” Cary stated. “The capabilities could have been offered to different regional MSS workplaces, and thus not attributed to Hafnium, regardless of being owned by the identical company construction.”
