Prolific Chinese state-sponsored hackers are backed by Chinese companies developing offensive tooling for them, a new report from SentinelOne’s SentinelLabs shows.
Looking at the recently unsealed indictment against Xu Zewei and Zhang Yu, two Chinese nationals accused of being part of the APT tracked as Silk Typhoon (also known as Hafnium), SentinelLabs has uncovered connections with several Chinese firms that build offensive technology.
Silk Typhoon is known for targeting defense, healthcare, higher education, legal services, and non-governmental organizations, and is also known for last year’s attack on the US Department of the Treasury and for global IT supply chain hacks.
Prior to Xu and Zhang, the US indicted two other hackers connected to the APT, namely Yin Kecheng and Zhou Shuai, who are linked through Zhou’s Shanghai-based firm iSoon and have been associated with cyber operations attributed to various Chinese threat actors, including Silk Typhoon.
Other Chinese companies linked to the hackers, the indictments revealed, include Shanghai Heiying Information Technology Company, Shanghai Powerock Network Company, and Shanghai Firetech Information Science and Technology Company.
These companies, SentinelLabs notes, performed various work and tasks on behalf of China’s Ministry of State Security (MSS), as did Chengdu404, iSoon’s main competitor and at one point one of China’s most prolific APTs. Another front company for MSS activities is Wuhan Xiao Rui Zhi (Wuhan XRZ), established in 2010.
SentinelLabs’ report shows that the relationship between the hackers, their companies, and the Chinese government is not one-way, pointing out the possibility that the Shanghai State Security Bureau (SSSB) might have aided with the exploitation of the ProxyLogon zero-days in Exchange Server in 2021.
Silk Typhoon started exploiting the bugs in January 2021, around the same time that security researcher OrangeTsai shared publicly that he had discovered a pre-authentication remote code execution (RCE) vulnerability in Exchange Server.
It was speculated that the APT hacked the devices of Microsoft employees working with inbound bug reports, or that OrangeTsai’s devices were compromised and the exploit stolen. However, a Guangdong security agency was seen passing malware to hackers, and the SSSB might have done the same.
“But Zhang and Xu’s close relationship with the SSSB raises the possibility that the Bureau collected OrangeTsai’s research themselves, either through an insider at Microsoft, a close-access operation against OrangeTsai, or some other collection method, and then passed the vulnerabilities to Xu and Zhang,” SentinelLabs says.
In March 2021, only three days after warning that Silk Typhoon was exploiting the Exchange zero-days dubbed ProxyLogon, Microsoft noted that multiple malicious actors had started targeting the flaws. The involvement of the hackers and their companies in multiple operations could explain the rapid adoption of the exploit.
SentinelLabs also identified connections between the APT and two other Chinese individuals, Yin Wenji and Peng Yinan, who co-founded Campus Command together with Zhang Yu.
Yin Wenji, founder and CEO of Shanghai Firetech, spoke in 2015 of the possibility of recovering files from Apple FileVault. In 2020, the company filed for “patent protection on a tool capable of collecting files from Apple computers,” SentinelLabs notes.
Shanghai Firetech also filed for patents on forensics technologies enabling remote automated evidence collection from Apple devices, routers, and other systems. Some of these capabilities are part of Silk Typhoon’s arsenal.
Other patents show that the company develops capabilities useful in HUMINT operations (gathering information from human sources) and still supports offensive operations. The company likely offers services to clients beyond Shanghai, as it has a subsidiary in Chongqing, namely Chongqing Firetech.
“The variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon publicly. The findings underline the difficulty in successfully attributing intrusions to the organizations responsible for them. The capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium,” SentinelLabs notes.