Silk Typhoon Linked to Powerful Offensive Tools - Dark Reading
Silk Typhoon Linked to Powerful Offensive Tools, PRC-Backed Companies
An unsealed indictment associated with the Chinese threat group shows its members worked for companies closely aligned with the PRC as part of a larger contractor ecosystem.
Elizabeth Montalbano, Contributing Writer
July 30, 2025
4 Min Read
Fresh insights into China-backed threat group Silk Typhoon's attacks on the US government and other targets reveal previously unknown sophisticated offensive tooling as well as tight links between attackers, the companies for which they work, and the Chinese government.
In a report published today, SentinelLabs analyzed an indictment of two hackers, Xu Zewei and Zhang Yu, released by the Department of Justice (DoJ) earlier this month, which outlines their work for two firms on behalf of China's Ministry of State Security (MSS). The pair are alleged to be part of Silk Typhoon, aka Hafnium, a notorious Chinese threat actor, and information from the indictment demonstrates how China's contracting ecosystem plays a key role in the threat landscape, according to the report.
Specifically, researchers identified more than 10 patents for "highly intrusive forensics and data collection technologies" registered by companies — such as Shanghai Firetech Information Science and Technology Company — working on behalf of Silk Typhoon and which have not previously been identified as tools of the threat actor. These technologies offer unreported offensive capabilities, from acquisition of encrypted endpoint data to mobile forensics and data collection from network devices.
Looking Beyond Threat Groups
The revelations highlight a gap in typical threat attribution, which tends to identify named threat actors rather than the companies that employ them; those companies should not be overlooked when investigating attacks, observes Dakota Cary, a China-focused consultant at SentinelOne's SentinelLabs and a non-resident fellow at the Atlantic Council's Global China Hub.
In this case, the companies employing the hackers indicted were part of a hierarchy of Chinese contractors involved in doing offensive hacking for the People's Republic of China (PRC), he tells Dark Reading via email.
"The difference between capabilities owned by Shanghai Firetech and observed Hafnium [tactics, techniques, and procedures, or TTPs] underlines how mapping intrusion activity back to an organization is not a 1-to-1 question, especially in China," he tells Dark Reading. "Defenders may have encountered other intrusions supported by Shanghai Firetech without ever knowing the same company was behind both that intrusion and Hafnium." Overall, SentinelLabs found that defenders can gain an advantage by identifying not only the individuals and groups behind attacks, but the companies they work for, the capabilities those companies have, and how those capabilities fortify the initiatives of the state entities that contract with these firms.
Unraveling the Chinese 'Hired Gun' Ecosystem
Silk Typhoon/Hafnium is a notorious threat group that security researchers have been tracking for years. It was most recently associated with a breach of the US Treasury Department, but it has also been tied to attacks on organizations in multiple sectors, including defense contractors, healthcare, nongovernmental organizations, higher education, law firms, and policy think tanks.
In 2021, the group also garnered considerable attention for exploiting four zero-day vulnerabilities in Microsoft Exchange Server, including one now infamously known as ProxyLogon, to compromise email servers in targeted strikes.
The indictment revealed that China's contracting ecosystem forces many companies and individuals to collaborate on intrusions, which means that many China-based advanced persistent threats (APTs) like Silk Typhoon may comprise many different companies with many different clients, Cary says.
"China's diverse private sector offensive ecosystem supports a wide array of intrusion capabilities," he tells Dark Reading. "Mapping observed tooling back to a cluster may not actually represent the true organization structure of the attackers."
Indeed, the DoJ indictment reveals a hierarchy of offensive hacking outfits in China, with Zewei and Yu working at the direction of the Shanghai State Security Bureau (SSSB) while also working for other companies. Zewei was working at the Shanghai Powerock Network Company, while Yu was employed with Shanghai Firetech, which itself was working on specific tasking from MSS officers.
There are other companies on the lower rungs of the hierarchy as well, such as i-Soon, whose employees are plagued with low morale and low-paying contracts, often subcontracting to bigger, better firms, according to the report. These workers can move up the ladder by working for a direct competitor called Chengdu404, which has stable business, works from multiple offices, and at one point was China's most prolific APT.
Rethink Threat Intelligence
What all this means for threat intelligence is that researchers should begin to shift their thinking away from tracking clusters of behavior and mapping them back to APTs or other groups, and toward digging deeper into the organizations that employ the individual members of those groups and the capabilities those organizations hold.
This could lead them to find as-yet-uncovered links between various threat groups and actors that are tied together by offensive tooling provided by those organizations, which in turn could lead to more successful threat-hunting outcomes, Cary observes.
"Threat intelligence analysts should be conscientious of pivoting from tool-use as an indicator of a relationship between attackers or their APTs," he says. "As the research shows, the companies that support intrusions may be providing their tooling to other actors in the ecosystem, leading to incomplete or misleading attribution."
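To make the attribution point concrete, here is an added Python illustration (not code from the article or from SentinelLabs) of the two ways of pivoting the report contrasts. It builds a small graph from constructed placeholder data (the cluster, tool, and contractor names are assumptions, not findings): a naive pivot merges any two intrusion clusters that share a tool into one "actor", while a supplier-aware view records the contractor that provides the tool as its own node, so a shared tool with a known third-party supplier is explained by that supplier rather than by a shared operator, and clusters with no tool overlap at all can still be connected through a common contractor.

```python
from collections import defaultdict

# Constructed sample data for illustration only. These cluster, tool and
# contractor names are placeholders, not entities from the SentinelLabs report.
CLUSTER_TOOLS = {
    "cluster-A": {"tool-1", "tool-2"},
    "cluster-B": {"tool-2", "tool-3"},
    "cluster-C": {"tool-4"},
}
# Which contractor supplies each tool (assumed, for the example).
TOOL_SUPPLIERS = {
    "tool-1": "contractor-X",
    "tool-2": "contractor-X",  # one tool, supplied to two clusters
    "tool-3": "contractor-Y",
    "tool-4": "contractor-Y",
}


def connected_components(adjacency):
    """Connected components of an undirected graph, as a list of frozensets.

    Components are emitted in order of their smallest node name so the result
    is deterministic.
    """
    seen = set()
    components = []
    for start in sorted(adjacency):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adjacency.get(node, ()))
        seen |= component
        components.append(frozenset(component))
    return components


def attribute_by_tool_overlap(cluster_tools):
    """Naive pivot: clusters that share any tool are merged into one 'actor'."""
    tool_to_clusters = defaultdict(set)
    for cluster, tools in cluster_tools.items():
        for tool in tools:
            tool_to_clusters[tool].add(cluster)
    adjacency = {cluster: set() for cluster in cluster_tools}
    for clusters in tool_to_clusters.values():
        for cluster in clusters:
            adjacency[cluster] |= clusters - {cluster}
    return connected_components(adjacency)


def supplier_graph(cluster_tools, tool_suppliers):
    """Bipartite graph linking each cluster to the contractors that supplied its tools."""
    adjacency = defaultdict(set)
    for cluster, tools in cluster_tools.items():
        for tool in tools:
            supplier = tool_suppliers[tool]
            adjacency[cluster].add(supplier)
            adjacency[supplier].add(cluster)
    return dict(adjacency)


def explain_overlaps(cluster_tools, tool_suppliers):
    """For every pair of clusters that share a tool, list the shared tools and
    the contractors that supply them. A shared tool whose supplier is known is
    evidence of a shared supplier, not by itself of a shared operator."""
    explanations = {}
    clusters = sorted(cluster_tools)
    for i, first in enumerate(clusters):
        for second in clusters[i + 1:]:
            shared = cluster_tools[first] & cluster_tools[second]
            if shared:
                explanations[(first, second)] = {
                    "shared_tools": shared,
                    "supplied_by": {tool_suppliers[t] for t in shared},
                }
    return explanations


if __name__ == "__main__":
    print("tool-overlap actors:", attribute_by_tool_overlap(CLUSTER_TOOLS))
    graph = supplier_graph(CLUSTER_TOOLS, TOOL_SUPPLIERS)
    print("supplier components:", connected_components(graph))
    print("overlap explanations:", explain_overlaps(CLUSTER_TOOLS, TOOL_SUPPLIERS))
```

On the constructed data the naive pivot collapses cluster-A and cluster-B into one actor purely because both used tool-2, while the supplier view shows that overlap is accounted for by contractor-X supplying the tool to both, and additionally links cluster-C to cluster-B through contractor-Y even though the two share no tooling. The same pattern, with real observations in place of the placeholders, is what the report's warning about pivoting on tool use amounts to.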
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.