Hafnium, a government-backed hacking group, is patenting technology to access Apple computers, cell phones, and smart home devices.
A comprehensive investigation by SentinelLabs, a renowned malware and cybercrime research site, reveals a complex network of companies, hackers, and government links indicating a sophisticated Chinese cyber-espionage campaign. Despite censorship efforts, Chinese netizens are discussing and commenting on the report, titled “Silk Spun from Hafnium.” It investigates the activities of the hacking group Hafnium, also known as Silk Typhoon, revealing that its operations are broader and more state-sponsored than previously thought.
Hafnium gained widespread attention in 2021 after exploiting weaknesses in Microsoft Exchange servers, which allowed access to sensitive emails from U.S. government agencies and private firms. Although Hafnium was held responsible for the initial breach, subsequent attacks by other hacking groups exploiting the same vulnerabilities made it difficult to assign blame. Hafnium’s involvement in sparking a global cybersecurity crisis cemented its reputation.
SentinelLabs’ recent findings expand on Hafnium’s previous activities. The report highlights three companies and four individuals connected to Hafnium, all reportedly operating under China’s Ministry of State Security (MSS), particularly its Shanghai division. These entities—Shanghai Powerock, Shanghai Firetech, and an unnamed third company—are not merely rogue groups, but seem to be contracted agents working for the Chinese government, engaging in offensive cyber operations.
What is particularly concerning is the variety of tools these companies have created. Patents filed by Shanghai Firetech describe capabilities for remotely accessing encrypted data on Apple computers, gathering information from routers and smart home devices, decrypting hard drives, and conducting mobile phone surveillance.
These tools imply a degree of intrusion that exceeds usual hacking activities. They could be employed to steal data and observe people in their homes, access private messages, and even control smart devices.
The report raises significant concerns about the evolving nature of cyber threats. Cybersecurity experts have traditionally identified hacking groups through their behavior patterns, such as their targets, tools, and operational methods, but SentinelLabs argues that this approach overlooks the broader context. By shifting the focus to the identities behind the attacks, including the connected companies, individuals, and government agencies, defenders gain a more comprehensive understanding of the threat environment.
This is important because it indicates that China’s cyber activities are not merely carried out by individual hackers. Instead, they form a coordinated ecosystem that includes layers of contractors, government supervision, and advanced tools. Several of these companies have subsidiaries in different cities, implying a comprehensive national network of cyber operatives.
The Hafnium case is part of a larger pattern. The report outlines how China’s cyber strategies have developed since 2021, following the Hafnium breach that drew rare joint criticism from the U.S., UK, and EU. China initiated a coordinated propaganda effort, combining cybersecurity reports with government media messaging. This demonstrates how cyber activities are now closely integrated into China’s political approach.
Recently, U.S. Department of Justice indictments have identified more hackers and companies associated with Hafnium. These legal cases expose the extent of these actors’ integration into China’s state infrastructure. For instance, one hacker was discovered to have reported directly to the Shanghai State Security Bureau, overseeing other hackers and organizing attacks.
One of the report’s most notable aspects is its focus on the people behind the hacks. It profiles individuals like Zhang Yu and Xu Zewei (the latter arrested in Italy on July 8), who reportedly conducted operations for the MSS while working at private companies. Their backgrounds include everything from university tech startups to public talks on Apple device forensics, indicating that these aren’t shadowy figures hiding in basements but professionals operating openly.
This human aspect introduces additional complexity. It shows how cyber skills are developed within China’s tech sector, with individuals moving between academia, private companies, and government roles. It also complicates attribution: distinguishing legitimate business activity from espionage becomes difficult when the same individual is involved in both commercial work and government-backed hacking.
The SentinelLabs report highlights that China’s cyber capabilities are sophisticated and highly institutionalized. The tools detailed in the report could spy on government officials, steal intellectual property from companies, track dissidents and journalists, or conduct surveillance on foreign citizens, including human rights and religious liberty activists who criticize China.
Since these tools are patented and linked to actual companies, they can be sold, shared, or repurposed, allowing their influence to go well beyond China’s borders.
Furthermore, the report indicates that many of these capabilities have not yet been seen in real-world attacks. This could mean defenders are unaware of the full extent of the threat and may be unprepared to defend against it.
The report advocates for changing the global approach to Chinese cyber threats. Rather than solely monitoring malware and attack patterns, defenders should focus on understanding the organizations behind these activities. This involves identifying the companies that develop the tools, the individuals operating them, and the government or Communist Party agencies guiding their actions.
This method could also guide diplomatic initiatives, helping countries determine how to hold state-sponsored hackers accountable.
Source: Bitter Winter