Chinese companies believed to be affiliated with the state-sponsored hacking group known as Silk Typhoon (Hafnium) have been linked to over a dozen technology patents for highly intrusive forensics and data collection technologies, according to the latest findings from SentinelLabs.
The patents analyzed by the team describe tools for collecting encrypted endpoint data, forensic access to Apple devices, and remote control of routers and smart home systems.
At the beginning of this month, the US Department of Justice indicted two Chinese nationals, Xu Zewei and Zhang Yu, for their roles in a 2021 global cyber exploitation campaign that targeted Microsoft Exchange servers using the zero-day vulnerabilities known collectively as ProxyLogon. Prosecutors allege the two were acting on behalf of China's Ministry of State Security (MSS).
Court documents identify Xu Zewei as an employee of Shanghai Powerock Network Co. Ltd. and Zhang Yu as an employee of Shanghai Firetech Information Science and Technology Company, Ltd. Both firms reportedly operated under the oversight of the Shanghai State Security Bureau (SSSB). Notably, Powerock liquidated its business in April 2021, just over a month after Microsoft publicly attributed the ProxyLogon attacks to Chinese state actors. Xu has since worked in several roles, including time at Chaitin Tech and later at Shanghai GTA Semiconductor Ltd.
Further investigation has revealed additional corporate links to Silk Typhoon operatives. One hacker, Yin Kecheng, is believed to have worked at Shanghai Heiying Information Technology Company, a firm founded by Zhou Shuai, an alleged patriotic hacker and data broker. Yin also co-founded the Shanghai Siling Commerce Consulting Center with Zhang Yu. This company, along with Firetech, filed patents covering data collection from consumer electronics and network infrastructure, capabilities that could enable advanced surveillance.
Evidence suggests Firetech has been involved in developing close-access operational tools that could be used to physically compromise individuals' devices or systems in proximity-based operations.
Recent patents from Shanghai Firetech, together with its past work for the SSSB, indicate that the company may supply tooling for human intelligence (HUMINT) operations. Some of its patents focus on smart home device analysis, remote control software, and tools for collecting digital evidence, all of which could support close monitoring of individuals. Other patents, such as those for breaking into hard drives, extracting data from mobile phones, and running cyberattack simulations, suggest the company remains active in offensive cyber work.
Researchers say the companies could be developing and selling their tools not only to the Shanghai State Security Bureau but also to other regional MSS offices across China.