Unravelling Silk Typhoon’s Capabilities

A new report, *China’s Covert Capabilities: Unspooling Silk Spun From Hafnium*, published by SentinelLabs on 30 July 2025, exposes the sophisticated cyber espionage tools developed by Chinese firms linked to the state-sponsored hacking group Silk Typhoon, also known as Hafnium.

Authored by Dakota Cary, the report details over ten patents for intrusive data collection technologies registered by companies named in United States indictments for supporting Hafnium’s operations.

As organisations grapple with securing autonomous AI systems, the findings highlight the growing threat of state-backed cyber actors exploiting software vulnerabilities, a concern echoed in recent cybersecurity guidance.

Prolific Threat Actor

Silk Typhoon, directed by China’s Ministry of State Security (MSS), has a storied history of targeting defence contractors, policy think tanks, universities, and infectious disease research institutions. Its most notorious campaign in 2021 exploited zero-day vulnerabilities in Microsoft Exchange Server (MES), compromising thousands of organisations globally.

The report reveals that two indicted hackers, Xu Zewei and Zhang Yu, operated through Shanghai Powerock Network Company and Shanghai Firetech Information Science and Technology Company, respectively, under the Shanghai State Security Bureau (SSSB).

These firms developed tools capable of extracting encrypted endpoint data, conducting mobile forensics, and collecting network traffic, expanding the group’s offensive arsenal.

The report identifies a suite of patented technologies, including software for remotely recovering files from Apple computers, router evidence collection, and hard drive decryption. These capabilities, previously unreported in Hafnium’s tradecraft, suggest a broader scope of operations than publicly documented. The breadth of this toolkit is particularly relevant given Silk Typhoon’s history of exploiting software supply chains, as seen in the MES attacks.

The ProxyLogon Fallout

Silk Typhoon’s 2021 MES campaign, exploiting the ProxyLogon vulnerability, had far-reaching consequences. Initially detected in January 2021, the group’s stealthy access to United States government emails triggered a global crisis when other Chinese hacking groups began exploiting the same flaws at scale by late February. This led to widespread deployment of webshells, enabling persistent access to compromised servers even after patches were applied.

The United States Department of Justice (DOJ) responded with a court-authorised operation to remove these shells, a rare intervention reflecting the severity of the breach.

The campaign’s fallout reshaped international cybersecurity policy. In July 2021, the United States, United Kingdom, and European Union issued a joint statement condemning China’s cyber activities, a diplomatic milestone that disrupted China’s ability to block such declarations through European Union dissent.

The report notes that this coordinated response, coupled with China’s subsequent blending of cyber threat intelligence with state propaganda, was a direct consequence of Silk Typhoon’s actions.

Corporate Connections & MSS Ties

The report delves into the intricate relationships between indicted hackers and their affiliated firms. Xu Zewei and Zhang Yu, directed by the SSSB, operated through Shanghai Powerock and Shanghai Firetech, respectively. Zhang’s company, Shanghai Firetech, also maintains a subsidiary in Chongqing, suggesting a broader operational footprint. The DOJ’s July 2025 indictment of Xu and Zhang, alongside earlier charges against Yin Kecheng and Zhou Shuai, reveals a tiered ecosystem of Chinese cyber contractors. While low-tier firms like i-Soon struggle with unstable contracts, Shanghai Firetech enjoys a trusted relationship with the MSS, handling specific designated tasks.

Shanghai Firetech’s patents, including tools for intelligent home appliance analysis and remote cellphone evidence collection, hint at capabilities suited for human intelligence (HUMINT) operations. These tools, which could enable close-access surveillance, have not been publicly linked to Hafnium’s campaigns, raising questions about their deployment.

The report suggests that these capabilities may have been sold to other MSS regional offices, complicating attribution efforts.

Attribution Challenges

The report highlights a critical gap in cyber threat attribution: tracking campaigns often focuses on clusters of activity rather than the organisations behind them. Shanghai Firetech’s extensive toolkit, including unreported capabilities against Apple devices, suggests that some operations may be attributed to other threat actors or remain undetected.

The absence of these tools in public Hafnium tradecraft could reflect their use in covert operations or commercial defensive applications, though no such marketing exists.

A Call for Vigilance

The *Hafnium Spun Silk* report clearly demonstrates the need for enhanced cybersecurity measures, particularly as agentic AI systems introduce new vulnerabilities. The OWASP Securing Agentic Applications Guide 1.0 recommends robust input validation and sandboxing to mitigate risks like those posed by Silk Typhoon’s supply chain attacks.

By exposing the depth of China’s cyber capabilities, the report urges organisations to prioritise visibility and control over software dependencies, ensuring that state-sponsored threats do not exploit the digital fabric of modern systems.

Hacker News | NatoThoughts | @sentinelOne

Image: Ideogram
