Unravelling Silk Typhoon’s Capabilities

A new report, *China’s Covert Capabilities: Unspooling Silk Spun From Hafnium*, published by SentinelLabs on 30 July 2025, exposes the sophisticated cyber espionage tools developed by Chinese firms linked to the state-sponsored hacking group Silk Typhoon, also known as Hafnium.

Authored by Dakota Cary, the report details over ten patents for intrusive data collection technologies registered by companies named in United States indictments for supporting Hafnium’s operations.

As organisations grapple with securing autonomous AI systems, the findings highlight the growing threat of state-backed cyber actors exploiting software vulnerabilities, a concern echoed in recent cybersecurity guidance.

Prolific Threat Actor

Silk Typhoon, directed by China’s Ministry of State Security (MSS), has a storied history of targeting defence contractors, policy think tanks, universities, and infectious disease research institutions. Its most notorious campaign in 2021 exploited zero-day vulnerabilities in Microsoft Exchange Server (MES), compromising thousands of organisations globally.

The report reveals that two indicted hackers, Xu Zewei and Zhang Yu, operated through Shanghai Powerock Network Company and Shanghai Firetech Information Science and Technology Company, respectively, under the Shanghai State Security Bureau (SSSB).

These firms developed tools capable of extracting encrypted endpoint data, conducting mobile forensics, and collecting network traffic, expanding the group’s offensive arsenal.

The report identifies a suite of patented technologies, including software for remotely recovering files from Apple computers, router evidence collection, and hard drive decryption. These capabilities, previously unreported in Hafnium’s tradecraft, suggest a broader scope of operations than publicly documented. This expanded toolset is particularly relevant given Silk Typhoon’s history of exploiting software supply chains, as seen in the MES attacks.

The ProxyLogon Fallout

Silk Typhoon’s 2021 MES campaign, exploiting the ProxyLogon vulnerability, had far-reaching consequences. Initially detected in January 2021, the group’s stealthy access to United States government emails triggered a global crisis when other Chinese hacking groups began exploiting the same flaws at scale by late February. This led to widespread deployment of webshells, enabling persistent access to compromised servers even after patches were applied.

The United States Department of Justice (DOJ) responded with a court-authorised operation to remove these shells, a rare intervention reflecting the severity of the breach.

The campaign’s fallout reshaped international cybersecurity policy. In July 2021, the United States, United Kingdom, and European Union issued a joint statement condemning China’s cyber activities, a diplomatic milestone that disrupted China’s ability to block such declarations through European Union dissent.

The report notes that this coordinated response, coupled with China’s subsequent blending of cyber threat intelligence with state propaganda, was a direct consequence of Silk Typhoon’s actions.

Corporate Connections & MSS Ties

The report delves into the intricate relationships between indicted hackers and their affiliated firms. Xu Zewei and Zhang Yu, directed by the SSSB, operated through Shanghai Powerock and Shanghai Firetech, respectively. Zhang’s company, Shanghai Firetech, also maintains a subsidiary in Chongqing, suggesting a broader operational footprint. The DOJ’s July 2025 indictment of Xu and Zhang, alongside earlier charges against Yin Kecheng and Zhou Shuai, reveals a tiered ecosystem of Chinese cyber contractors. While low-tier firms like i-Soon struggle with unstable contracts, Shanghai Firetech enjoys a trusted relationship with the MSS, handling specific designated tasks.

Shanghai Firetech’s patents, including tools for intelligent home appliance analysis and remote cellphone evidence collection, hint at capabilities suited for human intelligence (HUMINT) operations. These tools, which could enable close-access surveillance, have not been publicly linked to Hafnium’s campaigns, raising questions about their deployment.

The report suggests that these capabilities may have been sold to other MSS regional offices, complicating attribution efforts.

Attribution Challenges

The report highlights a critical gap in cyber threat attribution: tracking campaigns often focuses on clusters of activity rather than the organisations behind them. Shanghai Firetech’s extensive toolkit, including unreported capabilities against Apple devices, suggests that some operations may be attributed to other threat actors or remain undetected.

The absence of these tools in public Hafnium tradecraft could reflect their use in covert operations or commercial defensive applications, though no such marketing exists.

A Call for Vigilance

The Hafnium Spun Silk report clearly demonstrates the need for enhanced cybersecurity measures, particularly as agentic AI systems introduce new vulnerabilities. The OWASP Securing Agentic Applications Guide 1.0 recommends robust input validation and sandboxing to mitigate risks like those posed by Silk Typhoon’s supply chain attacks.

By exposing the depth of China’s cyber capabilities, the report urges organisations to prioritise visibility and control over software dependencies, ensuring that state-sponsored threats do not exploit the digital fabric of modern systems.
