Hafnium: Irrefutable Evidence of China's State-Backed Cyber Assault
- Gabriele Iuvinale
- 5 hours ago
- Reading time: 8 min
Beijing is weaponizing its cyber operations through a network of companies and hackers, such as Hafnium, that hold covert patents for advanced intrusion tools. The SentinelLABS report, "China's Covert Capabilities | Silk Spun From Hafnium", has exposed this multi-tiered system, revealing an unexpected arsenal aimed at targets such as Apple devices. This digital aggression has triggered unprecedented international condemnation and a propaganda counter-offensive from Beijing.
A detailed analysis of the SentinelLABS report titled "China's Covert Capabilities | Silk Spun From Hafnium" has shed light on intricate and clandestine state-sponsored hacking operations. The report presents new findings on the Hafnium threat group, also known as Silk Typhoon, revealing how its activities are deeply rooted in a network of companies and individuals operating on behalf of Beijing's Ministry of State Security (MSS).
SentinelLABS identified over 10 patents for highly intrusive forensics and data collection technologies. These technologies represent significant and previously undocumented offensive capabilities, registered by companies directly named in U.S. indictments as collaborating with the Hafnium group. The identified capabilities range from acquiring encrypted endpoint data and mobile forensics to collecting traffic from network devices.
SentinelLABS' research was not limited to identifying technical capabilities but also explored the complex relationships between indicted hackers, the ownership of their associated firms, and the ties these firms have with various Chinese government entities involved in offensive cyber operations. This in-depth analysis provides a clearer perspective on the structure and operational methods of Beijing's government cyber contracting system.

In July 2025, the U.S. Department of Justice (DOJ) released an indictment of two hackers, Xu Zewei and Zhang Yu, working on behalf of China's Ministry of State Security (MSS). The indictment outlined that Xu and Zhang worked for two firms not previously attributed in the public domain to the Hafnium (aka Silk Typhoon) threat actor group. The report itself does not say whether Xu Zewei and Zhang Yu were arrested in Italy.
Hafnium has a long and notable history of attacks against defense contractors, policy think tanks, higher education, and infectious disease research institutions. The group became exceptionally prolific in 2021, exploiting several zero-day vulnerabilities in Microsoft Exchange Server (MES). Despite this notoriety, the report emphasizes that Hafnium is often wrongly blamed for the wider abuse of the ProxyLogon vulnerabilities that followed the original Hafnium activity, as lesser-tier threat groups flooded the zone with exploitation attempts to opportunistically deliver payloads ranging from espionage to ransomware.
The research's three key findings are the following:
Previously Undocumented Offensive Tooling: Previously unobserved or unreported offensive tooling owned by Hafnium-associated companies named in U.S. indictments was identified. This tooling raises questions about these firms' ongoing work in support of the MSS and how attribution is difficult. A significant example is one company holding at least one patent on software designed to remotely recover files from Apple computers, a capability not documented as used by Hafnium or any related threat actor groups.
Complex Hierarchies and Relationships: The DOJ indictment provides new insights into the tiers of relationships between hackers and their customers. This aspect raises important questions about the extent to which the MSS and its regional offices offer operational support to its contracted hackers.
Extensive Company Network: The research delved into several companies tied to the indicted Hafnium-affiliated hackers and documented their relationships. The report found evidence of multiple companies registered by one of the defendants, Xu Zewei, and dozens more by an associate.
This new insight into the Hafnium-affiliated firms' capabilities highlights a significant deficiency in the threat actor attribution space: threat actor tracking typically links campaigns and clusters of activity to a named actor. However, the report demonstrates the strength in identifying not only the individuals behind attacks, but the companies they work for, the capabilities those companies have, and how those capabilities fortify the initiatives of the state entities who contract with these firms.
The Companies Behind Hafnium and Their Hidden Capabilities: A Detailed Examination
The Hafnium cluster, as revealed by recent DOJ indictments, consisted of at least three different companies. At least two of the indicted individuals, Xu Zewei and Zhang Yu, and their respective companies, Shanghai Powerock Network Company (上海势岩网络科技发展有限公司) and Shanghai Firetech Information Science and Technology Company (上海势炎信息科技有限公司), worked under the direction of the Shanghai State Security Bureau (SSSB). While Yin Kecheng likely worked alongside Xu and Zhang, his exact capacity (as an employee, subcontractor, or jointly tasked by the SSSB) remains unclear. It is also uncertain what work, access, or tooling Zhou Shuai was trying to push through i-Soon, another company implicated in these operations.
Shanghai Firetech, in particular, stands out for its extensive arsenal of tools, many of which have not been publicly attributed to Hafnium and Silk Typhoon thus far. Shanghai Firetech filed for patents on a number of forensics technologies with clear applications as offensive capabilities. These include:
"Remote automated evidence collection software"
"Apple computer comprehensive evidence collection software"
"Router intelligent evidence collection software"
"Computer scene rapid evidence collection software"
"Defensive equipment reverse production software"
A striking aspect is that while Hafnium's observed capabilities check some of these generic boxes, no one had previously reported the group's capabilities against Apple devices. This discovery is particularly relevant considering that Yin Wenji, co-founder of Shanghai Firetech and CEO of Shanghai Firetech Information Science and Technology Co., had already given a talk in 2015 at the Central University of Finance and Economics advertising his ability to recover files from Apple FileVault, five years before his new company would file for patent protection on a tool capable of collecting files from Apple computers. This raises questions about how Hafnium came to exploit Microsoft Exchange vulnerabilities in the same month that OrangeTsai publicly found them, on January 5, 2021. Theories include compromising devices of employees working on inbound vulnerability reports at Microsoft, or even Hafnium hacking into OrangeTsai's devices and stealing the vulnerabilities during his research phase. Zhang and Xu's close relationship with the SSSB reinforces the possibility that the Bureau itself collected OrangeTsai's research through an insider at Microsoft, a close-access operation against OrangeTsai, or some other collection method, and then passed the vulnerabilities to Xu and Zhang. A DOJ indictment shows the Guangdong State Security Department passing malware to its contracted hackers, a pattern that could have been replicated by the SSSB.
More recent patent filings from Shanghai Firetech, spanning from 2021 to 2025, suggest capabilities that could be useful not only in cyber operations but also in Human Intelligence (HUMINT) operations. Capabilities like the "intelligent home appliances analysis platform (2)" (registered on May 13, 2025), "long-range household computer network intelligentized control software (6)" (registered on November 26, 2024), and "intelligent home appliances evidence collection software (23)" (registered on June 7, 2021) could support close-access operations against individuals. Other recent patents demonstrate that the firm continues to support offensive cyber operations, including "specially designed computer hard drive decryption software (13)" (registered on May 15, 2023), "remote cellphone evidence collection software (21)" (registered on June 8, 2021), and "network information security actual confrontation practice software (24)" (registered on June 7, 2021). While these tools may also have commercial defensive applications, the absence of any advertising or offering of such products on the market strongly suggests a primarily offensive use.
The wide range of capabilities patented by Shanghai Firetech, not all of which have been observed in operations attributed to Hafnium, could be explained by the company's relationships with MSS offices beyond Shanghai. While no public tenders or contracts were found, Shanghai Firetech likely offers offensive services to additional customers outside of Shanghai. The company maintains a subsidiary in Chongqing, Chongqing Firetech (重庆势炎信息科技有限公司), which might be larger than its Shanghai-based mothership. In the summer of 2018, Chongqing Firetech opened positions for up to 25 college interns, including for a third office in Nanchang. Shanghai Firetech, by contrast, only paid insurance benefits on 32 full-time employees. The absence of Chongqing Firetech from the indictment does not necessarily indicate that the company was not involved in activity attributed to the Hafnium cluster.
Evolution of Naming and Attribution Challenges
In 2022, Microsoft updated the group's alias from Hafnium to Silk Typhoon. DOJ indictments indicate that Yin's and Zhou's activities were tracked under various naming conventions and clusters, including Silk Typhoon. A DOJ press release summary lists numerous aliases for the Hafnium group, including "APT27," "Threat Group 3390," "Bronze Union," "Emissary Panda," "Lucky Mouse," and "Iron Tiger," and more recently "UTA0178," "UNC 5221," and "Silk Typhoon".
The SentinelLABS report underscores the inherent difficulty in successfully attributing intrusions to the responsible organizations. The variety of tools under the control of Shanghai Firetech far exceeds those publicly attributed to Hafnium and Silk Typhoon. It is possible that these capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium, despite being owned by the same corporate structure. While tools for remote control of home appliances, home computer networks, file decryption, and remote mobile forensics do have commercial defensive applications, the absence of such advertised products strongly suggests an offensive use.
Threat actor designations and naming conventions typically track clusters of behavior, not the organizations carrying out operations. Successful attribution resolves a campaign back to its actual operators, like Hafnium or Fancy Bear. This report suggests that there are very likely other campaigns and activities, tracked under different names, which can be attributed to Shanghai Firetech. Their absence from the DOJ indictment of Zhang Yu and Xu Zewei may reflect a balance of equities on the part of the FBI: releasing in the indictment only what is popularly recognized as Hafnium and meets the relevant legal thresholds, while privately retaining intelligence on the company's other campaigns and tooling.
Context of the Chinese Cyber Contracting Ecosystem: A Tiered Structure
The DOJ, in its indictment against Xu Zewei and Zhang Yu, provided new insights into Beijing's contracting ecosystem. This system is characterized by a tiered structure for its offensive hacking outfits. At the lowest tier of the contracting ecosystem are "bottom feeders" like i-Soon. This company's leaked files and the U.S. indictment of its employees show a firm stuck in low-paying contracts with poor morale, often subcontracting to bigger, better firms. A step up from i-Soon might be its prime contractor and competitor, Chengdu404, whose founders were also indicted. Chengdu404 has stable business, works from multiple offices, and at one point was the country's most prolific APT. The tier of contractors the Beijing government holds closest consists of actors like Xu Zewei and Zhang Yu, who operate under the direct instruction of MSS offices such as the SSSB. However, the MSS has not completely abandoned state-run operations. Past DOJ indictments show that other MSS offices do indeed use front companies, as in the case of Wuhan Xiao Rui Zhi (Wuhan XRZ), established in 2010 by the Hubei State Security Department as a front company for state operations.
Geopolitical Impact and International Reaction
Hafnium's reckless behavior has significantly impacted foreign policy and unified the voices of the EU, UK, and US. While Hafnium gained fame following the revelation of its stealthy access to U.S. Government emails through an MES vulnerability known as ProxyLogon in March 2021, the group is often wrongly blamed for what happened next. The proliferation of ProxyLogon exploitation by lesser-tier threat groups led to such a dire situation that the DOJ received its first court authorization for the FBI to remove the resulting webshells en masse from compromised servers. Microsoft had alerted its Microsoft Advanced Protection Program partners to some POC code on February 23, and just five days later, on February 28, new Chinese state-affiliated and criminal hacking groups began exploiting the vulnerability at an immense scale. It remains unclear exactly how the exploit proliferated ahead of the patch.
This rapid dissemination and exploitation of the vulnerability prompted the U.S., U.K., and E.U. to issue their first ever joint statement condemning Beijing's actions in cyberspace in July 2021. This statement roiled CCP policymakers, who had previously fended off such joint decrees by convincing one E.U. state to reject such declarations, given that the E.U. requires unanimous consent for foreign policy statements. The fallout from the wanton abuse of the vulnerability thus upended Beijing's foreign policy success.
The joint statement so perturbed CCP policymakers that the country launched an offensive public opinion campaign against U.S. hacking operations that continues today. Before the July 2021 joint statement, Beijing did not coordinate cyber threat intelligence publications with state propaganda outlets. Following the statement, a pattern emerged of coordinated private-sector CTI reports, English-language propaganda pieces, and statements by the Beijing Ministry of Foreign Affairs. SentinelOne published a report detailing this change in February 2024, and the findings of that report are corroborated by a textbook on cybersecurity published by a committee of experts in the country. Beijing now regularly releases propaganda pieces alongside cyber threat intelligence reports; this change was prompted entirely by the U.S. success in unifying the European Union behind a joint statement, which itself was enabled by China's own behavior.