Patents by Silk Typhoon-linked company shed light on Beijing’s offensive hacking capabilities
Researchers have discovered more than 10 patents for powerful offensive cybersecurity technologies filed by a prominent Chinese company allegedly involved in Beijing’s Silk Typhoon campaign.
SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government.
The report focuses on intellectual property rights filings by Shanghai Firetech, a company the DOJ said works on behalf of the Shanghai State Security Bureau (SSSB). The company was allegedly involved in many of the Silk Typhoon attacks and was previously identified as part of the Hafnium attacks seen in 2021.
The researchers found previously unseen patents on offensive technologies tied to Shanghai Firetech, SentinelLabs expert Dakota Cary told Recorded Future News.
The findings suggest the company “serves other offensive missions not tied to the Hafnium cluster,” he said.
“The company also has patents on a variety of offensive tools that suggest the capability to monitor individuals' homes, like ‘intelligent home appliances analysis platform,’ ‘long-range household computer network intelligentized control software,’ and ‘intelligent home appliances evidence collection software,’ which could support surveillance of individuals abroad.”
Cary noted that intelligence agencies like the CIA are known to use similar tools.
Shanghai Firetech also filed patents for software for “remote” evidence collection, and for targeting routers and Apple devices, among other uses.
The patent covering Apple computers stood out to the researchers because it describes remotely recovering files from those devices, a capability not previously documented for any Hafnium-related threat actor.
SentinelLabs said the technologies “offer strong, often previously unreported offensive capabilities, from acquisition of encrypted endpoint data, mobile forensics, to collecting traffic from network devices.”
The Justice Department this month indicted two prominent hackers, Xu Zewei and Zhang Yu, who are accused of working with China’s Ministry of State Security (MSS) and its Shanghai bureau. The indictments said Xu and Zhang worked for two firms that had not previously been publicly attributed to the Hafnium/Silk Typhoon group.
Xu was arrested after flying into Milan on July 3, and prosecutors accused both men of being deeply involved in China’s cyberattacks on institutions working on COVID-19 vaccines throughout 2020 and 2021. The DOJ obtained emails from Xu to the Shanghai security bureau confirming he had acquired the contents of the COVID-19 researchers’ mailboxes.
The report details the difficulty incident responders, law enforcement and cybersecurity firms face in trying to attribute campaigns to specific threat actors now that China has moved to distance itself from damaging hacking campaigns that have roiled rivals and allies alike.
“The variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon publicly. The findings underline the difficulty in successfully attributing intrusions to the organizations responsible for them,” the researchers said.
“The capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium, despite being owned by the same corporate structure. It is possible that none of the tooling uncovered by this report was ever deployed in offensive operations.”
Hafnium gained prominence in 2021 for the campaign exploiting the Microsoft Exchange Server vulnerability known as ProxyLogon. The bug was used to steal troves of U.S. government emails and other data from large companies.
The DOJ said that through Hafnium, Beijing “targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.