Dive Brief:
- Chinese government-backed hackers tried and failed to breach security firm SentinelOne by surveilling one of its servers and hacking one of its IT vendors, SentinelOne said in a report published Monday.
- In investigating the failed attempts to breach its systems, SentinelOne discovered that the China-linked hackers had targeted a wide range of government and critical infrastructure organizations around the world.
- The newly published research highlights the fact that security firms themselves are often top targets.
Dive Insight:
SentinelOne’s report focuses on two clusters of activity: an October 2024 reconnaissance campaign against one of its internet-facing servers, which the company attributed to the PurpleHaze threat actor it first disclosed in April, and an early 2025 intrusion into an IT services firm that manages hardware for SentinelOne, which the company tied to ShadowPad, a backdoor shared among several China-linked espionage groups.
“The PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between July 2024 and March 2025,” SentinelOne researchers wrote. “The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors.” Those sectors include manufacturing, government, finance, telecommunications, research, energy, technology, food and agriculture, healthcare and engineering, according to a SentinelOne spokesperson.
Based on SentinelOne’s observations, the company believes that the China-linked hackers breached all of those 70-plus organizations, the spokesperson said, although dwell time varied “significantly” between victims, with some intrusions lasting “for extended periods” and a few being remediated quickly.
The attackers could have done significant damage at SentinelOne with the access gained by hacking its hardware supplier, the spokesperson said. “They could have used such business access to infect employee laptops ... before [being] shipped to homes, compromise OS images, or act as any sort of collection source for employee location and personal details.”
SentinelOne said it had high confidence that China was responsible for the PurpleHaze and ShadowPad activity. “We loosely associate some PurpleHaze intrusions with actors that overlap with the suspected Chinese cyberespionage groups publicly reported as APT15 and UNC5174,” the company said.
The attempt to breach the South Asian government entity came in October 2024, the same month that hackers connected to SentinelOne’s internet-facing server to perform reconnaissance for follow-up attacks. SentinelOne said it linked those intrusions to the same actor (or to a single third party supplying infrastructure to separate actors) based on “significant overlaps in infrastructure management, as well as domain creation and naming practices.”
A few weeks before those two attacks, SentinelOne observed China-linked operatives hacking a European media company. All three of these operations involved similar tools, including the GOREshell backdoor and open-source tools provided by a collective called The Hacker’s Choice (THC). SentinelOne said these attacks were the first time it had seen nation-state operatives using THC tools.
The operatives who breached the European media firm used infrastructure associated with China and chained together two Ivanti Cloud Services Appliance (CSA) vulnerabilities, CVE-2024-8963 and CVE-2024-8190, that had not yet been publicly disclosed at the time of the intrusion. SentinelOne said that tactic suggested the involvement of UNC5174, a suspected contractor for China’s Ministry of State Security that specializes in initial access and vulnerability exploitation. CISA warned in January that threat actors were chaining the two flaws alongside other Ivanti CSA vulnerabilities.
SentinelOne said it was highlighting the PurpleHaze and ShadowPad activity to raise awareness of how often hackers target security vendors.
“Cybersecurity companies are high-value targets for threat actors due to their protective roles, deep visibility into client environments, and ability to disrupt adversary operations,” researchers wrote. “The findings detailed in this post highlight the persistent interest of China-nexus actors in these organizations.”
Editor’s note: This article has been updated with comments from a SentinelOne spokesperson.