Chinese companies linked to the state-sponsored hacking group known as Silk Typhoon (aka Hafnium) have been identified as being behind more than a dozen technology patents, shedding light on the shadowy cyber contracting ecosystem and its offensive capabilities.

The patents cover forensics and intrusion tools that enable encrypted endpoint data collection, Apple device forensics, and remote access to routers and smart home devices, SentinelOne said in a new report shared with The Hacker News.

"This new insight into the Hafnium-affiliated firms' capabilities highlights an important deficiency in the threat actor attribution space: threat actor tracking typically links campaigns and clusters of activity to a named actor," Dakota Cary, China-focused strategic advisor for SentinelLabs, said.

"Our research demonstrates the strength in identifying not only the individuals behind attacks, but the companies they work for, the capabilities those companies have, and how those capabilities fortify the initiatives of the state entities who contract with these firms."

The findings build upon the U.S. Department of Justice's (DoJ) July 2025 indictment of Xu Zewei and Zhang Yu, who, working on behalf of China's Ministry of State Security (MSS), are accused of orchestrating the widespread exploitation campaign in 2021 aimed at Microsoft Exchange Server using then-zero-days dubbed ProxyLogon.

Court documents alleged that Zewei worked for a company named Shanghai Powerock Network Co. Ltd., while Yu was employed at Shanghai Firetech Information Science and Technology Company, Ltd. Both individuals are said to have operated under the discretion of the Shanghai State Security Bureau (SSSB).

Interestingly, Natto Thoughts reported that Powerock deregistered its business on April 7, 2021, a little over a month after Microsoft pointed fingers at China for the zero-day exploitation activity. Zewei would then go on to join Chaitin Tech, another prominent cybersecurity firm, only to change jobs again and begin working as an IT manager at Shanghai GTA Semiconductor Ltd.

It's worth mentioning at this stage that Yin Kecheng, another hacker tied to Silk Typhoon who was indicted by the U.S. in March 2025, is said to have been employed at a third Chinese firm named Shanghai Heiying Information Technology Company, Limited, which was established by Zhou Shuai, a Chinese patriotic hacker and purported data broker.

"Shanghai Firetech worked on specific tasking handed down from MSS officers," Cary explained. "Shanghai Firetech and co-conspirators earned an on-going, trusting relationship with the MSS's premier regional office, the SSSB."

"This 'directed' nature of the relationship between the SSSB and these two companies contours the tiered system of offensive hacking outfits in China."

Further investigation into the web of connections between the individuals and their companies has uncovered patents filed by Shanghai Firetech and Shanghai Siling Commerce Consulting Center, a firm jointly founded by Yu and Yin Wenji, CEO of Shanghai Firetech, to collect "evidence" from Apple devices, routers, and defensive equipment.

There is also evidence to suggest that Shanghai Firetech is engaged in developing solutions that could enable close access operations against individuals of interest.

"The variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon publicly," Cary said. "The capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium, despite being owned by the same corporate structure."
