SentinelOne Alerts on Rising Chinese Cyber Threats

Summary
– SentinelOne warns that cybersecurity vendors are increasingly targeted by threat actors and calls for greater industry transparency and collaboration.
– The company revealed two China-linked cyber operations: “PurpleHaze” (October 2024) involving APT15 and UNC5174, and a broader campaign (July 2024-March 2025) attributed to APT41.
– PurpleHaze involved reconnaissance on SentinelOne servers and exploited Ivanti zero-days, while APT41’s campaign used ShadowPad malware in a supply chain attack via a supplier.
– Both operations utilized operational relay box (ORB) networks and public hacking tools, making attribution and tracking difficult.
– SentinelOne emphasizes the need for constant vigilance, robust monitoring, and rapid response capabilities to counter these sophisticated threats.

SentinelOne has issued a stark warning about escalating cyber threats linked to Chinese state-sponsored actors, calling for increased transparency and cooperation across the cybersecurity industry. The alert follows the company’s investigation into two sophisticated campaigns targeting both its own systems and dozens of global organizations.
The first operation, codenamed PurpleHaze, involved reconnaissance activities against SentinelOne’s internet-facing servers in October 2024. Researchers tied the attack to APT15 (Ke3Chang/Nylon Typhoon), a notorious cyber-espionage group with ties to China, alongside UNC5174, an initial access broker believed to work for Chinese government interests. Beyond SentinelOne, victims included a South Asian government agency compromised using the GOREshell backdoor and tools from The Hacker’s Choice (THC). The attackers also leveraged chained Ivanti zero-day vulnerabilities (CVE-2024-8963 and CVE-2024-8190) to infiltrate networks.
Notably, the campaign relied on an operational relay box (ORB) network, a tactic increasingly favored by Chinese threat actors. These dynamic infrastructures allow groups to rapidly shift their attack infrastructure, complicating detection and attribution efforts. SentinelOne emphasized that ORB networks are becoming a hallmark of China-linked cyber operations.
The second incident, spanning July 2024 to March 2025, impacted approximately 70 organizations worldwide and was attributed to APT41. This group attempted a supply chain attack by targeting a SentinelOne vendor, an IT services provider, using the ShadowPad malware platform, disguised with the ScatterBrain obfuscation tool. Initial access likely involved exploiting Check Point gateways, though evidence also pointed to compromised Fortinet, Microsoft IIS, SonicWall, and CrushFTP servers communicating with ShadowPad command-and-control systems.
The findings highlight a troubling trend: cybersecurity firms themselves are now prime targets for nation-state actors. SentinelOne stressed the importance of real-time monitoring, threat intelligence sharing, and rapid incident response to counter these advanced threats. Craig Jones, VP of Security Operations at Ontinue, noted parallels to past Chinese operations, describing the tactics as part of a longstanding strategy focused on persistent access to critical infrastructure.
As attacks grow more brazen, the cybersecurity community faces mounting pressure to fortify defenses and collaborate against these well-resourced adversaries. SentinelOne’s report serves as a sobering reminder that no organization, not even those tasked with protecting others, is immune to these evolving threats.
(Source: InfoSecurity Magazine)