SentinelOne Exposes China’s Contractor Network, Linking MSS & Hafnium to 15+ Stealthy Surveillance Patents
A new report from SentinelOne casts a revealing light on a lesser-known yet extensive facet of China’s cyber-espionage apparatus: the contractor infrastructure tied to the threat group Silk Typhoon (also known as Hafnium), which operates under the aegis of China’s Ministry of State Security (MSS).
According to the publication, several Chinese companies affiliated with this group have registered at least fifteen patents encompassing a broad range of technologies aimed at covert data collection and remote access to digital systems.
These patents cover tools for conducting forensic operations on encrypted endpoints, analyzing Apple devices, and remotely managing routers and smart home components. SentinelOne asserts that this activity highlights not only the technical sophistication of state-aligned entities, but also the orchestrated, multi-tiered contractor network developed around regional MSS bureaus.
The investigation was prompted by a July 2025 indictment by the U.S. Department of Justice against Xu Zewei and Zhang Yu, both accused of participating in the mass exploitation campaign targeting Microsoft Exchange Server vulnerabilities in 2021—an operation that leveraged the infamous ProxyLogon exploit chain.
Court documents reveal that Xu was employed at Shanghai Powerock Network Co., Ltd., while Zhang worked for Shanghai Firetech Information Science and Technology Co., Ltd. Both firms operated under the oversight of the Shanghai State Security Bureau (SSSB).
Notably, Powerock was officially dissolved in April 2021—just one month after China was publicly accused of perpetrating the Exchange Server attacks. Xu subsequently joined Chaitin Tech, a prominent Chinese cybersecurity firm, before moving on to a managerial IT role at Shanghai GTA Semiconductor.
Silk Typhoon’s operational trail also leads to a third company: Shanghai Heiying Information Technology Co., Ltd., which is associated with hacker Yin Kecheng. This firm was founded by Zhou Shuai, a participant in Chinese hacker communities who once branded himself as a “patriot” and a data broker within the black market.
As detailed in the SentinelOne report, Shanghai Firetech executed tasks directly assigned by MSS operatives, and its operational profile suggests deeply entrenched, systematic links with the SSSB. This model—where state-aligned companies are selectively granted contracts—reveals a clear hierarchy of subcontractors with delineated responsibilities and access privileges.
An examination of patent filings further uncovered that, in addition to filings under Shanghai Firetech's name, submissions were made under the name of Shanghai Siling Commerce Consulting Center, a joint venture between Zhang Yu and Yin Wenji, the general manager of Firetech. These filings describe tools for extracting data from Apple devices, routers, and network infrastructure components. Some patents hint at capabilities tailored for operations requiring physical access to hardware.
The report’s authors emphasize that the toolkit available to Firetech appears far more expansive than what has previously been attributed to Hafnium or Silk Typhoon. Moreover, it is plausible that some of these capabilities have been shared with other MSS branches, quietly reinforcing the broader state-aligned ecosystem without explicit references to Hafnium, yet firmly embedded within the same corporate and operational architecture.