China-backed threat actors, including notorious groups APT15 and UNC5174, launched a series of attacks targeting over 70 high-value organizations across various sectors between July of last year and March of the current year.
SentinelOne’s threat research arm, SentinelLabs, has been actively tracking this malicious activity, categorizing it under the name PurpleHaze and identifying it as part of a broader ShadowPad operation. Their investigation revealed two specific instances in which SentinelOne itself was affected. The first, in October, involved the PurpleHaze activity, characterized by threat actors conducting “extensive remote reconnaissance” on internet-accessible SentinelOne servers. The second, at the beginning of this year, was connected to ShadowPad malware and focused on a third-party organization responsible for managing hardware logistics for SentinelOne employees.
Upon discovering the intrusion at the logistics provider, SentinelOne acted swiftly. “We promptly informed the IT services and logistics organization of the intrusion details,” the SentinelLabs researchers stated. They immediately initiated a comprehensive investigation into SentinelOne’s internal infrastructure, software, and hardware assets. This thorough examination found “no evidence of compromise” within SentinelOne’s direct systems.
Despite the lack of direct internal compromise, SentinelOne remains uncertain of the attackers’ ultimate goal in targeting the logistics provider. While the immediate focus might have been the third-party organization itself, Chinese threat actors are known for their tactic of establishing footholds in one entity to extend their reach to downstream organizations. This possibility remains a concern and underscores the interconnected nature of cyber threats.
The targeting of cybersecurity vendors like SentinelOne highlights what the company views as an under-discussed aspect of the current threat landscape. Cybersecurity companies are particularly attractive targets for threat actors due to their crucial role in protecting clients, their deep visibility into diverse network environments, and their ability to disrupt malicious operations. SentinelOne emphasized this point, stating, “Cybersecurity companies are high-value targets for threat actors due to their protective roles, deep visibility into client environments, and ability to disrupt adversary operations.”
SentinelOne is advocating for greater transparency and collaboration within the cybersecurity industry regarding these types of attacks. Their objective in publicly disclosing these incidents is to “contribute to strengthening industry defenses by promoting transparency and encouraging collaboration.” They believe that sharing information about these campaigns helps to “destigmatize sharing of [indicators of compromise] related to these campaigns, and thus contribute to a deeper understanding of the tactics, objectives, and operational patterns of China-nexus threat actors.”
The two primary groups linked to these attacks, APT15 and UNC5174, have a long history of malicious activity. APT15, active for over two decades with periods of dormancy and resurgence, has recently been observed targeting Chinese ethnic populations and foreign ministries in both North and South America. UNC5174, previously documented by Mandiant, is believed to operate as a contractor for the Chinese government, focusing on Western countries including the United States, the United Kingdom, and Canada.
In addition to defending itself, SentinelOne also tracked a significant number of other intrusions by either APT15 or UNC5174 during the eight-month period between July and March. These intrusions affected a diverse range of targets, including a South Asian government entity and a European media organization, in addition to the more than 70 organizations across various sectors mentioned earlier. These sectors included manufacturing, government, finance, telecommunications, and research.
The findings from this series of attacks by China-backed actors highlight the relentless nature of the threat landscape. SentinelOne emphasizes the critical need for all organizations, especially cybersecurity vendors, to maintain a high level of vigilance, implement robust monitoring capabilities, and have effective and rapid response plans in place to defend against such sophisticated attacks.
“By publicly sharing details of our investigations,” the SentinelLabs researchers wrote, “we aim to provide insight into the rarely discussed targeting of cybersecurity vendors, helping to destigmatize sharing of [indicators of compromise] related to these campaigns, and thus contribute to a deeper understanding of the tactics, objectives, and operational patterns of China-nexus threat actors.” This collaborative approach, they argue, is essential to building stronger collective defenses against persistent and advanced threat actors operating on behalf of nation-states.