China-linked hackers exploited Ivanti flaws to hit European media firm, SentinelOne says

by Edwin O.
October 9, 2025
in Cybersecurity

SentinelOne has disclosed a global hacking campaign run by China-linked actors that also targeted SentinelOne itself through reconnaissance and supply chain attempts, which the company says failed. The cybersecurity firm found that the threat actors exploited the Ivanti vulnerabilities CVE-2024-8963 and CVE-2024-8190 to compromise a European media organization in September 2024, just days before the vulnerabilities were publicly disclosed.

SentinelOne uncovers a major China-nexus espionage campaign

Chinese government-backed actors attempted to breach the security firm SentinelOne by probing one of its servers and compromising one of its IT vendors. SentinelOne examined the persistent attempts against its systems and found that the same China-linked hackers had also gone after government and critical infrastructure bodies around the world. The recently published research draws attention to security firms themselves as some of the leading targets.

The PurpleHaze and ShadowPad activity clusters, which are partially linked to each other, carried out numerous attacks on different targets between July 2024 and March 2025: a South Asian government organization, a European media organization, and over 70 organizations in manufacturing, government, finance, telecom, research, energy, food and agriculture, healthcare, and engineering.

The attackers already show advanced vulnerability exploitation capability

The hackers behind the theft of information from the European media organization used infrastructure with Chinese links and chained two Ivanti vulnerabilities, CVE-2024-8963 and CVE-2024-8190, that had not yet been disclosed. SentinelOne said the tactics were consistent with UNC5174, an initial access and vulnerability exploitation contractor working for China's Ministry of State Security.

Several attack vectors in the cybersecurity vendor ecosystem

The breach of the government agency in South Asia took place in October 2024, the same month in which the hackers carried out reconnaissance against one of SentinelOne’s internet-facing servers, with related attacks following in the subsequent months. SentinelOne said those intrusions were attributed to the same actor because of “significant overlap in the management of the infrastructure, the creation and practices of naming of domains, etc.”

The hackers behind the three attacks used similar tools, such as the GOREshell backdoor and open-source tools from the group known as The Hacker’s Choice (THC). According to SentinelOne, these attacks were the first instances in which it had seen nation-state actors using THC tools. Through the compromise of the hardware supplier that handled physical disks, the attackers could have done serious damage to SentinelOne.

Attribution links activities to established Chinese APT groups

SentinelOne said it is highly confident that China-nexus actors were behind the PurpleHaze and ShadowPad activity. SentinelOne believes the hackers compromised nearly all of these 70 organizations, although the dwell time differed considerably from victim to victim. The investigation identified two major clusters of activity, named PurpleHaze and ShadowPad, spanning industries such as government, finance, telecommunications, and critical infrastructure around the world.

Cybersecurity vendors turn into high-value targets

“Cybersecurity firms have become important targets for threat actors, as they play an important defensive role, provide access to client environments, and can also disrupt the threat actor’s operations,” wrote researchers.

The research highlights how critical it is for cybersecurity vendors to continually monitor their own environments, detect advanced state actors, and respond quickly to any attempted intrusion. SentinelOne’s findings show how serious China-related cyber espionage has become, as well-resourced actors target critical infrastructure and cybersecurity vendors worldwide with rare technical sophistication.

The zero-day use of the Ivanti vulnerabilities points to a well-organized threat actor with strong technical skills. The case underlines the importance of supply chain security and should make cybersecurity firms more vigilant toward nation-state adversaries who see these companies as valuable targets for intelligence collection and operational compromise.

© 2025 by Global Current News