SentinelOne Foils China-Linked Breach, Traces Hackers to 70 Plus Global Victims
Endpoint-security vendor SentinelOne says a failed break-in at its own systems has led investigators to a sprawling espionage campaign that quietly penetrated dozens of government and critical-infrastructure networks across five continents.
How the Plot Unravelled
- October 2024, Recon on SentinelOne: Attackers mapped one of the company’s internet-facing servers in a “stage-one” probe, which SentinelOne attributes to PurpleHaze, a China-nexus threat cluster linked to the long-running espionage crew APT15.
- Early 2025, Supply-Chain Intrusion: Weeks later the same operatives slipped into an IT-services provider that manages SentinelOne hardware, this time deploying the modular ShadowPad backdoor. The firm says no customer environments were compromised.
- Victimology: Forensic pivoting from the two incidents exposed more than 70 organisations, ranging from a South Asian government ministry to a European media conglomerate, targeted between July 2024 and March 2025. Affected sectors include energy, manufacturing, finance, telecoms and research.
Playbook and Toolset
| Tool or Technique | Purpose | Notable Use |
|---|---|---|
| GoReShell backdoor | Reverse-SSH tunnelling backdoor written in Go | Used in the South Asian government attack |
| ShadowPad malware | Modular post-exploitation platform | Deployed in the supply-chain vendor hack, overlapping with APT15 tradecraft |
| THC open-source utilities | Lateral movement and privilege gain | First recorded nation-state use of tools from The Hacker’s Choice collective |
| Ivanti CSA zero-days (CVE-2024-8963 and CVE-2024-8190) | Pre-auth code execution for initial access | Chained during the media-company breach, indicating UNC5174 involvement |
Why Security Vendors Are Prime Targets
Breaching a security firm offers attackers outsized returns. Access to product roadmaps, detection logic and customer deployments can help adversaries craft stealthier exploits against downstream victims. SentinelOne’s researchers note that cybersecurity companies sit at the crossroads of visibility and trust, making them irresistible to nation-state operators.
What Comes Next
- Patching Urgency: CISA urges organisations to apply the Ivanti CSA fixes and hunt for GoReShell and ShadowPad artefacts in their networks.
- Supply-Chain Scrutiny: The incident underscores growing attacker focus on third-party IT providers as gateways to better-defended targets.
- Threat-Intel Collaboration: SentinelOne is sharing indicators of compromise with CERTs worldwide to contain further spread.
SentinelOne’s quick detection averted damage to its customers, yet the episode is a fresh reminder that even companies dedicated to stopping breaches must constantly defend against them.