Cyber Espionage: Unpacking Recent Attacks on SentinelOne and Other Targets
Background on the Intrusions
Between July 2024 and March 2025, a significant series of cyber intrusions targeting various organizations, including the American cybersecurity firm SentinelOne, came to light. These breaches appear to form part of a wider landscape of digital espionage activity. SentinelOne researchers Aleksandar Milenkoski and Tom Hegel noted that the targets were diverse, ranging from a government agency in South Asia to a European media organization, with more than 70 businesses across multiple sectors affected.
Targeted Sectors
The sectors impacted by these cyberattacks were varied, encompassing manufacturing, government, finance, telecommunications, and research. Notably, an IT services company responsible for logistics for SentinelOne’s employees was also among the victims of the breaches in early 2025. This diverse targeting indicates a strategic approach by the attackers to maximize their reach across different industries.
Attribution of the Attacks
SentinelOne researchers have high confidence in attributing these activities to actors connected to China. Some of these attacks are associated with a threat cluster identified as PurpleHaze, which overlaps with known Chinese cyber espionage groups, such as APT15 and UNC5174. This connection is critical for understanding the broader implications of state-sponsored cyber activities.
Initial Disclosure and Reconnaissance
In late April 2024, SentinelOne first revealed reconnaissance activities that targeted certain internet-facing servers. These servers were intentionally accessible due to specific operational needs. Researchers indicated that the focus of these reconnaissance efforts was to assess server availability, likely in preparation for more aggressive attacks in the future.
Complexity of the Attack Clusters
An extensive investigation has uncovered six distinct activity clusters, denoted from A to F, dating back to the initial breach of a South Asian government entity in June 2024. This timeline reveals a methodical approach to cyber intrusions, with the activities occurring in phases:
- Activity A: Compromise of a South Asian government entity (June 2024)
- Activity B: A series of attacks targeting various organizations globally (July 2024 to March 2025)
- Activity C: Attack on the IT services and logistics firm (early 2025)
- Activity D: Follow-up intrusion on the same South Asian government entity (October 2024)
- Activity E: Reconnaissance efforts focused on SentinelOne servers (October 2024)
- Activity F: Breach of a prominent European media organization (late September 2024)
These clusters illustrate the systematic way in which the threat actors operated, targeting a range of entities, some related to one another and others independent.
The Technical Landscape of the Breaches
During the June 2024 attack on the South Asian government entity, the attackers deployed ShadowPad, a malware family that in this case had been obfuscated with the ScatterBrain obfuscator. This tooling overlaps with several recent campaigns in which ShadowPad has been associated with ransomware, particularly a variant known as NailaoLocker, which has been deployed by exploiting vulnerabilities in Check Point gateway devices.
The subsequent attack in October 2024 involved not just repurposing ShadowPad but also implementing a new backdoor dubbed GoReShell. This Go-based reverse shell allows attackers to connect to infected hosts using SSH. Notably, this tool has been reported in conjunction with the earlier attack on the European media outlet.
Utilization of Specialized Tools
Interestingly, the tools employed in these attacks, especially those linked to The Hacker’s Choice (THC), represent a significant evolution in cyber threats. This is a rare instance of software developed by a group of security researchers being co-opted for malicious purposes, indicating a level of sophistication typical of state-sponsored attacks.
The Role of Networking Infrastructure
Activity F has been associated with a China-linked actor that maintains loose ties to an access broker referred to as UNC5174, as tracked by Google Mandiant. This group has been implicated in exploiting vulnerabilities in systems like SAP NetWeaver to deploy GOREVERSE, a variant of GoReShell. The involvement of operational relay boxes deployed from China demonstrates a well-planned infrastructure aimed at sustaining these cyber operations.
Conclusion
The ongoing investigations and findings highlight a complex web of cyber espionage activities relevant to national security and corporate integrity. SentinelOne’s detailed reports reveal a level of sophistication and planning that is increasingly characteristic of state-sponsored cyber actors. Keeping abreast of such developments is essential for companies and governments alike attempting to navigate the challenging landscape of cyber threats.