Eric Geller@cybersecuritydive.com
SentinelOne, a cybersecurity firm, has revealed that it was the target of a year-long reconnaissance campaign by China-linked espionage groups, identified as APT15 and UNC5174. This campaign, dubbed "PurpleHaze," involved network reconnaissance and intrusion attempts, ultimately aiming to gather strategic intelligence and potentially establish access for future conflicts. SentinelOne discovered the campaign when the suspected Chinese spies tried to break into the security vendor's own servers in October 2024. The attempted intrusion on SentinelOne's systems failed, but it prompted a deeper investigation into the broader campaign and the malware being used.
The investigation revealed that over 70 organizations across multiple sectors globally were targeted, including a South Asian government entity and a European media organization. The attacks spanned from July 2024 to March 2025 and involved the use of ShadowPad malware and post-exploitation espionage activity. The targeted sectors include manufacturing, government, finance, telecommunications, and research. The coordinated attacks are believed to be connected to Chinese government spying programs. SentinelOne has expressed high confidence that the PurpleHaze and ShadowPad activity clusters can be attributed to China-nexus threat actors. This incident underscores the persistent threat that Chinese cyber espionage actors pose to global industries and public sector organizations. The attack on SentinelOne also highlights that cybersecurity vendors themselves are prime targets for these groups, given their deep visibility into client environments and their ability to disrupt adversary operations. SentinelOne recommends that organizations take more proactive steps to prevent future attacks.
Sergiu Gatlan@BleepingComputer
SentinelOne experienced a significant service disruption on May 29th that lasted approximately seven hours, impacting enterprise customers globally. According to a root-cause analysis released by the company, the outage was triggered by a software flaw within an infrastructure control system. This flaw led to the unintended removal of critical network routes and DNS resolver rules, resulting in widespread loss of network connectivity. SentinelOne has emphasized that the disruption was not the result of a cyberattack, but rather a software glitch in an automated process.
The company explained that the flaw occurred during the transition of its production system to a new cloud-based architecture built on infrastructure-as-code principles. A control system slated for deprecation was triggered by the creation of a new account. A software flaw in its configuration comparison function misidentified discrepancies and incorrectly applied what it believed to be the correct configuration state, overwriting the existing network settings. While customer endpoints remained protected, security teams were unable to access management consoles and other related services. The incident primarily affected enterprise customers, hindering their ability to manage security operations and access important data. SentinelOne assured customers that their endpoints continued to operate without interruption and that no security data was lost. Federal customers, including those using GovCloud, were unaffected, though they were notified as a precaution. The company has provided a detailed timeline of the outage, which began at 9:37 a.m. ET and was resolved by 4:05 p.m. ET, and is taking steps to prevent future occurrences.