FlagThis - #unc5174

SentinelOne, a cybersecurity firm, has revealed that it was the target of a year-long reconnaissance campaign by China-linked espionage groups, identified as APT15 and UNC5174. This campaign, dubbed "PurpleHaze," involved network reconnaissance and intrusion attempts, ultimately aiming to gather strategic intelligence and potentially establish access for future conflicts. SentinelOne discovered the campaign when the suspected Chinese spies tried to break into the security vendor's own servers in October 2024. The attempted intrusion on SentinelOne's systems failed, but it prompted a deeper investigation into the broader campaign and the malware being used.

The investigation revealed that over 70 organizations across multiple sectors globally were targeted, including a South Asian government entity and a European media organization. The attacks spanned from July 2024 to March 2025 and involved the use of ShadowPad malware and post-exploitation espionage activity. These targeted sectors include manufacturing, government, finance, telecommunications, and research. The coordinated attacks are believed to be connected to Chinese government spying programs.

SentinelOne has expressed high confidence that the PurpleHaze and ShadowPad activity clusters can be attributed to China-nexus threat actors. This incident underscores the persistent threat that Chinese cyber espionage actors pose to global industries and public sector organizations. The attack on SentinelOne also highlights that cybersecurity vendors themselves are prime targets for these groups, given their deep visibility into client environments and ability to disrupt adversary operations. SentinelOne recommends that more proactive steps are taken to prevent future attacks.


References :

• The Register - Security: Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs
• hackread.com: Chinese-Linked Hackers Targeted 70+ Global Organizations, SentinelLABS
• www.scworld.com: FAILED ATTACK ON SENTINELONE REVEALS CAMPAIGN BY CHINA-LINKED GROUPS
• The Hacker News: Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Cyber Espionage Group
• www.cybersecuritydive.com: SentinelOne rebuffs China-linked attack — and discovers global intrusions
• SecureWorld News: Chinese Hackers Target SentinelOne in Broader Espionage Campaign
• securityaffairs.com: China-linked threat actor targeted +70 orgs worldwide, SentinelOne warns
• Cyber Security News: New Report Reveals Chinese Hackers Targeted to Breach SentinelOne Servers
• www.sentinelone.com: The security firm said the operatives who tried to breach it turned out to be responsible for cyberattacks on dozens of critical infrastructure organizations worldwide.
• BleepingComputer: SentinelOne shares new details on China-linked breach attempt
• cyberpress.org: A newly published technical analysis by SentinelLABS has exposed a sophisticated, multi-phase reconnaissance and intrusion campaign orchestrated by Chinese-nexus threat actors, aimed explicitly at SentinelOne’s digital infrastructure between mid-2024 and early 2025.
• gbhackers.com: New Report Reveals Chinese Hackers Attempted to Breach SentinelOne Servers
• industrialcyber.co: SentinelOne links ShadowPad and PurpleHaze attacks to China-aligned threat actors

Classification:

• HashTags: #CyberEspionage #APT15 #UNC5174
• Company: SentinelOne
• Target: Global organizations
• Attacker: China-linked
• Product: SentinelOne
• Feature: Network reconnaissance
• Malware: ShadowPad
• Type: Espionage
• Severity: Major