SentinelLABS researchers have uncovered a trove of more than 10 patents filed by Chinese companies directly linked to the notorious Silk Typhoon hacking group (formerly known as Hafnium), revealing sophisticated cyber espionage tools that extend far beyond the group’s publicly known capabilities.
The discovery follows a July 2025 Department of Justice indictment that exposed new details about China’s Ministry of State Security (MSS) contracting ecosystem for offensive cyber operations.
Patent Portfolio Reveals Advanced Forensic Arsenal
Shanghai Firetech Information Science and Technology Company, operated by indicted hacker Zhang Yu, filed patents for an extensive range of intrusive technologies, including “Apple computer comprehensive evidence collection software,” “remote automated evidence collection software,” and “router intelligent evidence collection software.”
The patents describe capabilities for remotely accessing encrypted endpoint data, conducting mobile device forensics, and extracting traffic from network infrastructure.
Particularly concerning are patents for tools designed to support potential human intelligence operations, including “intelligent home appliances analysis platform,” “long-range household computer network intelligentized control software,” and “intelligent home appliances evidence collection software.”
These capabilities suggest the group may be developing tools for close-access operations against individual targets, representing a significant evolution from traditional network intrusion methods.
Additional patents cover “specially designed computer hard drive decryption software,” “remote cellphone evidence collection software,” and “network information security actual confrontation practice software,” indicating ongoing development of offensive cyber capabilities that have not been publicly attributed to the Silk Typhoon group.
DOJ Indictment Exposes Chinese State Security Connections
The July 2025 indictment of hackers Xu Zewei and Zhang Yu revealed their direct collaboration with Shanghai State Security Bureau (SSSB), a regional office of China’s MSS.
Zhang Yu supervised hacking activities at Shanghai Firetech while coordinating operations with Xu Zewei, who worked at Shanghai Powerock Network Company.
This direct tasking relationship represents the highest tier of China’s cyber contracting ecosystem, where trusted contractors receive specific operational tasking from MSS officers.
The relationship contrasts sharply with lower-tier contractors like i-Soon, whose leaked internal communications showed poor morale and low-paying contracts.
Shanghai Firetech maintained a subsidiary in Chongqing that hired up to 25 college interns in 2018, suggesting operations extending beyond Shanghai’s jurisdiction.
Attribution Challenges and Hidden Capabilities
The patent discoveries highlight critical gaps in threat actor attribution.
While cybersecurity researchers track Silk Typhoon through observed attack patterns, the company’s intellectual property portfolio reveals capabilities, including Apple device compromise tools, that have never been documented in public threat intelligence reports.
This suggests either unreported campaigns or tools developed for other MSS regional offices, underscoring the difficulty of comprehensive threat actor attribution in an ecosystem where the same corporate structures may support multiple state security operations.





