SentinelOne Reports Chinese Hackers Tried to Spy on Company and Clients
Cybersecurity company SentinelOne has revealed that a group of hackers linked to the Chinese government tried to break into its systems and gather information about the company and some of its most important customers.
The hacker group, called PurpleHaze, first caught SentinelOne’s attention in 2024 during an incident involving a company that handled equipment for SentinelOne employees.
PurpleHaze is believed to have loose ties to another Chinese state-linked hacking group known by several names, including APT15 and Nickel, which has a long record of government espionage.
In one case, the hackers targeted a South Asian government organization in October 2024. They planted a backdoor, a hidden program that gives them remote control of a compromised computer and quietly sends data back to servers they control. They routed that traffic through a relay network of intermediary computers so the activity was harder to trace back to them.
SentinelOne also discovered that the same organization had been attacked earlier, in June 2024, with a different spying tool known as ShadowPad. ShadowPad is a backdoor shared among several Chinese hacking groups and has occasionally been used to deliver ransomware, software that encrypts files and demands payment for the key. It is not yet confirmed that both intrusions came from the same group, but they appear to be connected.
In those attacks ShadowPad was disguised with an obfuscation tool called ScatterBrain, which makes the malware harder for security products to detect and for analysts to examine. More than 70 organizations in industries such as manufacturing, government, finance, and research may have been affected. The attackers likely got in by exploiting vulnerabilities in specific network security devices made by Check Point.
The victims included the company that handled hardware logistics for SentinelOne employees, but SentinelOne says there is no sign that its own systems were compromised.
Other Threats: Fake Job Applicants and Ransomware Gangs
SentinelOne also said it has had to deal with attempts by North Korean operatives to get hired at the company under fake identities. It tracked more than 1,000 fraudulent job applications, some of them aimed at positions on its own threat intelligence team.
On top of that, ransomware groups, criminals who break into systems and extort payment, have been working out how to get past security tools like those made by SentinelOne. Some of them buy or rent access to these tools through underground forums and messaging channels in order to study them.
One group, called Nitrogen, goes further. Rather than using stolen logins, it poses as a legitimate company, setting up fake websites, email addresses, and documents to persuade software resellers to sell it genuine security products.
Nitrogen's methods are very convincing, SentinelOne's researchers said. The group targets smaller resellers that do not always verify their customers carefully, which makes it easier to slip through.
There is also a growing underground service that lets criminals test their malware against security products to see whether it is detected, so they can fine-tune it before using it in real attacks.