Recent investigations have revealed that several Chinese technology firms with connections to the state-sponsored hacking group Silk Typhoon (also known as Hafnium) have filed more than 15 patents related to advanced cyber espionage tools. The patents in question cover a wide array of capabilities, including tools for encrypted data extraction from endpoints, forensics on Apple devices, and remote access and control over routers and smart home infrastructure. The documented technologies reveal that these firms possess not only the expertise to conduct cyber intrusions but also the intent to expand their technical prowess well beyond what has previously been attributed to Silk Typhoon.
Individuals and Companies Under Scrutiny
This information comes in the wake of indictments issued by the U.S. Department of Justice (DoJ) in July 2025 against Xu Zewei and Zhang Yu. According to the indictments, both individuals played direct roles in facilitating the notorious exploitation of Microsoft Exchange Servers (the ProxyLogon vulnerabilities) in 2021 on behalf of China’s Ministry of State Security (MSS). Xu Zewei was associated with Shanghai Powerock Network Co. Ltd., while Zhang Yu worked for Shanghai Firetech Information Science and Technology Company, Ltd. Both organizations reportedly operated under directives from the Shanghai State Security Bureau (SSSB).
Evolving Corporate Relationships and State Links
Following the public exposure of the Exchange Server attack and Microsoft’s attribution of the activity to Chinese actors, Shanghai Powerock was deregistered in April 2021. Xu Zewei subsequently joined Chaitin Tech and later moved to Shanghai GTA Semiconductor Ltd. Investigators have traced other Silk Typhoon-linked individuals, such as Yin Kecheng, to companies like Shanghai Heiying Information Technology Company, Ltd., established by Zhou Shuai, a prominent data broker and former patriotic hacker.
Evidence suggests that Shanghai Firetech, in particular, undertook explicit assignments from MSS officers and developed a cooperative relationship with the SSSB. These connections illustrate the tiered workforce structure that characterizes China’s approach to “directed” cyber operations—whereby private sector companies are directly contracted to perform state-sponsored offensive tasks.
Patent Portfolio and Broader Tool Distribution
Shanghai Firetech and the Shanghai Siling Commerce Consulting Center (founded by Zhang Yu and Yin Wenji, CEO of Shanghai Firetech) have filed patents for technologies designed to collect and analyze evidence from Apple platforms, routers, and other digital security devices. There are also indications that Shanghai Firetech is developing tools for close-access operations, which enable compromise through physical proximity to target systems.
Notably, the suite of offensive tools attributed to Shanghai Firetech exceeds the capabilities publicly linked to Silk Typhoon or Hafnium operations. It is believed that some of these toolsets have been distributed to multiple regional MSS offices, which further complicates attribution and demonstrates the breadth of involvement by state-linked enterprises.