Chinese Hackers Target SentinelOne in Broader Espionage Campaign
Mon | Jun 9, 2025 | 2:53 PM PDT

Chinese government-backed hackers attempted, and failed, to breach cybersecurity firm SentinelOne in what experts call a textbook example of long-term espionage tradecraft aimed at high-value targets. The intrusion attempts were detailed in a new report from SentinelOne's research arm, SentinelLABS, which also uncovered broader campaigns affecting dozens of organizations across the globe.

According to the firm, the threat actors are part of a larger China-nexus operation tracked as PurpleHaze and ShadowPad, with activity observed between July 2024 and March 2025. While SentinelOne itself was not compromised, one of its IT vendors was targeted in a separate intrusion, emphasizing the growing risk of supply chain exploitation.

"The objective of these efforts appears to be long-term persistent access to high-value targets," the report notes, "particularly entities in sectors that align with strategic Chinese interests including defense, logistics, and media."

SentinelOne attributed the activity to state-sponsored threat actors with links to groups previously identified as APT15 and UNC5174.

"The attackers invested considerable effort in infrastructure acquisition and operational security. They operated at a slow cadence, used novel malware loaders, and attempted to minimize noise—all hallmarks of a patient, well-resourced threat actor."

Aiming for the defenders

The report's most striking revelation may not be the failure of the attackers, but rather the fact that they targeted a cybersecurity company. SentinelOne's visibility into its systems allowed it to detect reconnaissance efforts and prevent lateral movement from its compromised vendor.

"What SentinelOne is seeing now is classic China-nexus activity," said Craig Jones, VP of Security Operations at Ontinue. "We saw the same playbook during the Pacific Rim attacks—stealthy implants, edge device compromises, and a focus on long-term access to high-value infrastructure. This isn't new—it's a continuation of a well-honed strategy."

This incident follows a pattern: targeting vendors and security firms can offer attackers disproportionate access to downstream clients and national infrastructure. SentinelOne said that other targets of the broader campaign include a South Asian government entity, a European media organization, and more than 70 critical infrastructure organizations.

A call for coordinated defense

Security leaders say these kinds of intrusions emphasize the importance of vigilance, layered defenses, and real-time intelligence sharing.

"SentinelOne has long been on the leading edge of tracking China-nexus actors," said Casey Ellis, Founder of Bugcrowd. "What's needed is vigilance and information sharing—both general awareness and technical-level indicators."

Heath Renfrow, CISO and Co-founder at Fenix24, argues that the U.S. government must go further than current measures like executive orders and indictments. He advocates for a mandatory vendor audit framework, operational coordination centers, and clear offensive deterrence policies that include economic consequences for adversarial states.

"China's strategy is patient and long-term," Renfrow said. "Our response must be equally sustained, strategic, and unapologetically proactive."
