Failed attack on SentinelOne reveals campaign by China-linked groups

Following a failed attack on its infrastructure, SentinelOne reported June 9 that its researchers observed in a follow-up investigation that China-nexus threat actors PurpleHaze and ShadowPad launched attacks into more than 70 organizations worldwide.

The attacks targeted the manufacturing, government, finance, telecom and research sectors across North America, South America, Europe, Africa, and South Asia, according to SentinelOne's blog.

“This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors,” wrote the SentinelOne researchers.

Heath Renfrow, co-founder at CISO at Fenix24, said the SentinelOne incident underscores a long-standing truth in cybersecurity: defenders are high-value targets, especially those with access to proprietary security tooling, threat intelligence, and client infrastructure.

“The PRC’s consistent use of advanced tradecraft and strategic targeting of security vendors like SentinelOne is not surprising, it’s an extension of their broader cyber-espionage doctrine, where compromising trusted nodes provides disproportionate leverage in downstream operations,” said Renfrow. “China’s strategy is patient and long-term. Our response must be equally sustained, strategic, and unapologetically proactive.”

Renfrow said while the U.S. has taken stronger stances through executive orders, international cyber alliances, and increased private-sector collaboration, it must go further. He said here’s what’s still needed:

Mandatory breach disclosure and vendor audit frameworks for all critical infrastructure sectors, including third-party risk exposure.

A unified threat intelligence fusion center between government and vetted private incident responders — not just information sharing, but operational coordination.

Clear offensive deterrence doctrine, backed by public attribution and economic consequences, not just indictments that rarely lead to arrests.

Tim Peck, senior threat researcher at Securonix, added that while the U.S. has no doubt begun addressing the threat posed by the state-sponsored group through initiatives like CISA advisories and public/private threat intelligence sharing, these steps remain purely reactive.

“A more proactive stance is needed, which includes mandatory cybersecurity standards for vendors that support critical infrastructure, especially when it comes to the integrity of national security,” said Peck. “Additionally, expanding federal investment into more proactive aspects of cybersecurity, such as threat hunting and routine table top exercises, which incorporate scenarios that address potential supply chain attacks, can help harden security teams in the event of future intrusions."

Nic Adams, founder and CEO at 0rcus, said SentinelOne found these China-nexus groups conducting synchronized reconnaissance across a global espionage matrix designed to harvest high-value intel and stage potential disruptions across sovereign networks. Adams said the recon patterns against a South Asian government and European media illustrate cross-regional campaigns which aim to map both digital and geopolitical fault lines.

“The U.S. needs to start using/hiring black hat hackers, integrate threat-hunting coalitions sharing IOC telemetry in real-time, mandate adversarial-resilience certifications for every vendor, and fund joint red-blue-purple-black exercises that simulate multi-pronged supply-chain attacks against national-scale critical infrastructure,” said Adams.