
Compromising a cybersecurity company would grant hackers insights into thousands of protected environments. A SentinelOne report details how threat actors go to great lengths to gain access.
“We don’t just study attacks, we experience them firsthand, levied against us. Our teams face the same threats we help others prepare for, and that proximity to the front lines shapes how we think, and how we operate,” SentinelOne said in a new report.
For cybersecurity vendors, it is practically taboo to talk about being targeted, the firm notes.
Yet real-world attacks put constant pressure on vendors’ own environments, and that pressure drives continuous improvement by confirming which defenses work and exposing which do not.
“In the past several months alone, we’ve observed and defended against a spectrum of attacks ranging from financially motivated crimeware to tailored campaigns by advanced nation-state actors,” the company details.
North Korea (DPRK)-affiliated IT workers run one of the most prolific and persistent adversary campaigns. The SentinelOne team has tracked around 360 fake personas and over 1,000 job applications linked to them.
Fake workers applied for roles at the cybersecurity company, even attempting to secure positions on the intelligence engineering team investigating them.
The other persistent threat is Chinese government-sponsored hacking. A threat actor using the ShadowPad backdoor targeted SentinelOne’s supply chain, compromising a third-party provider that manages hardware logistics for the company.
“We identified a large collection of victim organizations compromised using ScatterBrain-obfuscated ShadowPad. Between July 2024 and March 2025, this malware was used in intrusions at over 70 organizations across various regions globally, spanning sectors such as manufacturing, government, finance, telecommunications, and research,” SentinelOne said.
Ransomware is a third major threat. The Nitrogen ransomware group used social engineering against “lightly vetted resellers” to obtain legitimate product licenses. Criminals actively seek access to security platforms (such as SentinelOne’s EDR) so they can disable defenses, test their malware against the product, and tune it to evade detection.
The Black Basta ransomware group has also been observed testing its tools across multiple endpoint security platforms, including SentinelOne, CrowdStrike, Carbon Black, and Palo Alto Networks, before launching attacks.
“For the right price, aspiring threat actors continually attempt to obtain time-bound or persistent access to our EDR platform and administrative consoles. Well-known cybercrime forums are filled with vendors openly advertising such access, and just as many buyers actively seeking it,” the report reads.
The lessons learned help to harden operational security and supply chain monitoring. The report underscores the necessity of maintaining real-time awareness over internal assets and adjacent service providers.