Microsoft Unveils China-Backed Supply Chain Attacks on IT Providers

Mar 6, 2025

Microsoft recently published findings that Silk Typhoon, a China-backed espionage group, has been running supply chain attacks against IT and cloud service providers. The approach lets the group infiltrate and spy on downstream customers: compromising a single vendor yields a foothold into everyone that vendor serves. According to Microsoft Threat Intelligence, the group has concentrated on firms involved in privileged access management, cloud applications, and cloud data management. Using stolen API keys and credentials, Silk Typhoon has been able to conduct reconnaissance and collect data from customer environments, particularly those linked to U.S. government policy and law enforcement investigations.

Tactics and Techniques Employed by Silk Typhoon

The attackers have used several techniques in these intrusions, including resetting default admin accounts, implanting web shells, creating additional user accounts, and clearing logs on compromised devices. Their primary targets have been state and local governments and entities in the IT sector, with this activity dating back to late 2024. The campaign shows how far nation-state operations have moved beyond perimeter intrusion: once a vendor's credentials are in hand, the attacker is already inside the customer's trust boundary, so the defensive posture has to cover identities and permissions, not just the network edge.

Silk Typhoon also relies on password abuse, including password spraying and the use of credentials leaked on platforms such as GitHub. The group has repeatedly exploited zero-day vulnerabilities: in January 2025 Microsoft observed it exploiting CVE-2025-0282 in Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances. That flaw is Ivanti's product and Ivanti's fix; Microsoft reported the activity to Ivanti rather than discovering and patching the bug itself. Earlier, the group exploited flaws in Palo Alto Networks' PAN-OS GlobalProtect gateway (CVE-2024-3400) and in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519), and it has targeted Microsoft Exchange Server vulnerabilities since 2021.

Post-Compromise Moves and Concealment Strategies

Once Silk Typhoon compromises a system, its playbook is to pivot from the on-premises environment into the cloud. To escalate privileges it dumps Active Directory, steals secrets from key vaults, and targets AADConnect (now Entra Connect) servers, which hold the synchronization credentials that bridge on-premises Active Directory and Entra ID. To hide the activity it routes traffic through covert networks of compromised edge devices and abuses service principals and OAuth applications, which carry their own permissions and do not trigger the interactive sign-in controls applied to human users. That is how the group obtains administrative access to email, OneDrive, and SharePoint and keeps it, undetected, for extended periods.

In response, Microsoft has issued a set of recommendations. Administrators should patch the vulnerabilities known to be targeted by Silk Typhoon and put strong identity and permission controls in place so that legitimate applications cannot be misused. Good password hygiene and multi-factor authentication (MFA) remain essential. Beyond that, administrators should monitor activity involving Entra Connect, Microsoft Graph, and multi-tenant application authentications, the creation of new users and applications, and changes to VPN configurations, since each of these is a point where Silk Typhoon's post-compromise activity becomes visible.
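As an added example that is not from Microsoft's report, the following Python sketch turns those monitoring recommendations into concrete checks over constructed Entra ID audit and sign-in records. It flags the watched audit events (new users, new app registrations and service principals, credentials added to them, consent grants, role assignments), correlates a freshly created service principal with its first use of Microsoft Graph, and finds password spraying by counting distinct accounts that fail from one source address inside a short window. The record shapes are simplified and the activity names are assumptions to confirm against your own tenant's exports; the log lines are invented for the demonstration.

```python
"""Added example, not code from Microsoft's report: a small detector over
constructed Entra ID audit and sign-in records that flags the events the
report says to watch (new users, new apps and service principals, credentials
added to them, consent grants, Graph use by fresh principals) plus password
spraying from one source address."""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity display names as they commonly appear in Entra ID audit exports.
# Assumption: verify the exact strings against your own tenant's logs.
WATCHED_ACTIVITIES = {
    "Add user": "new user created",
    "Add application": "new app registration",
    "Add service principal": "new service principal",
    "Add service principal credentials": "credential added to service principal",
    "Update application - Certificates and secrets management": "credential added to app",
    "Consent to application": "consent granted to application",
    "Add member to role": "directory role assigned",
}

# Constructed sample audit records (simplified shape, not real tenant data).
AUDIT_LOGS = [
    {"time": "2025-01-20T03:02:11Z", "activity": "Add service principal",
     "actor": "svc-backup@contoso.example", "target": "sync-helper", "target_id": "sp-1001"},
    {"time": "2025-01-20T03:03:40Z", "activity": "Add service principal credentials",
     "actor": "svc-backup@contoso.example", "target": "sync-helper", "target_id": "sp-1001"},
    {"time": "2025-01-20T03:05:02Z", "activity": "Add member to role",
     "actor": "svc-backup@contoso.example", "target": "sync-helper", "target_id": "sp-1001"},
    {"time": "2025-01-20T09:15:00Z", "activity": "Update user",
     "actor": "helpdesk@contoso.example", "target": "alice@contoso.example", "target_id": "u-77"},
]

# Constructed sample sign-in records. status 0 = success; 50126 is the Entra
# error code for an invalid username or password.
SIGNIN_LOGS = [
    {"time": "2025-01-20T03:06:30Z", "principal_id": "sp-1001", "kind": "servicePrincipal",
     "resource": "Microsoft Graph", "ip": "203.0.113.9", "status": 0},
    {"time": "2025-01-20T08:00:00Z", "principal_id": "u-77", "kind": "user",
     "resource": "Office 365 Exchange Online", "ip": "192.0.2.10", "status": 50126},
] + [
    # six different accounts failing from one address within five minutes
    {"time": f"2025-01-20T04:0{i}:00Z", "principal_id": f"u-{i}", "kind": "user",
     "resource": "Office 365 Exchange Online", "ip": "198.51.100.7", "status": 50126}
    for i in range(6)
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_audit_events(records):
    """One finding per audit record whose activity is on the watch list."""
    return [{"time": r["time"], "why": WATCHED_ACTIVITIES[r["activity"]],
             "actor": r["actor"], "target": r["target"], "target_id": r["target_id"]}
            for r in records if r["activity"] in WATCHED_ACTIVITIES]


def new_principals_using_graph(audit, signins):
    """Service principals created in the audit log that later sign in to Microsoft Graph."""
    created = {r["target_id"]: parse(r["time"])
               for r in audit if r["activity"] == "Add service principal"}
    hits = []
    for s in signins:
        if s["kind"] == "servicePrincipal" and s["resource"] == "Microsoft Graph":
            t0 = created.get(s["principal_id"])
            if t0 is not None and parse(s["time"]) >= t0:
                hits.append((s["principal_id"], s["ip"], s["time"]))
    return hits


def password_spray_sources(signins, window=timedelta(minutes=10), min_users=5):
    """Source IPs with failed user sign-ins for >= min_users distinct accounts in one window."""
    by_ip = defaultdict(list)
    for s in signins:
        if s["kind"] == "user" and s["status"] != 0:
            by_ip[s["ip"]].append((parse(s["time"]), s["principal_id"]))
    sources = []
    for ip, events in by_ip.items():
        events.sort()
        for t, _ in events:  # slide a window starting at each failure
            users = {u for tt, u in events if t <= tt <= t + window}
            if len(users) >= min_users:
                sources.append((ip, len(users)))
                break
    return sources


if __name__ == "__main__":
    for f in flag_audit_events(AUDIT_LOGS):
        print(f"{f['time']} {f['why']}: {f['actor']} -> {f['target']}")
    print("new principals touching Graph:", new_principals_using_graph(AUDIT_LOGS, SIGNIN_LOGS))
    print("possible password spray from:", password_spray_sources(SIGNIN_LOGS))
```

The useful signal is the chain, not any single event: a service principal created at 3 a.m. by a backup account, given a credential and a directory role within minutes, and then calling Microsoft Graph from an address the tenant has never seen is exactly the OAuth-application abuse described above. In a real deployment the same logic runs against the audit and sign-in tables in your SIEM and the thresholds are tuned to the tenant's normal churn.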

Rising Threat and Proactive Defense Strategies

The pattern is what makes supply chain compromise attractive to an espionage actor: a single provider of privileged access management, cloud applications, or cloud data management is a foothold into every downstream customer, and stolen API keys and credentials do the rest without a single exploit against the final target. Silk Typhoon's focus on organizations tied to U.S. government policy and law enforcement investigations makes the intelligence aim clear and raises the stakes for national security. For IT and cloud service providers, the consequence is that their own identity, credential, and application-permission hygiene is part of their customers' security, and should be defended and monitored accordingly.
