
Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
By exploiting unpatched applications and leveraging stolen credentials, the group gains access to downstream customer environments, enabling extensive cyber-espionage activities.
This development follows Silk Typhoon’s suspected involvement in the December 2024 breach of the U.S. Treasury Department. That attack exploited a vulnerability in BeyondTrust’s Remote Support SaaS product, allowing hackers to reset passwords and access unclassified government documents. The Treasury oversees critical financial systems, making it a high-value target for state-sponsored cyber-espionage.
Silk Typhoon’s evolving tactics
Silk Typhoon — one of the most active Chinese threat actors — has been tracked by Microsoft since 2020. The group is known for swiftly weaponizing newly discovered zero-day vulnerabilities in edge devices. Their latest campaign, ongoing since late 2024, focuses on breaching IT service providers, remote monitoring and management (RMM) firms, and cloud data management companies.
Rather than directly attacking Microsoft cloud services, the hackers exploit security weaknesses in widely used IT solutions to gain initial access. Once inside, they escalate privileges using stolen API keys and credentials, granting them access to their victims' networks. Their activities include:
- Targeting cloud and IT service providers – Using compromised API keys to infiltrate connected customer environments.
- Stealing sensitive data – Conducting reconnaissance on government policy, legal proceedings, and intelligence-related documents.
- Deploying persistence mechanisms – Using web shells, admin account resets, and credential theft to maintain long-term access.
- Exploiting Microsoft Entra Connect – Gaining elevated privileges to move laterally between on-premises and cloud environments.
Microsoft's research also links Silk Typhoon to past attacks exploiting zero-day vulnerabilities in widely used enterprise software, including products from Ivanti, Palo Alto Networks, Citrix, and Microsoft itself.
The latest zero-day exploitation is CVE-2025-0282, impacting Ivanti Pulse Connect VPNs. Microsoft says the threat actors exploited the flaw as a zero-day in January 2025, before Ivanti released a security patch.
CVE-2023-3519 in Citrix NetScaler Gateway and CVE-2024-3400 in Palo Alto Networks GlobalProtect Gateway endpoints were leveraged by Silk Typhoon operatives in early 2024 to gain unauthorized access and execute code on compromised devices.
To mask their operations, Silk Typhoon routes traffic through compromised devices, including Cyberoam appliances, Zyxel routers, and QNAP storage systems, making attribution more challenging.
As Silk Typhoon continues to refine its tactics, targeting IT infrastructure at a supply chain level, organizations must remain vigilant and ensure they have patched all known vulnerabilities through timely application of security updates.