Cybersecurity researchers at Microsoft Threat Intelligence have observed that Silk Typhoon, also known as HAFNIUM, a Chinese espionage group known for its technical skill, is now using common IT solutions as a gateway into networks. Instead of relying solely on critical vulnerabilities in high-profile systems, the group is turning its attention to everyday tools such as remote management applications and cloud services.
The shift in tactics matches changes seen in other sophisticated espionage groups worldwide. A report in May 2024 described how Russian state-backed hackers were moving away from custom payloads in favour of readily available malware, and a report in August 2024 found Iranian hackers collaborating with ransomware gangs in attacks against the United States.
Exploiting Vulnerabilities
Traditionally, Silk Typhoon took advantage of rare zero-day vulnerabilities by scanning for exposed public-facing devices such as firewalls and VPN appliances. Vulnerabilities it is known to have exploited include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the 2021 Microsoft Exchange Server zero-days. Recent activity, however, indicates that the group is now also targeting widely used solutions that many organizations depend on, including remote management tools and cloud applications.
While Microsoft says it has not seen its own cloud services directly targeted, Silk Typhoon is taking advantage of unpatched applications to breach systems. The group is known for misusing stolen keys and login credentials to compromise a target and then using that foothold to pivot into other systems the victim relies on, including Microsoft services, where it looks in particular for information related to US government policy and legal matters.
Changing Tactics
The group’s change in tactics affects several sectors, ranging from government and healthcare to IT services and education. By attacking common IT tools, Silk Typhoon takes advantage of the fact that many organizations, including those with otherwise up-to-date security measures, may overlook these everyday applications. Once inside, it uses various techniques to move across networks, access sensitive data, and even tamper with email and data storage services.
Microsoft therefore recommends a few key steps to defend against Silk Typhoon. First, keep all systems and software updated, as unpatched vulnerabilities are often the easiest entry points for attackers. Strong authentication practices, such as multi-factor authentication (MFA) and unique passwords, add an extra layer of protection against unauthorized access.
For system administrators, monitoring network and account activity can also help detect unusual behaviour, such as unexpected administrative changes, which could signal a breach. Additionally, organizations should carefully manage API keys and service credentials, restricting their scope and lifetime wherever possible to prevent attackers from exploiting them.
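To make the last two recommendations concrete, here is an added example of the kind of review an administrator can run over an audit log to surface unexpected administrative changes and over-broad service credentials. This is illustrative code written for this page, not Microsoft's tooling; the log format, role names, networks and policy thresholds are all constructed assumptions, and the sample events are invented. A real deployment would read the directory or cloud provider's audit log instead of the inline string.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events. The schema is hypothetical; real audit logs
# carry far more fields, but these are the ones the checks below need.
SAMPLE_LOG = """
{"ts":"2025-03-05T09:12:00Z","actor":"alice@corp.example","op":"AddRole","target":"bob@corp.example","role":"Global Administrator","ip":"10.20.1.5"}
{"ts":"2025-03-05T02:41:00Z","actor":"svc-backup@corp.example","op":"AddRole","target":"svc-backup@corp.example","role":"Global Administrator","ip":"203.0.113.77"}
{"ts":"2025-03-05T02:43:00Z","actor":"svc-backup@corp.example","op":"AddServicePrincipalCredential","target":"app-mailsync","expires":"2027-03-05T02:43:00Z","ip":"203.0.113.77"}
{"ts":"2025-03-05T11:00:00Z","actor":"alice@corp.example","op":"AddServicePrincipalCredential","target":"app-reporting","expires":"2025-06-03T11:00:00Z","ip":"10.20.1.5"}
{"ts":"2025-03-05T11:05:00Z","actor":"alice@corp.example","op":"UpdateUser","target":"carol@corp.example","ip":"10.20.1.5"}
"""

# Assumed policy baseline (constructed for the example).
ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator", "Application Administrator"}
APPROVED_ADMINS = {"alice@corp.example"}       # accounts allowed to grant admin roles
CORP_NETWORKS = ("10.",)                       # internal address-space prefixes
CHANGE_WINDOW = (8, 18)                        # UTC hours in which privileged changes are expected
MAX_CREDENTIAL_LIFETIME = timedelta(days=180)  # service credentials must rotate at least twice a year


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def findings_for(event):
    """Return the reasons an event deserves review (empty list means nothing unusual)."""
    reasons = []
    ts = _parse_ts(event["ts"])
    op = event["op"]

    # Admin role grants: who did it, and did they grant it to themselves?
    if op == "AddRole" and event.get("role") in ADMIN_ROLES:
        if event["actor"] not in APPROVED_ADMINS:
            reasons.append("admin role granted by non-approved actor")
        if event["actor"] == event["target"]:
            reasons.append("self-granted admin role")

    # Any privileged change: where from, and when?
    if op in ("AddRole", "AddServicePrincipalCredential"):
        if not event["ip"].startswith(CORP_NETWORKS):
            reasons.append("privileged change from outside corporate address space")
        if not (CHANGE_WINDOW[0] <= ts.hour < CHANGE_WINDOW[1]):
            reasons.append("privileged change outside change window")

    # New service credentials: a long-lived secret is a long-lived foothold if stolen.
    if op == "AddServicePrincipalCredential":
        if _parse_ts(event["expires"]) - ts > MAX_CREDENTIAL_LIFETIME:
            reasons.append("service credential lifetime exceeds policy")

    return reasons


def review(text):
    """Map (timestamp, operation, target) -> reasons for every event worth a look."""
    flagged = {}
    for ev in parse_events(text):
        reasons = findings_for(ev)
        if reasons:
            flagged[(ev["ts"], ev["op"], ev["target"])] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in review(SAMPLE_LOG).items():
        print(key, "->", "; ".join(reasons))
```

Run against the constructed log, the review flags only the two 02:4x events: a service account granting itself Global Administrator from an external address, then minting a two-year credential on an application. The legitimate daytime changes by an approved administrator pass. The checks are deliberately simple rules over a baseline; the point is that the baseline (approved actors, networks, change window, credential lifetime) has to exist before "unexpected" can be detected at all.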