Microsoft Warns of Silk Typhoon Hackers Attacking IT Supply Chain


Microsoft Threat Intelligence has identified a significant shift in tactics by Silk Typhoon, a Chinese state-sponsored espionage group that has begun targeting common IT solutions including remote management tools and cloud applications to gain initial access to organizational networks.

This well-resourced and technically efficient group holds one of the largest targeting footprints among Chinese threat actors, demonstrating the ability to quickly operationalize exploits for discovered zero-day vulnerabilities in edge devices.

Since late 2024, Silk Typhoon has been observed abusing stolen API keys and credentials associated with privileged access management (PAM), cloud app providers, and cloud data management companies.

This technique allows the threat actor to access downstream customer environments after compromising an initial target.

Microsoft researchers note that after successfully stealing API keys, the hackers access downstream customers and tenants, perform reconnaissance, collect sensitive data, and implant web shells for persistence.

The threat actor has demonstrated proficiency in understanding cloud environment configurations, enabling successful lateral movement, persistence establishment, and data exfiltration.

Their targeting scope is remarkably broad, affecting sectors including IT services, healthcare, legal services, higher education, defense, government agencies, non-governmental organizations, and energy companies primarily in the United States but extending worldwide.

In January 2025, Silk Typhoon was observed exploiting a zero-day vulnerability (CVE-2025-0282) in Ivanti Pulse Connect VPN. Microsoft promptly reported this activity to Ivanti, leading to rapid resolution of the critical vulnerability.

This action significantly reduced the window during which sophisticated threat actors could leverage the vulnerability.

Tradecraft and Detection

Once inside a victim network, Silk Typhoon employs sophisticated techniques to move laterally from on-premises environments to cloud infrastructure.

They typically dump Active Directory, steal passwords from key vaults, and escalate privileges. The group has specifically targeted Microsoft Entra Connect servers (formerly AADConnect) to gain access to both on-premises and cloud environments simultaneously.

The hackers have been observed manipulating service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via Microsoft Graph API.

In some cases, they gain access to existing applications that already have consent within the tenant, add their own passwords to these applications, and use this access to steal email information.

They carefully name created applications to blend into the environment by mimicking legitimate services or Office 365 themes.

Microsoft recommends organizations patch all public-facing devices immediately, validate that Ivanti Pulse Connect VPNs are updated to address CVE-2025-0282, audit privilege levels of all identities, monitor service principal sign-ins from unusual locations, and implement strong credential hygiene practices including multi-factor authentication.
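Two of the recommendations above, auditing credential additions to existing applications and watching service principal sign-ins from unusual locations, can be turned into simple detection logic. The following is an added example, not code from Microsoft or the article; it runs over constructed, simplified records, and the field names, operation name and baseline data are assumptions rather than the real Entra log schema.

```python
# Added example, not code from Microsoft or the article. It applies two of the
# detection ideas above to constructed, simplified log records. Field names
# (operation, target_app, country, ...) are assumptions, not the real schema.

CRED_OPS = {"Update application - Certificates and secrets management"}  # assumed name

# Constructed Entra-style audit events: who added credentials to which application
AUDIT_EVENTS = [
    {"operation": "Update application - Certificates and secrets management",
     "target_app": "Office 365 Mail Sync", "actor": "jdoe@contoso.example"},
    {"operation": "Update application - Certificates and secrets management",
     "target_app": "HR Portal", "actor": "app-admin@contoso.example"},
    {"operation": "Update application", "target_app": "HR Portal",
     "actor": "jdoe@contoso.example"},
]

# Constructed service-principal sign-ins (country of the calling IP, resource accessed)
SP_SIGNINS = [
    {"app": "HR Portal", "country": "US", "resource": "Microsoft Graph"},
    {"app": "Office 365 Mail Sync", "country": "US", "resource": "Microsoft Graph"},
    {"app": "Office 365 Mail Sync", "country": "ZZ", "resource": "Microsoft Graph"},
]

# Constructed baseline: identities expected to manage app credentials, and the
# countries each application's service principal has historically signed in from
APPROVED_CRED_MANAGERS = {"app-admin@contoso.example"}
LOCATION_BASELINE = {"HR Portal": {"US"}, "Office 365 Mail Sync": {"US"}}


def flag_credential_additions(events, approved=APPROVED_CRED_MANAGERS):
    """Credential added to an existing app by an identity outside the approved set."""
    return [
        (e["actor"], e["target_app"])
        for e in events
        if e["operation"] in CRED_OPS and e["actor"] not in approved
    ]


def flag_unusual_sp_signins(signins, baseline=LOCATION_BASELINE):
    """Service-principal sign-in from a country absent from that app's baseline."""
    return [
        (s["app"], s["country"], s["resource"])
        for s in signins
        if s["country"] not in baseline.get(s["app"], set())
    ]


if __name__ == "__main__":
    for finding in flag_credential_additions(AUDIT_EVENTS):
        print("credential added by non-approved identity:", finding)
    for finding in flag_unusual_sp_signins(SP_SIGNINS):
        print("service principal sign-in from unusual location:", finding)
```

In a real tenant the baseline would be built from historical sign-in data rather than hard-coded, and the approved set from the identities that legitimately own application credential management.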
