The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications. The group’s strategic aim is to gain initial access to victim organizations, allowing them to further infiltrate networks and perform sophisticated espionage operations.
Since 2020, Silk Typhoon has become one of the most formidable Chinese state-backed threat actors. Their activities demonstrate a high level of resourcefulness and technical expertise, allowing them to exploit vulnerabilities rapidly. Their threat intelligence tactics are centered around discovering and leveraging zero-day vulnerabilities in information technology infrastructures, particularly public-facing devices that remain unpatched. Their swift operational tempo and opportunistic approach make them one of the most active and dangerous cyber espionage groups in the world.
While Microsoft has not yet observed Silk Typhoon targeting their cloud services directly, the group exploits unpatched software applications to elevate their access and extend their reach across organizational networks. Once a victim is compromised, the group gains access to sensitive information and tools, using stolen credentials to abuse applications—some of which include Microsoft services—to meet their espionage objectives.
Silk Typhoon Targets a Wide Range of Sectors
The scope of Silk Typhoon’s attacks is expansive, targeting a variety of sectors, including information technology, defense, government, healthcare, energy, legal services, education, and non-governmental organizations (NGOs) across the globe. These attacks are not confined to any specific region, as Silk Typhoon has been observed targeting organizations in both the United States and internationally. Their activity suggests that the group is especially interested in sectors that hold sensitive data or play a critical role in global infrastructure.
Their sophisticated understanding of cloud environments allows them to move laterally through victim networks with ease. This capability helps the group maintain persistence, escalate privileges, and exfiltrate valuable data rapidly. Microsoft Threat Intelligence has tracked the activities of Silk Typhoon since 2020, providing crucial insights into the group’s operational methods, which include using web shells to execute commands and persistently maintain access in compromised environments.
Compromise of IT Supply Chains
Recent research from Microsoft Threat Intelligence, which began tracking Silk Typhoon in late 2024, reveals new tactics employed by the group. One of the most interesting changes has been the group’s compromise of the IT supply chain, using stolen API keys and credentials to gain access to third-party service providers. These compromises have given Silk Typhoon a foothold into downstream customer environments. In particular, they have targeted sectors such as privileged access management (PAM), cloud app providers, and cloud data management companies.
Once they gain access through these API keys, Silk Typhoon performs reconnaissance on victim devices and harvests valuable data. The group has specifically shown interest in information related to U.S. government policy, law enforcement investigations, and legal processes that are of strategic value to China’s geopolitical interests. Other methods employed by Silk Typhoon during their post-compromise activities include resetting admin accounts, implanting web shells, creating new users, and clearing system logs to hide their tracks.
Password Spray and Abuse
In addition to exploiting software vulnerabilities, Silk Typhoon has demonstrated proficiency in abusing weak password practices to gain access. The group has used password spray attacks, where attackers try commonly used passwords across many accounts, and other password abuse techniques. Silk Typhoon has also been observed conducting reconnaissance using publicly available data, such as leaked corporate passwords found on repositories like GitHub.
The exploitation of these vulnerabilities often serves as the first step in Silk Typhoon’s attack chain, granting them initial access to victim environments. Once inside, they proceed with lateral movement tactics, utilizing compromised credentials and stealing data across both on-premises and cloud systems. Notably, Silk Typhoon has been observed targeting Microsoft AADConnect servers, which synchronize on-premises Active Directory with Azure Active Directory (AAD), allowing them to escalate privileges and move between environments.
Cloud Environments and Data Exfiltration
A key aspect of Silk Typhoon’s operations involves infiltrating cloud environments. Once the group has compromised an on-premises environment, they escalate their access to cloud environments by targeting service principals and OAuth applications with administrative permissions. This access enables them to steal email data via MSGraph API, and, in some cases, compromise Exchange Web Services (EWS) to steal email data.
In some cases, Silk Typhoon has been seen creating Entra ID applications designed to mimic legitimate services within the environment, such as Office 365. These efforts are part of their broader strategy to exfiltrate data, move across different tenants, and conduct further espionage activities without detection.
Conclusion
Silk Typhoon’s reliance on covert networks, such as the CovertNetwork, which includes compromised devices like Cyberoam appliances, Zyxel routers, and QNAP devices, enables them to obfuscate their activities and maintain a low profile while exfiltrating data from victim environments.
As nations and organizations increasingly depend on cloud technologies and complex IT infrastructures, Silk Typhoon’s ability to exploit these systems highlights the need for better cybersecurity defenses.