
Microsoft Threat Intelligence has uncovered a strategic shift in the tactics of Silk Typhoon, a Chinese state-backed cyber-espionage group. This well-resourced threat actor is now exploiting IT supply chains by targeting remote management tools, cloud applications, and privileged access management (PAM) solutions to gain unauthorized access to enterprise networks.
According to Microsoft’s report, “Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments.”
Silk Typhoon’s latest attacks focus on compromising IT service providers and infrastructure companies, including remote monitoring and management (RMM) firms, managed service providers (MSPs), and cloud data management platforms. By infiltrating these key supply chain components, the attackers can indirectly access the downstream networks of multiple organizations.
Since late 2024, Silk Typhoon has been observed “abusing stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies”, which allows them to move laterally and compromise additional targets. The targeted sectors include:
- State and local governments
- IT service providers and cloud infrastructure companies
- Healthcare, legal, and higher education institutions
- Defense and energy sectors
Silk Typhoon is known for rapidly operationalizing zero-day vulnerabilities in edge devices and exploiting unpatched applications. Microsoft notes that “Silk Typhoon has pursued initial access attacks against targets of interest through the development of zero-day exploits or discovering and targeting vulnerable third-party services and software providers.”
One recent example includes the exploitation of a zero-day vulnerability in Ivanti Pulse Connect VPN (CVE-2025-0282) in January 2025. By gaining initial access, the attackers attempt to escalate privileges, exfiltrate sensitive data, and maintain persistence through sophisticated techniques, including:
- Password spraying and leaked credential abuse: The group was found using “password spray attacks and other password abuse techniques, including discovering passwords through reconnaissance.”
- Web shell implants and admin account takeovers: Silk Typhoon has deployed web shells to execute commands, maintain persistence, and exfiltrate data from compromised networks.
- Manipulation of cloud applications: The attackers have been observed abusing “service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph.”
- Targeting Active Directory environments: Microsoft notes that “Silk Typhoon has been observed targeting Microsoft AADConnect servers,” a critical tool used to sync on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). A successful compromise could allow attackers to control both on-prem and cloud environments.
To evade detection, Silk Typhoon has increasingly relied on covert networks. Microsoft tracks these as “CovertNetwork”, which consists of compromised Cyberoam appliances, Zyxel routers, and QNAP devices used to disguise malicious activity. The use of such infrastructure enables the attackers to mask their true origins and make attribution more challenging.
Silk Typhoon has a long history of exploiting high-profile vulnerabilities to compromise enterprise environments. Microsoft has observed the group targeting unpatched versions of:
- Microsoft Exchange servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
- Palo Alto Networks GlobalProtect Gateway (CVE-2024-3400)
- Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519)
These exploits have enabled the attackers to deploy web shells, maintain persistent access, and steal sensitive data from victim networks.
Microsoft has issued direct notifications to affected organizations and provided security guidance to help mitigate the threat.