Silk Typhoon Breaches Microsoft Cloud Security

Microsoft has reported on the changing tactics of the Chinese cyber-espionage group Silk Typhoon, which is now targeting remote management tools and cloud services in supply chain attacks. This approach gives the attackers deeper access to the downstream customers of the providers they compromise.

The company has confirmed that the attacks have affected a range of sectors, including government institutions, IT services, healthcare, defense, education, NGOs, and energy. Silk Typhoon exploits vulnerabilities in unpatched applications to escalate privileges and carry out malicious actions on compromised systems. The group then uses stolen keys and credentials to move into customer networks through vulnerabilities in widely used services.

Previously, Silk Typhoon was known for attacks on the US Office of Foreign Assets Control (OFAC) in December 2024 and on the Committee on Foreign Investment in the United States (CFIUS). The group has now begun using stolen API keys and credentials to gain access to IT providers, identity and privileged access management solutions, and remote monitoring and management tools. It also scans GitHub repositories and other public resources for leaked keys and passwords.

In the past, the attackers targeted organizations directly through vulnerabilities in edge devices, web shells, and compromised VPN and RDP connections. The new approach, going through managed service providers (MSPs), lets them operate stealthily in cloud environments, stealing Active Directory credentials and abusing OAuth applications.

Silk Typhoon has reduced its use of malware and web shells, focusing instead on cloud services to steal data and cover its tracks. Microsoft has observed the group exploiting vulnerabilities, including zero-days, for initial access. Most recently, it exploited a critical vulnerability in Ivanti Pulse Connect VPN (CVE-2025-0282) to escalate privileges and penetrate corporate networks.

In 2024, the group targeted vulnerabilities in Palo Alto Networks GlobalProtect (CVE-2024-3400) and in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519). Microsoft also uncovered Silk Typhoon’s “CovertNetwork,” a hidden infrastructure of compromised Cyberoam, Zyxel, and QNAP devices used to launch attacks and obscure the group’s origin.

To defend against these attacks, Microsoft recommends that administrators apply the updated indicators of compromise and detection rules published in its report. Doing so can significantly reduce the risk of compromise and of large-scale breaches.
