Silk Typhoon, a China-linked threat actor formerly known as Hafnium, has shifted its tactics significantly since its involvement in the exploitation of security flaws in Microsoft Exchange servers in January 2021. The group has transitioned its focus to targeting the IT supply chain as an initial means of accessing corporate networks. The Microsoft Threat Intelligence team has found that Silk Typhoon is now exploiting remote management tools and cloud applications to gain entry into victim systems. This shift represents a stealthier and more strategic approach: rather than directly exploiting vulnerabilities in systems like Microsoft Exchange, the group now targets the IT solutions and cloud infrastructure that organizations rely on, creating a foothold from which to conduct further attacks.
After successfully compromising a target, Silk Typhoon uses stolen keys and credentials to infiltrate customer networks, where they can abuse a variety of deployed applications. These include Microsoft services and other tools within the victim’s environment to meet their espionage objectives. This is particularly concerning because Silk Typhoon has demonstrated the ability to infiltrate networks across a wide range of sectors, including IT services, managed service providers (MSPs), remote monitoring companies, healthcare, legal services, higher education, defense, government, and NGOs globally. Their ability to exploit a variety of deployed applications suggests that their tactics are not only versatile but also highly efficient, enabling them to scale their operations quickly and effectively.
A particularly concerning tactic the group has developed involves abusing stolen API keys and credentials tied to privileged access management (PAM) systems, cloud app providers, and cloud data management companies. These tools enable Silk Typhoon to conduct supply chain attacks, compromising the networks of downstream customers who rely on these IT services. In late 2024, the threat actor was linked to reconnaissance and data collection activities on targeted devices via admin accounts, primarily focusing on the state and local government sectors and the IT industry. This activity highlights Silk Typhoon’s expertise in cloud infrastructure, which allows them to move laterally within compromised environments and execute commands to exfiltrate sensitive data from cloud-based platforms like OneDrive and SharePoint through the MSGraph API. This demonstrates a sophisticated understanding of cloud environments and of how attackers can exploit these technologies for broader access.
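The exfiltration pattern described above (a stolen application credential pulling files out of OneDrive or SharePoint through the Graph API) leaves a volume signature in the tenant's audit log. The following is an added detection example, not code from the article or from Microsoft: it compares each actor's daily FileDownloaded count against that actor's own baseline from earlier days and raises the severity when the actor is an application identity rather than an interactive user, since a service principal suddenly downloading hundreds of files is exactly what abuse of a stolen API key looks like. The record schema (`actor`, `actor_type`, `operation`, `workload`) and the sample records are constructed for the example and do not match any product's exact export format.

```python
"""Baseline-deviation detector for bulk cloud file downloads.

Added example (not from the article). Audit records are constructed JSON lines with an
assumed schema; the detection logic is the part worth reading.
"""
import json
from collections import defaultdict
from statistics import mean


def build_sample_records():
    """Construct synthetic audit records (not real data).

    - svc-backup-connector: an application identity that downloads 20 files/day for
      three days, then 300 on the fourth (what a stolen app credential being used for
      exfiltration would look like).
    - alice@example.com: a user with a steady 15 downloads/day (benign).
    """
    recs = []
    for day in range(1, 5):
        n_app = 20 if day < 4 else 300
        for i in range(n_app):
            recs.append({"time": f"2025-03-0{day}T10:{i // 60:02d}:{i % 60:02d}Z",
                         "actor": "svc-backup-connector", "actor_type": "application",
                         "operation": "FileDownloaded", "workload": "OneDrive",
                         "object": f"/finance/report-{i}.xlsx"})
        for i in range(15):
            recs.append({"time": f"2025-03-0{day}T11:00:{i:02d}Z",
                         "actor": "alice@example.com", "actor_type": "user",
                         "operation": "FileDownloaded", "workload": "SharePoint",
                         "object": f"/team/doc-{i}.docx"})
    return [json.dumps(r) for r in recs]


def detect_bulk_download(lines, abs_min=100, ratio=5.0):
    """Alert on actors whose latest-day download count is both >= abs_min and more than
    `ratio` times their mean daily count over the preceding days.

    Returns a list of alert dicts sorted by actor name.
    """
    daily = defaultdict(lambda: defaultdict(int))   # actor -> day -> count
    actor_type = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("operation") != "FileDownloaded":
            continue
        day = rec["time"][:10]                        # YYYY-MM-DD
        daily[rec["actor"]][day] += 1
        actor_type[rec["actor"]] = rec.get("actor_type", "user")

    alerts = []
    for actor, per_day in daily.items():
        days = sorted(per_day)
        if len(days) < 2:                             # no baseline yet; skip
            continue
        latest = days[-1]
        baseline = mean(per_day[d] for d in days[:-1])
        count = per_day[latest]
        if count >= abs_min and count > ratio * baseline:
            alerts.append({
                "actor": actor,
                "day": latest,
                "count": count,
                "baseline": baseline,
                # App-only access has no interactive user behind it, so a spike there
                # points at a stolen key/secret rather than a busy employee.
                "severity": "high" if actor_type[actor] == "application" else "medium",
            })
    return sorted(alerts, key=lambda a: a["actor"])


if __name__ == "__main__":
    for alert in detect_bulk_download(build_sample_records()):
        print(alert)
```

The absolute floor (`abs_min`) keeps low-volume actors from alerting on a jump from one file to six; the ratio catches the actor that is busy every day but suddenly far busier. In a real tenant the baseline window should be longer than three days and per-workload, and the response to a high-severity hit is to revoke the application's credential, not just the session.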
In addition to exploiting vulnerabilities in widely used applications like Ivanti Pulse Connect VPN and Palo Alto Networks firewalls, Silk Typhoon has been observed leveraging password spray attacks using leaked enterprise credentials found on public platforms like GitHub. These tactics are employed alongside zero-day vulnerabilities such as CVE-2025-0282, CVE-2024-3400, and CVE-2023-3519, among others, to maximize their chances of breaching targeted organizations.
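Password spraying, as mentioned above, has a recognisable shape in sign-in telemetry: one source tries many accounts a few times each, rather than one account many times. The following is an added example, not code from the article or from any vendor: it runs a sliding-window detector over constructed sign-in log lines, separates a spray from a single-account brute force, and reports any account the spraying source subsequently authenticated to, since that account is the one whose credential (leaked or guessed) now needs rotating. The CSV layout (`timestamp,user,source_ip,result`) is an assumed generic format; the thresholds are starting points, not vendor defaults.

```python
"""Password-spray detector over sign-in log lines (added example, not from the article).

Log format is an assumed generic CSV; the sample lines are constructed, not real events.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: 10.0.0.5 fails once against five accounts then succeeds on a sixth
# (a spray that landed); 10.0.0.9 hammers one account (brute force, not a spray);
# 10.0.0.7 is a normal successful sign-in.
SAMPLE_LOG = """timestamp,user,source_ip,result
2025-03-05T09:00:01Z,alice@example.com,10.0.0.5,failure
2025-03-05T09:00:04Z,bob@example.com,10.0.0.5,failure
2025-03-05T09:00:07Z,carol@example.com,10.0.0.5,failure
2025-03-05T09:00:10Z,dave@example.com,10.0.0.5,failure
2025-03-05T09:00:13Z,erin@example.com,10.0.0.5,failure
2025-03-05T09:00:16Z,frank@example.com,10.0.0.5,success
2025-03-05T09:01:00Z,bob@example.com,10.0.0.9,failure
2025-03-05T09:01:05Z,bob@example.com,10.0.0.9,failure
2025-03-05T09:01:10Z,bob@example.com,10.0.0.9,failure
2025-03-05T09:01:15Z,bob@example.com,10.0.0.9,failure
2025-03-05T09:01:20Z,bob@example.com,10.0.0.9,failure
2025-03-05T09:01:25Z,bob@example.com,10.0.0.9,failure
2025-03-05T09:05:00Z,alice@example.com,10.0.0.7,success
"""


def parse_events(text):
    """Parse the assumed CSV layout into dicts with a real datetime for windowing."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": row["user"].strip().lower(),
            "ip": row["source_ip"].strip(),
            "result": row["result"].strip().lower(),
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=3):
    """Return {source_ip: {"targets": [...], "successes": [...]}} for sources that, within
    any `window`, failed against at least `min_accounts` distinct accounts with no more
    than `max_per_account` failures on any one of them (the low-and-slow spray profile;
    a single account with many failures is brute force and is deliberately excluded).
    "successes" lists accounts the same source later signed in to successfully.
    """
    failures = defaultdict(list)
    successes = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)
        elif e["result"] == "success":
            successes[e["ip"]].add(e["user"])

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            counts = defaultdict(int)
            for e in evs[start:end + 1]:
                counts[e["user"]] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[ip] = {"targets": sorted(counts),
                              "successes": sorted(successes.get(ip, ()))}
                break   # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, detail in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, detail)
```

The `successes` list is the actionable output: a source that sprayed and then signed in as `frank@example.com` means that account's password is known to the attacker and should be reset and its sessions revoked, which is the same response that applies to credentials found leaked on public repositories.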
To conceal the origin of their activities, Silk Typhoon uses a “CovertNetwork” that consists of compromised devices, including Cyberoam appliances, Zyxel routers, and QNAP devices. These compromised devices are used to maintain persistence and ensure remote access to victim environments. This technique, combined with the use of various web shells, allows Silk Typhoon to continue their operations undetected and to exfiltrate data while maintaining access for future exploitation. The group’s ability to blend their malicious activities with legitimate network traffic is a hallmark of their advanced techniques, making them a significant and evolving threat to organizations worldwide.