China-linked 'Silk Typhoon' Hackers Access Commvault Cloud Environments

Chinese hackers known as Silk Typhoon have compromised the cloud environments of Commvault, a major data management and backup software firm. According to a person with knowledge of the matter, who spoke on condition of anonymity, the same hacking unit previously infiltrated Treasury Department networks and targeted some of the agency's most sensitive systems.

The breach, which CISA and Commvault announced last Thursday, highlights the growing threat of Chinese government-backed hackers targeting cloud applications that run with default configurations and elevated permissions. CISA believes the activity may be part of a larger campaign against the cloud applications of various SaaS providers.

Microsoft has tracked Silk Typhoon since 2020 and assigns it the "Typhoon" suffix it uses for China-based actors, distinguishing the group from other Chinese hacking collectives. Typhoon-designated groups have made waves over the past year by infiltrating global telecommunications networks and a variety of U.S. critical infrastructure. In March, after receiving new information about the intrusions, Commvault said it was in touch with the FBI, CISA, and others.

"This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance," Commvault said in a blog post. "There has been no unauthorized access to customer backup data that Commvault stores and protects."

The breach could have major implications for companies and government agencies that store copies of their most important data in the cloud, putting emails, documents or sensitive customer information at risk. Commvault's client base includes major enterprise firms like Sony, 3M, Deloitte, and AstraZeneca, as well as a vast government services arm.

In January, the U.S. sanctioned Shanghai-based hacker Yin Kecheng in connection with the Treasury Department intrusion; he is believed to be tied to China's Ministry of State Security.

"Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments," Microsoft said in its March blog post. Experts widely regard China as the top cyberespionage threat to the United States, citing a history of targeting government agencies, defense contractors, and major tech firms to steal sensitive data and intellectual property.

What's at Stake

Commvault stores and protects backup copies of its customers' data, so a compromise of its cloud environment matters well beyond the company itself. If the attackers can reach customer applications from that foothold, they may be able to steal sensitive information such as emails, documents, or customer records.

CISA has issued a critical joint advisory about the hacking activity, urging companies to patch actively exploited vulnerabilities in Commvault, Broadcom, and Qualitia products. It is not immediately clear, however, whether those vulnerabilities are connected to the Silk Typhoon activity.