Silk Typhoon Hackers Now Target IT Supply Chains to Breach Networks
In a significant shift in tactics, the Chinese state-sponsored espionage group Silk Typhoon has turned its attention to IT supply chains, compromising remote management tools and cloud services to reach those providers' downstream customers. Microsoft has confirmed breaches across multiple industries, including government, IT services, healthcare, defense, education, NGOs, and energy.
According to Microsoft's report, Silk Typhoon exploits unpatched applications to elevate its access inside targeted organizations and conduct further malicious activity. Once an IT provider is compromised, the attackers use stolen keys and credentials to infiltrate that provider's customer networks, where they abuse a variety of deployed applications, Microsoft services among them, to achieve their espionage objectives.
Silk Typhoon's new tactics mark a significant departure from its previous methods. The group was previously tied to the breach of the U.S. Treasury's Office of Foreign Assets Control (OFAC) in early December 2024 and the theft of data from the Committee on Foreign Investment in the United States (CFIUS). It now appears to have shifted its focus to exploiting weaknesses in IT supply chains.
Microsoft reports that Silk Typhoon abuses stolen API keys and compromised credentials belonging to IT providers and to identity management, privileged access management (PAM), and remote monitoring and management (RMM) solutions, then uses them to reach downstream customer networks and data. The attackers scan GitHub repositories and other public resources for leaked authentication keys or credentials and use whatever they find to breach environments.
The threat actors are also known to use password spray attacks to obtain valid credentials. Previously, the group primarily leveraged zero-day and n-day flaws in public-facing edge devices to gain initial access, plant web shells, and then move laterally over compromised VPN and RDP connections.
With its new tactics, however, Silk Typhoon moves within cloud environments, stealing Microsoft Entra Connect (formerly Azure AD Connect) directory synchronization credentials and abusing OAuth applications for a much stealthier attack. In these intrusions the group relies on cloud applications rather than malware and web shells to steal data, then clears logs, leaving only a minimal trace behind.
According to Microsoft's observations, Silk Typhoon continues to exploit vulnerabilities alongside its new tactics, sometimes as zero-days, for initial access. Most recently, the group was observed exploiting CVE-2025-0282, a critical stack-based buffer overflow in Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances that allows unauthenticated remote code execution, as a zero-day to breach corporate networks.
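The GitHub scanning described above is exactly what a defender can run first, before a commit leaves the building. The following is an added example (not code from Microsoft's report or from the original article) of a minimal secret scanner: a few publicly documented key formats are matched directly, and generic "name = value" assignments are reported only when the value is high-entropy, so placeholders such as "changeme" do not page anyone. The sample config file is constructed for this example (the AWS key is Amazon's documented placeholder), and the 3.5 bits-per-character entropy cut-off is an assumption made here.

```python
import math
import re
from collections import Counter

# Publicly documented credential formats, checked first because they need no entropy gate.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "name = value" assignments; only reported when the value looks random enough.
GENERIC_ASSIGNMENT = re.compile(
    r'(?i)\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*["\']?([A-Za-z0-9+/_\-.=]{16,})'
)
ENTROPY_THRESHOLD = 3.5  # assumed cut-off in bits/char; "changeme"-style placeholders score well below it


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a finding is recognisable without re-leaking the value."""
    return f"{secret[:4]}... ({len(secret)} chars)"


def scan_text(text: str, path: str = "<memory>") -> list[dict]:
    """Return one finding per line that appears to contain a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = None
        for kind, pattern in SPECIFIC_PATTERNS.items():
            m = pattern.search(line)
            if m:
                hit = (kind, m.group(0))
                break
        if hit is None:  # no known format on this line: fall back to the entropy-gated generic match
            m = GENERIC_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                hit = ("generic_high_entropy", m.group(1))
        if hit:
            kind, value = hit
            findings.append({"path": path, "line": line_no, "kind": kind, "excerpt": redact(value)})
    return findings


# Constructed sample file for this example; the AWS key is Amazon's documented placeholder
# and none of the other values are real credentials.
SAMPLE_CONFIG = """\
# constructed config file for this example
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
password = "changeme_changeme_changeme"
api_key: "8fQ2zL9vPm4xR7tYwB3nKc6Je1Hd5sAg"
log_level = info
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.env"):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['excerpt']}")
```

Run against the sample, the scanner reports the AWS key, the GitHub token, the high-entropy api_key value and the private-key header, and stays silent on the low-entropy placeholder password. Wiring this into a pre-commit hook closes the window in which a pushed key is visible to anyone scanning public repositories; keys that did leak should be revoked, not just removed from history.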
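Both of the techniques above leave a signature in the identity logs: a password spray shows up as one source IP failing against many different accounts in a short window, and OAuth abuse shows up as a consent grant that hands an application broad Microsoft Graph permissions. The following is an added example (not code from Microsoft's report or from the original article) that runs both checks over constructed sign-in and audit records. The record field names are a simplification assumed for this example rather than the exact Entra export schema, and the 15-minute window, the 8-account threshold and the high-risk permission list are assumptions made here.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Entra ID error code for "invalid username or password"; a spray leaves many of these per source IP.
INVALID_PASSWORD = 50126
# Graph permissions that give an OAuth app broad access to mail, files or the directory (assumed list).
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}


def parse_jsonl(text: str) -> list[dict]:
    """One JSON object per non-empty line, as a SIEM export would deliver them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_password_spray(signins, window=timedelta(minutes=15), min_users=8):
    """One alert per source IP whose bad-password failures hit >= min_users distinct accounts within `window`."""
    by_ip = defaultdict(list)
    for e in signins:
        if e["result"] == "failure" and e["errorCode"] == INVALID_PASSWORD:
            by_ip[e["ip"]].append((_ts(e["time"]), e["upn"]))
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort()
        best, best_start = 0, None
        for i, (t0, _) in enumerate(fails):  # slide a window over the time-sorted failures
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) > best:
                best, best_start = len(users), t0
        if best >= min_users:
            # a success from the same IP after the spray began is the account that was actually guessed
            cracked = sorted({e["upn"] for e in signins
                              if e["ip"] == ip and e["result"] == "success" and _ts(e["time"]) >= best_start})
            alerts.append({"ip": ip, "distinct_users": best,
                           "window_start": best_start.isoformat(), "later_success": cracked})
    return alerts


def detect_risky_consents(audits):
    """Flag 'Consent to application' events that grant any high-risk Graph permission."""
    alerts = []
    for e in audits:
        if e.get("activity") != "Consent to application":
            continue
        risky = sorted(set(e.get("permissions", [])) & HIGH_RISK_PERMISSIONS)
        if risky:
            alerts.append({"time": e["time"], "app": e["app"], "by": e["initiatedBy"], "risky": risky})
    return alerts


# Constructed sample logs for this example; field names are a simplification, not the exact Entra schema.
_base = datetime(2025, 3, 5, 9, 0, tzinfo=timezone.utc)
SIGNIN_LOG = "\n".join(json.dumps(e) for e in [
    # twelve different accounts, one wrong password each, a minute apart, same source IP
    *({"time": (_base + timedelta(minutes=i)).isoformat(), "upn": f"user{i:02d}@example.com",
       "ip": "203.0.113.10", "result": "failure", "errorCode": INVALID_PASSWORD} for i in range(12)),
    # the spray guessed one password correctly
    {"time": (_base + timedelta(minutes=13)).isoformat(), "upn": "user07@example.com",
     "ip": "203.0.113.10", "result": "success", "errorCode": 0},
    # benign: one user mistyping their own password three times from the office
    *({"time": (_base + timedelta(minutes=i)).isoformat(), "upn": "alice@example.com",
       "ip": "198.51.100.5", "result": "failure", "errorCode": INVALID_PASSWORD} for i in range(3)),
])
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2025-03-05T10:02:11+00:00", "activity": "Consent to application", "app": "Mailbox Sync Helper",
     "initiatedBy": "user07@example.com", "permissions": ["User.Read", "Mail.Read", "Files.Read.All"]},
    {"time": "2025-03-05T10:05:40+00:00", "activity": "Consent to application", "app": "Corporate Wiki",
     "initiatedBy": "bob@example.com", "permissions": ["User.Read", "openid"]},
    {"time": "2025-03-05T10:06:02+00:00", "activity": "Update user", "app": None,
     "initiatedBy": "bob@example.com", "permissions": []},
])

if __name__ == "__main__":
    for a in detect_password_spray(parse_jsonl(SIGNIN_LOG)) + detect_risky_consents(parse_jsonl(AUDIT_LOG)):
        print(a)
```

On the sample data the spray check fires once, for 203.0.113.10, and names user07 as the account whose password was guessed; alice's three mistyped logons from one IP never reach the distinct-account threshold. The consent check fires for the app granted Mail.Read and Files.Read.All, which is the shape of the OAuth abuse described above. Because the group clears logs after the fact, these checks are only as good as the copy of the logs an intruder cannot reach: stream sign-in and audit logs to a SIEM outside the tenant, and treat the later_success account as needing a password reset, session revocation and a review of any consents it granted.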
Earlier, in 2024, Silk Typhoon exploited CVE-2024-3400, a command injection vulnerability in Palo Alto Networks GlobalProtect, and CVE-2023-3519, a remote code execution flaw in Citrix NetScaler ADC and NetScaler Gateway. Microsoft says the threat actors have created a "CovertNetwork" consisting of compromised Cyberoam appliances, Zyxel routers, and QNAP devices, which are used to launch attacks and obfuscate malicious activities.
Microsoft has listed updated indicators of compromise and detection rules reflecting Silk Typhoon's latest shift in tactics at the bottom of its report. Defenders should load that material into their security tooling so that related activity can be detected and blocked promptly.
As the threat landscape continues to evolve, it is essential for organizations to remain vigilant and take proactive measures to protect themselves against emerging threats like Silk Typhoon.
Updated Indicators of Compromise and Detection Rules
Microsoft's report closes with indicators of compromise and hunting queries for the activity described above; those artifacts are in the report itself. The vulnerabilities Microsoft ties to the group's initial access are:
* CVE-2025-0282: stack-based buffer overflow allowing unauthenticated remote code execution in Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances
* CVE-2024-3400: command injection vulnerability in Palo Alto Networks PAN-OS GlobalProtect
* CVE-2023-3519: remote code execution flaw in Citrix NetScaler ADC and NetScaler Gateway
Defenders should confirm these products are patched and add Microsoft's indicators and detection rules to their security tools to stay ahead of the threat.
Related articles
* Chinese espionage tools deployed in RA World ransomware attack
* IPany VPN breached in supply-chain attack to push custom malware
* MirrorFace hackers targeting Japanese government and politicians since 2019
* Chinese hackers use custom malware to spy on US telecom networks
* New NailaoLocker ransomware used against EU healthcare organizations