China-linked APT Silk Typhoon targets IT Supply Chain
Microsoft has issued a warning about the growing threat of China-linked APT group Silk Typhoon, which is targeting the global IT supply chain using IT firms to spy and move laterally. The group, linked to the US Treasury hack in 2020, has shifted its tactics to target IT solutions like remote management tools and cloud apps for initial access.
Silk Typhoon is a China-linked cyber espionage group involved in the cyber attack against the US Treasury. Despite not directly attacking Microsoft cloud services, they exploit unpatched apps to escalate privileges and gain access to customer networks. Using stolen credentials, they abuse various applications for espionage.
The Chinese APT has one of the widest targeting scopes, with a focus on multiple sectors worldwide, including information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), and energy.
The group has been active since at least 2020, using web shells for command execution and data theft. Silk Typhoon demonstrates a deep knowledge of cloud environments that allow the group to move laterally, maintain persistence, and exfiltrate data.
Initial Access and Lateral Movement
The APT group gains initial access to target infrastructure via zero-day exploits, vulnerable third-party services, and compromised credentials, targeting IT providers and RMM solutions. In January 2025, they exploited a zero-day in Ivanti Pulse Connect VPN (CVE-2025-0282).
Once inside, the threat actors move laterally from on-premises to cloud environments by dumping Active Directory, stealing passwords from key vaults, and escalating privileges. The group targets AADConnect (now Entra Connect) servers, which sync on-prem AD with Entra ID.
Exfiltration and Data Theft
Silk Typhoon abuses service principals and OAuth applications with admin permissions to exfiltrate email, OneDrive, and SharePoint data via MSGraph. They hijack consented applications, add their own passwords, and steal email data.
They also compromise multi-tenant apps, enabling lateral movement across tenants. In some cases, they create Entra ID apps disguised as legitimate services to facilitate data theft.
Covert Networks and Attribution
Microsoft observed the APT group using covert networks to hide their activities. Attackers rely on a collection of egress IPs consisting of compromised or leased devices to make attribution hard.
“Silk Typhoon was observed utilizing a covert network that is comprised of compromised Cyberoam appliances, Zyxel routers, and QNAP devices.” reads the analysis published by Microsoft. “The use of covert networks has become a common tactic among various threat actors, particularly Chinese threat actors.”
Mitigation and Recommendations
Microsoft has alerted affected customers and is raising awareness, offering guidance to mitigate Silk Typhoon’s threats and disrupt their operations. “Silk Typhoon is not known to use their own dedicated infrastructure in their operations. Typically, the threat actor uses compromised covert networks, proxies, and VPNs for infrastructure, likely to obfuscate their operations.”
“However, they have also been observed using short-lease virtual private server (VPS) infrastructure to support their operations” concludes the report.
Microsoft has published recommendations to allow customers to detect and mitigate the APT’s activity. Follow us on Twitter: @securityaffairs and Facebook and Mastodon for more security updates and insights.