Microsoft Warns of Silk Typhoon Hackers Exploiting Cloud Services to Attack IT Supply Chain

Microsoft Threat Intelligence has identified a significant shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions such as remote management tools and cloud applications for initial access.

This well-resourced and technically proficient threat actor has demonstrated a large targeting footprint among Chinese threat actors, exploiting vulnerabilities in edge devices and moving swiftly from discovery to exploitation.

Chinese Espionage Group Shifts Tactics to Target IT Solutions

Since late 2024, Silk Typhoon has been observed abusing stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies.

This approach allows the threat actor to access downstream customer environments of initially compromised companies.

The group has also gained initial access through successful password spray attacks and other password abuse techniques, including discovering leaked corporate passwords on public repositories.

Supply Chain Compromise and Credential Abuse

Silk Typhoon’s activities span a wide range of sectors and geographic regions, including IT services, remote monitoring and management companies, managed service providers, healthcare, legal services, higher education, defense, government, NGOs, and energy sectors, primarily located in the United States and globally.

The threat actor has demonstrated proficiency in understanding cloud environment deployments and configurations, enabling successful lateral movement, persistence maintenance, and rapid data exfiltration within victim environments.

Since 2020, Silk Typhoon has utilized various web shells for command execution, persistence, and data exfiltration.

In their recent activities, Silk Typhoon has been observed using stolen API keys to access downstream customers of initially compromised companies, performing reconnaissance and data collection on targeted devices via admin accounts.

The group has also been seen resetting default admin accounts, implanting web shells, creating additional users, and clearing logs of their actions.

Microsoft has directly notified targeted or compromised customers, providing crucial information for securing their environments.

The company recommends several mitigation strategies, including inspecting log activity related to Entra Connect servers, analyzing newly created applications, scrutinizing multi-tenant applications, and investigating any observed activity related to Microsoft Graph or eDiscovery, particularly for SharePoint or email data exfiltration.

To defend against these threats, Microsoft advises organizations to ensure all public-facing devices are patched, implement strong controls and monitoring for security identities, and defend against credential compromise by building credential hygiene and practicing the principle of least privilege.

Additionally, organizations should implement Conditional Access policies enforcing Microsoft’s Zero Trust principles and enable risk-based user sign-in protection.

As Silk Typhoon continues to evolve its tactics, organizations must remain vigilant and proactive in their cybersecurity measures to protect against this sophisticated threat actor targeting the IT supply chain.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free