Cybersecurity threats continue to evolve, with the Silk Typhoon hacking group at the forefront. Microsoft has reported a shift in tactics by this Chinese state-sponsored cyber-espionage group, now focusing on IT supply chains to breach networks. This strategic change allows them to infiltrate a wide range of industries, including government, healthcare, and IT services.
Silk Typhoon Targeting Remote Management Tools
According to Microsoft, Silk Typhoon is now exploiting remote management tools and cloud services. This shift enables them to gain access to downstream customers through supply chain attacks. As detailed in Microsoft’s report:
“They [Silk Typhoon] exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities.”
This tactic involves compromising remote management software to infiltrate customer networks. Once inside, the hackers can abuse various applications, including those from Microsoft, to achieve their espionage goals.
Breaches Across Multiple Industries
Microsoft confirmed that the Silk Typhoon group has successfully breached numerous sectors, including:
- Government
- IT Services
- Healthcare
- Defense
- Education
- NGOs
- Energy
The group previously relied on exploiting zero-day vulnerabilities in public-facing edge devices but has transitioned to scanning GitHub repositories for leaked authentication keys and credentials. Combined with password spray attacks, this approach gives them valid credentials for the target organization.
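Password spraying, named above as one way Silk Typhoon obtains valid credentials, has a distinctive sign-in signature that defenders can alert on: one source failing against many different accounts, a few attempts each, sometimes followed by a success. The Python detector below is an added example, not code from Microsoft's report or from this article; it runs that check over constructed sample sign-in events, and the log format, source addresses and account names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2025-03-05T10:00:01Z 203.0.113.7 alice@example.org FAILURE
2025-03-05T10:00:03Z 203.0.113.7 bob@example.org FAILURE
2025-03-05T10:00:05Z 203.0.113.7 carol@example.org FAILURE
2025-03-05T10:00:07Z 203.0.113.7 dave@example.org FAILURE
2025-03-05T10:00:09Z 203.0.113.7 erin@example.org FAILURE
2025-03-05T10:00:11Z 203.0.113.7 frank@example.org SUCCESS
2025-03-05T10:01:00Z 198.51.100.9 alice@example.org FAILURE
2025-03-05T10:01:02Z 198.51.100.9 alice@example.org FAILURE
2025-03-05T10:01:04Z 198.51.100.9 alice@example.org FAILURE
2025-03-05T10:01:06Z 198.51.100.9 alice@example.org FAILURE
"""

def parse_events(text):
    """Parse the assumed whitespace-separated format into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source_ip: {...}} for sources that fail against at least min_accounts distinct
    accounts with at most max_per_account failures each inside one window (the spray shape).
    One account hammered repeatedly is brute force, not spray, and is deliberately not reported."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        start = evs[0][0]
        # Simplification: one window anchored at the source's first event, not a sliding window.
        in_window = [e for e in evs if e[0] - start <= window]
        failed = defaultdict(int)
        successes = set()
        for ts, user, result in in_window:
            if result == "FAILURE":
                failed[user] += 1
            elif result == "SUCCESS":
                successes.add(user)  # a success after a spray is the account to investigate first
        if len(failed) >= min_accounts and max(failed.values()) <= max_per_account:
            hits[src] = {"accounts": len(failed), "successes": sorted(successes)}
    return hits
```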
Infiltration: Exploiting Vulnerabilities and Credentials
Following their infiltration, Silk Typhoon employs stolen keys and credentials to access customer networks. They are known to exploit unpatched applications and have been linked to recent breaches involving critical vulnerabilities such as:
- CVE-2025-0282: A critical Ivanti Pulse Connect VPN privilege escalation flaw.
- CVE-2024-3400: A command injection vulnerability in Palo Alto Networks GlobalProtect.
- CVE-2023-3519: A remote code execution flaw in Citrix NetScaler ADC and NetScaler Gateway.
This change in tactics allows attackers to operate stealthily within cloud environments, manipulating Active Directory sync credentials and abusing OAuth applications.
Stealth and Evasion: Covert Network and Minimal Trace
The Silk Typhoon hackers have developed a “CovertNetwork,” which includes compromised Cyberoam appliances, Zyxel routers, and QNAP devices. This infrastructure is used to launch attacks while obscuring their malicious activities, leaving minimal traces.
Microsoft has updated its indicators of compromise and detection rules to reflect Silk Typhoon’s latest tactics. Organizations are encouraged to integrate this information into their security systems to detect and block potential attacks promptly.
The evolution of Silk Typhoon’s tactics underscores the growing threat to IT supply chains and the need for robust cybersecurity measures. Enterprises must remain vigilant and proactive in addressing these emerging threats to protect their networks and sensitive data.