Chinese espionage group Silk Typhoon has recently shifted its tactics to focus on IT supply chain attacks to infiltrate target environments, Microsoft’s Threat Intelligence team said in a new report.
Instead of directly attacking cloud services, the group exploits unpatched IT solutions like remote management tools, cloud applications, and privileged access management (PAM) solutions to gain initial access. This strategy allows them to abuse stolen API keys and credentials linked to PAM, cloud app providers, and cloud data management companies, which in turn gives them access to downstream customer environments, including sensitive systems in state and local governments, as well as the IT sector.
Silk Typhoon uses the stolen credentials to infiltrate customer networks and carry out reconnaissance and data collection using admin-level access. The data the attackers collect is typically related to China’s interests, US government policies, legal documents, and law enforcement investigations.
Further tactics employed by Silk Typhoon include resetting default admin accounts, implanting web shells, creating additional users, and clearing logs to cover their tracks. The group has also been observed conducting password spray attacks and exploiting leaked corporate passwords from repositories like GitHub to authenticate and gain access to corporate accounts.
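The password-spray pattern described above is distinguishable from ordinary brute force in sign-in telemetry: one source address fails against many different accounts, each only once or twice, inside a short window, and the interesting case is the source that then succeeds. The following is an added detection example written for this page, not code from Microsoft or from the report; the sign-in records are constructed and the field names (userPrincipalName, ipAddress, errorCode, createdDateTime) are modelled on Entra ID sign-in log exports, with error code 50126 standing for an invalid-credential failure and 0 for success.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "errorCode": code}


# Constructed sample sign-ins (not real telemetry). 50126 = invalid
# credentials, 0 = success. 203.0.113.7 sprays six accounts once each and
# then authenticates as one of them; 198.51.100.9 hammers a single account
# (brute force, not a spray); 192.0.2.44 is a user mistyping their own password.
SAMPLE_SIGNINS = [
    _ev("2025-03-05T09:00:05Z", "a.lee@example.gov",   "203.0.113.7", 50126),
    _ev("2025-03-05T09:02:11Z", "b.ortiz@example.gov", "203.0.113.7", 50126),
    _ev("2025-03-05T09:04:40Z", "c.nair@example.gov",  "203.0.113.7", 50126),
    _ev("2025-03-05T09:07:03Z", "d.khan@example.gov",  "203.0.113.7", 50126),
    _ev("2025-03-05T09:09:59Z", "e.wu@example.gov",    "203.0.113.7", 50126),
    _ev("2025-03-05T09:12:30Z", "f.rossi@example.gov", "203.0.113.7", 50126),
    _ev("2025-03-05T09:15:00Z", "d.khan@example.gov",  "203.0.113.7", 0),
    *[_ev(f"2025-03-05T10:00:{s:02d}Z", "a.lee@example.gov", "198.51.100.9", 50126)
      for s in range(0, 40, 5)],
    _ev("2025-03-05T11:00:00Z", "g.park@example.gov",  "192.0.2.44", 50126),
    _ev("2025-03-05T11:00:20Z", "g.park@example.gov",  "192.0.2.44", 0),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {ip: {"targeted": [...], "succeeded": [...]}} for every source IP
    that failed against at least `min_accounts` distinct accounts within any
    sliding `window`. "succeeded" lists accounts the same IP later signed in
    to successfully, which is the spray-then-access case to escalate first."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(
            (_parse(e["createdDateTime"]), e["userPrincipalName"], e["errorCode"]))

    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(t, u) for t, u, code in rows if code != 0]
        in_window = Counter()   # distinct accounts currently inside the window
        left = 0
        targeted = set()
        for t, u in fails:
            in_window[u] += 1
            # slide the left edge forward until the window is at most `window` wide
            while t - fails[left][0] > window:
                old_user = fails[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) >= min_accounts:
                targeted.update(in_window)   # keys of the Counter = account names
        if targeted:
            succeeded = sorted({u for _, u, code in rows if code == 0})
            alerts[ip] = {"targeted": sorted(targeted), "succeeded": succeeded}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, "sprayed", len(info["targeted"]), "accounts; later succeeded as",
              info["succeeded"] or "none")
```

The sliding window matters: a spray that paces one attempt every few minutes never trips a per-account lockout threshold, so counting distinct accounts per source rather than failures per account is the discriminator. Tune `min_accounts` and `window` to the tenant; sprays from a large proxy pool spread across many IPs will need the same logic keyed on user agent or ASN instead of a single address.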
Silk Typhoon has also exploited vulnerabilities in third-party services and software providers, including zero-days. For instance, in January 2025, the group exploited CVE-2025-0282, at the time a zero-day, in Ivanti Connect Secure VPN appliances (formerly Pulse Connect Secure).
After gaining initial access, Silk Typhoon often attempts to move laterally within the victim's environment, from on-premises systems into cloud environments. They target key systems like Active Directory, steal passwords from key vaults, and escalate privileges. The group has been observed specifically targeting Microsoft AADConnect servers (now Entra Connect), which synchronize on-premises Active Directory with Entra ID (formerly Azure AD). Because that server holds credentials for privileged synchronization accounts in both directories, compromising it lets Silk Typhoon escalate privileges across on-premises and cloud environments at once, enabling lateral movement in either direction.
Silk Typhoon’s post-compromise activities have included abusing service principals and OAuth applications with administrative permissions to exfiltrate data from Microsoft services like email, OneDrive, and SharePoint through the Microsoft Graph API. To obfuscate activities and avoid detection, the group employs covert networks made up of compromised devices, such as Cyberoam appliances, Zyxel routers, and QNAP devices, which it uses for malicious operations.
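The service-principal abuse described above works because a Microsoft Graph application permission such as Mail.Read or Files.Read.All is tenant-wide: one app credential reads every mailbox or drive, with no user sign-in and no MFA prompt. A practical hunt is therefore to list every service principal holding such a permission and look for a recently added secret or a recently added grant on it. The following is an added triage example written for this page, not code from Microsoft or the report; the service-principal records are constructed, the permission names are real Microsoft Graph application permissions, and the risk tiers and scoring weights are this example's own assumptions.

```python
from datetime import datetime, timedelta

# Microsoft Graph application permissions that give one credential read or write
# access to every mailbox, drive or site in the tenant. The grouping into tiers
# is an assumption made for this example.
TENANT_WIDE_DATA_PERMS = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}
# Permissions that let the holder mint further access (new apps, new grants, roles).
DIRECTORY_CONTROL_PERMS = {
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All",
}

# Constructed sample inventory (not a real tenant). In practice each record is
# assembled from GET /servicePrincipals, its appRoleAssignments (appRoleId
# resolved against the Microsoft Graph service principal's appRoles) and its
# keyCredentials / passwordCredentials.
SAMPLE_SPS = [
    {"displayName": "HR Portal", "appId": "00000000-0000-0000-0000-000000000001",
     "grants": [{"permission": "User.Read.All", "createdDateTime": "2023-04-02T10:00:00Z"}],
     "credentials": [{"type": "password", "startDateTime": "2023-04-02T10:00:00Z"}]},
    {"displayName": "Mailbox Archiver", "appId": "00000000-0000-0000-0000-000000000002",
     "grants": [{"permission": "Mail.Read", "createdDateTime": "2023-01-15T08:00:00Z"},
                {"permission": "Files.Read.All", "createdDateTime": "2025-02-20T22:41:00Z"}],
     "credentials": [{"type": "password", "startDateTime": "2023-01-15T08:00:00Z"},
                     {"type": "password", "startDateTime": "2025-02-21T03:12:00Z"}]},
    {"displayName": "Tenant Automation", "appId": "00000000-0000-0000-0000-000000000003",
     "grants": [{"permission": "Directory.ReadWrite.All", "createdDateTime": "2024-06-01T09:00:00Z"}],
     "credentials": [{"type": "key", "startDateTime": "2024-06-01T09:00:00Z"}]},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def triage_service_principals(sps, now, recent=timedelta(days=30)):
    """Return findings, highest score first, for service principals that hold
    tenant-wide Graph application permissions. Scoring (assumed weights):
    +3 data-access tier, +3 directory-control tier, +2 risky grant added within
    `recent`, +2 credential added within `recent`, +1 more than one credential
    (an attacker-added secret beside the legitimate one is the classic tell)."""
    findings = []
    for sp in sps:
        held = {g["permission"] for g in sp["grants"]}
        risky = held & (TENANT_WIDE_DATA_PERMS | DIRECTORY_CONTROL_PERMS)
        if not risky:
            continue
        score, reasons = 0, []
        if risky & TENANT_WIDE_DATA_PERMS:
            score += 3
            reasons.append("tenant-wide mailbox/drive/site access: "
                           + ", ".join(sorted(risky & TENANT_WIDE_DATA_PERMS)))
        if risky & DIRECTORY_CONTROL_PERMS:
            score += 3
            reasons.append("directory control: "
                           + ", ".join(sorted(risky & DIRECTORY_CONTROL_PERMS)))
        new_grants = sorted(g["permission"] for g in sp["grants"]
                            if g["permission"] in risky
                            and now - _parse(g["createdDateTime"]) <= recent)
        if new_grants:
            score += 2
            reasons.append(f"risky permission granted in last {recent.days} days: "
                           + ", ".join(new_grants))
        new_creds = [c for c in sp["credentials"]
                     if now - _parse(c["startDateTime"]) <= recent]
        if new_creds:
            score += 2
            reasons.append(f"{len(new_creds)} credential(s) added in last {recent.days} days")
        if len(sp["credentials"]) > 1:
            score += 1
            reasons.append(f"multiple live credentials ({len(sp['credentials'])})")
        findings.append({"displayName": sp["displayName"], "appId": sp["appId"],
                         "permissions": sorted(risky), "score": score, "reasons": reasons})
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for f in triage_service_principals(SAMPLE_SPS, now=datetime(2025, 3, 5)):
        print(f"[{f['score']}] {f['displayName']} ({f['appId']})")
        for r in f["reasons"]:
            print("    -", r)
```

An app like "Mailbox Archiver" in the sample, which legitimately held Mail.Read for two years and then gained Files.Read.All and a second secret in the same week, is exactly the record worth pulling sign-in and Graph activity logs for. For mailbox permissions specifically, Exchange Online application access policies can confine an app to the mailboxes it actually needs, which turns a tenant-wide Mail.Read into a scoped one even if the credential is stolen.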
Historically, Silk Typhoon has targeted vulnerabilities in widely used IT infrastructure and edge appliances, such as Microsoft Exchange servers and various VPN and firewall products. For instance, the group exploited critical vulnerabilities like CVE-2021-26855 (part of the ProxyLogon chain) in Microsoft Exchange Server, CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS, and CVE-2023-3519 in Citrix NetScaler ADC and NetScaler Gateway.
In addition to exploiting these vulnerabilities, the hackers often deploy web shells to maintain persistence and provide remote access for further attacks.