Microsoft alerts of Chinese hackers spying on cloud tech

Published 05/03/2025, 15:30
© Reuters.

Investing.com -- Microsoft (NASDAQ:MSFT) has issued a warning about "Silk Typhoon", a Chinese espionage group that has been spying on cloud technology. The group has been blamed for previous breaches at the Treasury and is now targeting IT supply chains. According to a post on Microsoft Security's blog, the group is focusing on common IT solutions such as remote management tools and cloud applications to gain initial access.

Silk Typhoon, a well-funded and technically efficient group, is known for quickly operationalizing exploits for newly discovered zero-day vulnerabilities in edge devices. They have one of the largest targeting footprints among Chinese threat actors because they act opportunistically on discoveries from their vulnerability scanning operations. Once a vulnerable public-facing device is found, they move quickly to the exploitation phase.

The group has targeted a wide range of sectors and geographic regions, including IT services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), energy, and others located in the United States and worldwide.

Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured. This allows them to move laterally, maintain persistence, and exfiltrate data quickly within victim environments. Since Microsoft Threat Intelligence began tracking this threat actor in 2020, Silk Typhoon has used a variety of web shells to execute commands, maintain persistence, and exfiltrate data from victim environments.

Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. Microsoft is publishing this information to raise awareness of Silk Typhoon’s recent and long-standing malicious activities, provide mitigation and hunting guidance, and help disrupt operations by this threat actor.

Since late 2024, Microsoft Threat Intelligence has conducted thorough research and tracked ongoing attacks performed by Silk Typhoon. Their efforts have significantly enhanced understanding of the actor's operations and uncovered new tradecraft used by the actor. Silk Typhoon was observed abusing stolen API keys and credentials associated with privileged access management (PAM), cloud app providers, and cloud data management companies. This allowed the threat actor to access these companies' downstream customer environments.

Silk Typhoon also gained initial access through successful password spray attacks and other password abuse techniques, including discovering passwords through reconnaissance. In this activity, Silk Typhoon leveraged leaked corporate passwords found in public repositories, such as GitHub, and successfully authenticated to the corporate account.

In January 2025, Silk Typhoon was observed exploiting a zero-day vulnerability in the public-facing Ivanti Pulse Connect VPN (CVE-2025-0282). Microsoft Threat Intelligence Center reported the activity to Ivanti, which led to a rapid resolution of the critical vulnerability.

Once a victim has been successfully compromised, Silk Typhoon is known to utilize common yet effective tactics to move laterally from on-premises environments to cloud environments. They look to dump Active Directory, steal passwords within key vaults, and escalate privileges. Silk Typhoon has been observed targeting Microsoft AADConnect servers in these post-compromise activities.

While analyzing post-compromise tradecraft, Microsoft identified Silk Typhoon abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph. Silk Typhoon has also been observed compromising multi-tenant applications, potentially allowing the actors to move across tenants, access additional resources within the tenants, and exfiltrate data.
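A hunting check in the spirit of the service-principal abuse described above, added here as an example and not part of the Microsoft post or this article: it reads records shaped like Microsoft Graph oauth2PermissionGrants (the sample data and the clientId values are constructed) and flags applications holding consent to mailbox, OneDrive or SharePoint scopes, rating tenant-wide admin consent as the higher risk.

```python
"""Flag OAuth grants that give an app Graph access to mail, OneDrive and
SharePoint. Added example; records follow the shape of Microsoft Graph
/oauth2PermissionGrants, and the sample data below is constructed."""

# Delegated Graph scopes covering the data the article says was exfiltrated.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Read.All",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}

# Constructed grants. consentType "AllPrincipals" means an administrator
# consented for every user in the tenant; "Principal" is one user's consent.
GRANTS = [
    {"clientId": "sp-helpdesk", "consentType": "Principal",
     "principalId": "user-1", "scope": "User.Read Mail.Read"},
    {"clientId": "sp-backup", "consentType": "AllPrincipals",
     "principalId": None,
     "scope": "Files.ReadWrite.All Sites.ReadWrite.All Mail.ReadWrite"},
    {"clientId": "sp-calendar", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Calendars.Read"},
]


def flag_grants(grants, sensitive=SENSITIVE_SCOPES):
    """Return {clientId: {"severity": ..., "scopes": [...]}} for every
    service principal holding a sensitive scope. Tenant-wide admin consent
    is rated high; a single user's consent is rated medium."""
    findings = {}
    for g in grants:
        hit = set(g.get("scope", "").split()) & sensitive
        if not hit:
            continue
        entry = findings.setdefault(
            g["clientId"], {"severity": "medium", "scopes": set()})
        entry["scopes"] |= hit
        if g.get("consentType") == "AllPrincipals":
            entry["severity"] = "high"
    return {k: {"severity": v["severity"], "scopes": sorted(v["scopes"])}
            for k, v in findings.items()}


if __name__ == "__main__":
    for sp, f in flag_grants(GRANTS).items():
        print(f"{f['severity']:6} {sp}: {', '.join(f['scopes'])}")
```

In a real tenant the same check would run over grants exported from Graph, with application (app-role) permissions reviewed alongside the delegated ones shown here.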

Silk Typhoon is known to utilize covert networks to obfuscate their malicious activities. These covert networks, tracked by Microsoft as “CovertNetwork”, refer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more threat actors.

Since 2021, Silk Typhoon has been observed targeting and compromising vulnerable unpatched Microsoft Exchange servers, GlobalProtect Gateway on Palo Alto Networks (NASDAQ:PANW) firewalls, Citrix NetScaler appliances, Ivanti Pulse Connect Secure appliances, and others.

This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.
