
The threat group known as Silk Typhoon has been active since the 2021 exploitation of zero-day vulnerabilities in Microsoft Exchange servers. The group has a diverse attack history, partly as a result of their opportunistic method of taking advantage of vulnerabilities discovered by their scanning operations. As an espionage-focused group, Silk Typhoon has historically attempted to compromise defense contractors, healthcare institutions, law firms, and more.
Microsoft Threat Intelligence has discovered a recent shift in tactics from Silk Typhoon, identified in late 2024. The group has been increasingly targeting IT solutions, taking advantage of IT infrastructure and exploiting supply chain connections to gain initial access to organizations’ networks.
Exploiting IT Supply Chains for Initial Access
Silk Typhoon is targeting common IT solutions such as remote management tools and cloud applications to obtain access to corporate networks and carry out further threat activity. This tactic “introduces specific technical challenges for defenders,” according to Casey Ellis, Founder at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity. “Their approach leverages the inherent trust organizations place in their IT and cloud infrastructure, effectively expanding the attack surface to include interconnected supply chains and third-party applications.”
The group is known to search for and exploit unpatched security gaps in applications, especially zero-day vulnerabilities that it can take advantage of before defenders have a chance to patch them. By going after IT supply chains, Silk Typhoon can exploit a vulnerability in one organization and eventually gain access to many more corporate networks connected to that initial access point.
The Tactics: How Silk Typhoon Moves Through the Network
To gain access to the network initially, Silk Typhoon often uses zero-day exploits, but the group has also been spotted gaining initial access via compromised credentials. This includes password spray attacks, passwords discovered by reconnaissance, and leaked credentials.
Once inside the target’s network, the attackers seek ways to expand their access, allowing them to move laterally and reach cloud environments. They have also been seen using stolen API keys to infiltrate downstream supply chain partners, as well as manipulating service principals and OAuth applications to exfiltrate data and escalate privileges via the MSGraph API.
To evade detection and obfuscate their attacks, Silk Typhoon relies on a covert network made up of compromised Cyberoam appliances, Zyxel routers, and QNAP devices, enabling the attackers to hide their malicious activity within legitimate IT infrastructure.
The Risk to Enterprises and Cloud Security
Cloud applications and remote management tools, like those targeted in Silk Typhoon’s latest attacks, are attractive to threat actors because they can enable lateral movement and provide access to a broader range of sensitive areas and resources beyond the on-premises network the attackers have infiltrated. In a hybrid IT environment, this means that an unpatched vulnerability in any application could act as the initial access point that lets attackers into the organization’s cloud environment.
While exploiting technical flaws like zero-day vulnerabilities is one of the group’s primary tactics for infiltration, the role of compromised credentials must not be downplayed. Poor password hygiene is disturbingly common, leading to repositories of stolen corporate credentials being leaked to the public, enabling widespread espionage campaigns.
Defensive Strategies: How Organizations Can Protect Themselves
To protect against attacks like this recent Silk Typhoon campaign, organizations should implement a range of security solutions and policies. Prioritizing patching and vulnerability management helps close commonly exploited weaknesses and shortens the window in which zero-day flaws, once disclosed, remain exploitable. Enforcing good password hygiene and mandatory multi-factor authentication (MFA) can protect against credential theft and compromise, which also commonly act as the initial access vector.
Beyond measures to prevent these attacks, organizations should also plan to limit the damage in case attackers manage to infiltrate the network. Employing a zero trust security model and continuous identity and access verification can hinder attackers from moving laterally or escalating their privileges, as can stronger service principal and application security. Cloud monitoring and threat detection solutions can surface anomalous activity early, so that an intrusion is detected before it spreads.
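As an added example that is not from the article or from Microsoft: the service principal and OAuth application abuse described earlier, and the recommendation above to monitor cloud identity activity, can be turned into a simple detection over audit events. The script assumes a simplified newline-delimited JSON schema (constructed here, not the real Entra ID export format) whose operation names mirror Entra audit activity names, plus an assumed watchlist of Microsoft Graph permissions; an app that both receives a new credential and is granted a high-risk permission is rated more severely than either signal alone.

```python
import json
from collections import defaultdict

# Microsoft Graph permissions treated as high-risk when consented to an app
# (assumed watchlist for this example; tune it to your tenant).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}

# Constructed sample of newline-delimited audit events in an assumed,
# simplified schema (not the real Entra ID audit log export format).
SAMPLE_AUDIT_LOG = """
{"time":"2025-01-10T02:14:05Z","operation":"Add service principal credentials","actor":"admin@contoso.example","target_app_id":"app-backup-sync"}
{"time":"2025-01-10T02:15:40Z","operation":"Consent to application","actor":"admin@contoso.example","target_app_id":"app-backup-sync","scopes":["Mail.Read","Directory.ReadWrite.All"]}
{"time":"2025-01-10T09:00:00Z","operation":"Consent to application","actor":"jdoe@contoso.example","target_app_id":"app-calendar-widget","scopes":["User.Read"]}
{"time":"2025-01-10T09:30:00Z","operation":"Update user","actor":"jdoe@contoso.example","target_app_id":""}
"""

def parse_events(text):
    """Parse one JSON object per line; blank or malformed lines are skipped."""
    events = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def find_suspicious_apps(events):
    """Map app id -> {"severity", "reasons"} for apps that gained a new credential or
    consent to a high-risk Graph scope; both on one app rates 'high' (Graph-as-app access)."""
    signals = defaultdict(list)            # app id -> [(kind, reason), ...]
    for ev in events:
        app, op = ev.get("target_app_id"), ev.get("operation")
        if not app:
            continue
        if op == "Add service principal credentials":
            signals[app].append(("credential",
                f"credential added by {ev.get('actor')} at {ev.get('time')}"))
        elif op == "Consent to application":
            risky = sorted(set(ev.get("scopes", [])) & HIGH_RISK_SCOPES)
            if risky:
                signals[app].append(("consent", "high-risk consent: " + ", ".join(risky)))
    results = {}
    for app, hits in signals.items():
        kinds = {kind for kind, _ in hits}
        severity = "high" if {"credential", "consent"} <= kinds else "medium"
        results[app] = {"severity": severity, "reasons": [r for _, r in hits]}
    return results
```

Run `find_suspicious_apps(parse_events(SAMPLE_AUDIT_LOG))` to see the backup-sync app flagged as high while the calendar widget, which only asked for User.Read, is left alone.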
Preparing for the Next Wave of Threats
Threat actors are always trying to develop new tactics to increase the efficiency of their attacks and evade known security measures, and organizations must take proactive cybersecurity measures to protect their networks, operations, and data. Microsoft Threat Intelligence continues to track Silk Typhoon activity and other threats, provide information about the threat actors’ tactics, goals, and capabilities, and offer tools and guidance for mitigation.
Looking ahead, it is crucial to follow threat intelligence to keep track of the most pressing risks and mitigations as they shift over time. Organizations are encouraged to continuously reassess and update their security strategies to use the most effective tools and methods to meet evolving attack techniques.