Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain

Microsoft Threat Intelligence has issued a warning about Silk Typhoon, a Chinese espionage group that has recently shifted its tactics to target common IT solutions, including remote management tools and cloud applications, for initial access.

The group, known for its large targeting footprint and quick exploitation of zero-day vulnerabilities, has been observed attacking a wide range of sectors globally, with a focus on IT services, remote monitoring and management companies, and managed service providers.

Chinese Espionage Group Shifts Tactics to Target Remote Management Tools and Cloud Applications

Since late 2024, Silk Typhoon has been abusing stolen API keys and credentials associated with privileged access management, cloud app providers, and cloud data management companies.

This approach allows the threat actor to access downstream customer environments of initially compromised companies.

The group has demonstrated proficiency in understanding cloud environment configurations, enabling them to move laterally, maintain persistence, and exfiltrate data rapidly.

Supply Chain Compromise and Credential Abuse

In addition to API key abuse, Silk Typhoon has gained initial access through successful password spray attacks and other password abuse techniques.

The group has leveraged leaked corporate passwords from public repositories, highlighting the importance of robust password hygiene and multi-factor authentication.

Once inside a victim’s network, Silk Typhoon employs various tactics to move laterally from on-premises environments to cloud environments.

These include dumping Active Directory, stealing passwords from key vaults, and escalating privileges.

The group has also been observed targeting Microsoft AAD Connect (now Entra Connect) servers, which synchronize identities between on-premises Active Directory and the cloud and could therefore give them access to both environments.

Silk Typhoon has shown a pattern of manipulating service principals and OAuth applications with administrative permissions to perform data exfiltration via Microsoft Graph API.

The actors have been seen gaining access to existing applications within compromised tenants, adding their own passwords, and using this access to steal email information.

To obfuscate their activities, Silk Typhoon uses covert networks made up of compromised devices, including Cyberoam appliances, Zyxel routers, and QNAP devices.

Microsoft has provided extensive hunting guidance and recommendations to help organizations detect and mitigate Silk Typhoon’s activities.

These include inspecting log activity related to Entra Connect servers, analyzing newly created applications, and scrutinizing multi-tenant application authentications.
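As an added illustration (not code from Microsoft's report or from this article), the script below triages constructed Entra ID audit records for two of the behaviours described above: credentials added to existing applications by identities outside an approved set, and newly created applications. The field and operation names are assumptions that approximate the audit log schema, and the approved-admin list is a placeholder.

```python
import json

# Constructed sample of Entra ID audit records in JSON-lines form. Field names
# and operation names are simplified assumptions, not a verbatim export.
SAMPLE_AUDIT_LOG = """
{"activityDateTime":"2025-03-05T02:14:09Z","activityDisplayName":"Update application - Certificates and secrets management","category":"ApplicationManagement","initiatedBy":"svc-backup@example.com","targetApp":"Mail Archiver"}
{"activityDateTime":"2025-03-05T02:15:40Z","activityDisplayName":"Add service principal credentials","category":"ApplicationManagement","initiatedBy":"svc-backup@example.com","targetApp":"Mail Archiver"}
{"activityDateTime":"2025-03-05T09:00:00Z","activityDisplayName":"Add application","category":"ApplicationManagement","initiatedBy":"appadmin@example.com","targetApp":"HR Portal"}
{"activityDateTime":"2025-03-05T10:30:00Z","activityDisplayName":"Update user","category":"UserManagement","initiatedBy":"helpdesk@example.com","targetApp":null}
"""

# Operations that attach a new secret or certificate to an existing app
# registration or service principal (the "adding their own passwords" pattern).
CREDENTIAL_OPS = {
    "Update application - Certificates and secrets management",
    "Add service principal credentials",
}
# Operations that register a brand-new application or service principal.
NEW_APP_OPS = {"Add application", "Add service principal"}
# Placeholder allow-list: identities expected to manage app credentials.
APPROVED_APP_ADMINS = {"appadmin@example.com"}


def parse_audit_log(text):
    """Parse JSON-lines audit export into a list of record dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def triage(records):
    """Return findings for credential additions by unexpected actors and new apps."""
    findings = []
    for rec in records:
        if rec.get("category") != "ApplicationManagement":
            continue  # user/group changes are out of scope for this check
        op = rec.get("activityDisplayName", "")
        actor = rec.get("initiatedBy", "")
        base = {"time": rec["activityDateTime"], "actor": actor, "app": rec.get("targetApp"), "op": op}
        if op in CREDENTIAL_OPS and actor not in APPROVED_APP_ADMINS:
            findings.append({**base, "severity": "high",
                             "reason": "credential added to existing app by non-approved identity"})
        elif op in NEW_APP_OPS:
            findings.append({**base, "severity": "review",
                             "reason": "new application registered; confirm owner and permissions"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f["severity"], f["time"], f["actor"], f["app"], "-", f["reason"])
```

In practice the records would come from an Entra audit export or a SIEM query, and the allow-list from the tenant's change-management records rather than a hard-coded set.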

As the threat landscape continues to evolve, organizations must remain vigilant and implement robust security measures to protect against sophisticated actors like Silk Typhoon.

Microsoft’s detailed report serves as a crucial resource for cybersecurity professionals and IT administrators in fortifying their defenses against these emerging threats.
