IT Supply Chains Hit by China's Silk Typhoon
STACK Cybersecurity
Leading MSSP | Formerly AM Data Service | Cybersecurity Expertise for Today's Threats
China-Linked Hacker Cartel Expands Cyber Attacks Again
Severity: Medium
The China-linked threat actor Silk Typhoon, formerly known as Hafnium, has evolved its tactics to target the IT supply chain for initial access to corporate networks. According to a recent report from the Microsoft Threat Intelligence team, Silk Typhoon now actively targets remote management tools, cloud applications, and IT service providers. By compromising these solutions, the group can infiltrate downstream customer networks, gaining access to sensitive systems and data.
Silk Typhoon has been observed using stolen credentials and API keys to move laterally across networks and execute supply chain attacks. The group focuses on privileged access management credentials and API keys from cloud service providers and cloud data management firms, enabling extensive reconnaissance and data collection on targeted infrastructure. Their attacks impact sectors such as IT services, managed service providers, remote monitoring and management firms, healthcare, legal services, higher education, defense, government, non-governmental organizations, and the energy sector, both in the United States and internationally.
Since late 2024, Silk Typhoon has demonstrated an advanced understanding of cloud environments, exploiting zero-day vulnerabilities and using password spray attacks to gain initial access. The group has been linked to high-profile exploits, including CVE-2025-0282 (Ivanti Pulse Connect VPN), CVE-2024-3400 (Palo Alto Networks firewall), CVE-2023-3519 (Citrix NetScaler ADC and NetScaler Gateway), and the ProxyLogon vulnerabilities in Microsoft Exchange Server. Once inside a compromised environment, the threat actor moves laterally from on-premises systems to cloud platforms, abusing OAuth applications with administrative permissions to extract data from email, OneDrive, and SharePoint via the MSGraph API.
To evade detection, Silk Typhoon relies on a "CovertNetwork" infrastructure, composed of compromised Cyberoam appliances, Zyxel routers, and QNAP devices. The group also deploys web shells within victim environments to maintain persistence, execute commands, and exfiltrate data. Microsoft warns that Silk Typhoon’s growing focus on cloud infrastructure and IT supply chains, coupled with its ability to rapidly exploit zero-day vulnerabilities, makes it a highly adaptable and resourceful threat actor with global implications.
Mitigation: To help detect and mitigate Silk Typhoon's activity, Microsoft recommends ensuring all public-facing devices are patched and validating that any Ivanti Pulse Connect VPN appliances are patched against CVE-2025-0282. Defend against abuse of legitimate applications and service principals by establishing strong controls over, and monitoring of, these security identities. Implement the Azure Security Benchmark and general best practices for securing identity infrastructure.
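As an added illustration of the service-principal monitoring this mitigation calls for (example code written for this page, not Microsoft's or STACK Cybersecurity's tooling), the script below scans a constructed, simplified set of Entra ID audit records and flags permission grants that would give one application the mailbox, OneDrive and SharePoint reach described above. The permission names, activity strings and record layout are assumptions for the example.

```python
from collections import defaultdict

# Microsoft Graph application permissions (tenant-wide, no signed-in user) that
# expose mailboxes, OneDrive and SharePoint, the data sources the report names.
# The set is chosen for this example, not a Microsoft-published list.
HIGH_RISK_APP_ROLES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All",
}
# Activity names modelled on Entra ID audit-log entries (assumed spellings).
ROLE_GRANT = "Add app role assignment to service principal"
SECRET_ADD = "Update application - Certificates and secrets management"

# Constructed, simplified audit-log records (real exports carry more fields).
SAMPLE_AUDIT_LOG = [
    {"time": "2025-03-05T01:58Z", "activity": ROLE_GRANT, "initiator": "it-admin@contoso.example",
     "initiator_type": "user", "target": "HR-Portal", "value": "User.Read"},
    {"time": "2025-03-05T02:14Z", "activity": ROLE_GRANT, "initiator": "it-admin@contoso.example",
     "initiator_type": "user", "target": "BackupSync", "value": "Mail.Read"},
    {"time": "2025-03-05T02:15Z", "activity": ROLE_GRANT, "initiator": "it-admin@contoso.example",
     "initiator_type": "user", "target": "BackupSync", "value": "Files.Read.All"},
    {"time": "2025-03-05T02:16Z", "activity": ROLE_GRANT, "initiator": "it-admin@contoso.example",
     "initiator_type": "user", "target": "BackupSync", "value": "Sites.Read.All"},
    {"time": "2025-03-05T02:20Z", "activity": SECRET_ADD, "initiator": "BackupSync",
     "initiator_type": "servicePrincipal", "target": "BackupSync", "value": "Password"},
]

def find_risky_app_activity(records):
    """Return (time, rule, target) findings for the three rules below."""
    findings = []
    roles_per_target = defaultdict(set)
    for r in records:
        # Rule 1: a high-risk Graph application permission granted to an app.
        if r["activity"] == ROLE_GRANT and r["value"] in HIGH_RISK_APP_ROLES:
            findings.append((r["time"], "high-risk-app-role", r["target"]))
            roles_per_target[r["target"]].add(r["value"])
        # Rule 2: a service principal (not an admin) adding a credential to an
        # application, the shape of app-to-app persistence.
        if r["activity"] == SECRET_ADD and r["initiator_type"] == "servicePrincipal":
            findings.append((r["time"], "sp-added-credential", r["target"]))
    # Rule 3: one app accumulating three or more high-risk data permissions.
    for target, roles in roles_per_target.items():
        if len(roles) >= 3:
            findings.append(("-", "broad-data-access", target))
    return findings

if __name__ == "__main__":
    for finding in find_risky_app_activity(SAMPLE_AUDIT_LOG):
        print(*finding)
```

Feed it a real export by mapping the audit log's activity, initiator type, target service principal and granted value onto the same keys; the single legitimate `User.Read` grant produces no finding.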
SIEM and SASE Solutions: Integrating Security Information and Event Management (SIEM) and Secure Access Service Edge (SASE) solutions can significantly enhance your organization's defense against advanced threats like Silk Typhoon. SIEM provides comprehensive visibility, real-time monitoring, and automated incident response, while SASE offers a unified security framework, zero-trust principles, secure remote access, and data protection capabilities. STACK Cybersecurity uses these tools to protect our cybersecurity clients.
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.