
Microsoft reveals Silk Typhoon supply chain attack


China-backed espionage group Silk Typhoon is leveraging supply chain attacks against IT and cloud services providers to spy on downstream customers.

Microsoft Threat Intelligence published a report Wednesday exposing Silk Typhoon’s latest tactics, noting the group’s exploitation of zero-day vulnerabilities and its targeting of IT service providers. The latest targets include providers of privileged access management, cloud application and cloud data management services, all compromised with the aim of reaching those providers’ customer environments.

“Third party as an attack vector is reminiscent of high-profile supply chain breaches like SolarWinds and MOVEit. Threat actors recognize that exploiting a single vendor can open doors to a wide range of targets, making IT supply chains one of the biggest cybersecurity weak points,” SOCRadar chief security officer Ensar Seker told SC Media.

Silk Typhoon used stolen API keys and credentials belonging to the compromised IT services to perform reconnaissance and collect data from the customer devices reachable through that access. The group focused on data related to Chinese government interests, such as US government policy and information on law enforcement investigations.

The attackers also reset default admin accounts, implanted web shells, created additional users and cleared logs of their actions on victims’ devices. The majority of victims of these supply chain attacks, first observed in late 2024, were in state and local government and the IT sector.

“This development is yet another wake-up call that nation-state cyber operations are becoming more refined, leveraging trusted IT solutions to remain stealthy and persistent. Organizations must move beyond traditional perimeter defenses and adopt a proactive security posture to counter this evolving threat landscape,” said Seker.

Another recent tactic leveraged by Silk Typhoon is password abuse, including password spraying and theft of passwords leaked on public repositories such as GitHub.

In addition to supply chain compromise and password abuse as initial access vectors, Silk Typhoon has traditionally leveraged vulnerability exploits, including exploitation of zero-day flaws, to attack its victims.

In January 2025, the threat actor exploited CVE-2025-0282, a critical zero-day in Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances that enables unauthenticated remote code execution (RCE). The Microsoft Threat Intelligence Center discovered the exploitation and reported it to Ivanti, which quickly patched the flaw.

In 2024, Silk Typhoon exploited several edge-device flaws, including a command-injection zero-day in the GlobalProtect feature of Palo Alto Networks PAN-OS, tracked as CVE-2024-3400, and an unauthenticated RCE flaw in Citrix NetScaler ADC and NetScaler Gateway tracked as CVE-2023-3519. Since 2021 the group has also exploited multiple zero-days in Microsoft Exchange Server, including CVE-2021-26855 (ProxyLogon), CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

After initial compromise, Silk Typhoon often moves laterally from on-premises environments into the cloud. Tactics include escalating privileges by dumping Active Directory, stealing passwords from key vaults and targeting AADConnect (now Entra Connect) servers, which synchronize on-premises Active Directory with Entra ID and so bridge the two environments.

The threat actor also uses covert networks to hide its activity and abuses service principals and OAuth applications to gain administrative permissions over email, OneDrive and SharePoint. Silk Typhoon frequently uses Microsoft Graph to exfiltrate data from these and other Microsoft services.

Microsoft recommends that organizations patch the vulnerabilities Silk Typhoon targets, such as CVE-2025-0282, and establish strong identity and permission controls to prevent abuse of legitimate components such as Entra Connect and Microsoft Graph. Robust password hygiene and multi-factor authentication (MFA) are also recommended.

Administrators can also hunt for Silk Typhoon activity by inspecting activity related to Entra Connect, Microsoft Graph, multi-tenant application authentications, newly created users and applications, and virtual private network (VPN) changes and sign-ins.
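As an added illustration (not code from Microsoft’s report or from SC Media), the following Python script runs the “newly created users and applications” part of that hunt over a constructed, flattened sample of Entra ID audit records. The field names and operation names are assumptions modelled on the Entra audit log export, and the list of high-risk Graph permissions is one reasonable set of tenant-wide scopes rather than a Microsoft-published list.

```python
"""Hunt Entra ID audit records for the identity abuse described in the article.

Added example, not code from Microsoft or SC Media. The log below is constructed
and uses a trimmed, flattened subset of the Entra audit log export: real records
nest initiatedBy/targetResources/modifiedProperties, and the operation names
used here ("Add user", "Add member to role", "Consent to application",
"Add service principal credentials") are assumed to match your export.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Graph application permissions that give an app tenant-wide reach into mail,
# OneDrive/SharePoint or the directory itself (the access Silk Typhoon abuses).
# Assumed set for this example; tune it to your tenant.
HIGH_RISK_GRAPH_SCOPES = {
    "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
}

# Constructed sample log: one JSON object per line, flattened for readability.
CONSTRUCTED_AUDIT_LOG = r"""
{"time": "2025-01-14T02:10:05Z", "operationName": "Add user", "initiatedBy": "admin@contoso.example", "target": "svc-backup@contoso.example"}
{"time": "2025-01-14T02:12:40Z", "operationName": "Add member to role", "initiatedBy": "admin@contoso.example", "target": "svc-backup@contoso.example", "role": "Global Administrator"}
{"time": "2025-01-14T02:15:11Z", "operationName": "Add service principal credentials", "initiatedBy": "svc-backup@contoso.example", "target": "Contoso Mail Sync"}
{"time": "2025-01-14T02:16:00Z", "operationName": "Consent to application", "initiatedBy": "svc-backup@contoso.example", "target": "Contoso Mail Sync", "permissions": ["Mail.Read", "Files.Read.All", "User.Read"]}
{"time": "2025-01-14T09:30:00Z", "operationName": "Add user", "initiatedBy": "hr-sync", "target": "jdoe@contoso.example"}
{"time": "2025-01-14T09:31:00Z", "operationName": "Consent to application", "initiatedBy": "jdoe@contoso.example", "target": "Contoso Timesheets", "permissions": ["User.Read", "offline_access"]}
{"time": "2025-01-16T11:00:00Z", "operationName": "Add member to role", "initiatedBy": "admin@contoso.example", "target": "jdoe@contoso.example", "role": "Helpdesk Administrator"}
"""


def parse_audit_log(text: str) -> list[dict]:
    """Parse JSON-lines audit records and return them oldest first."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def hunt(records: list[dict], role_window_s: int = 3600, fresh_window_s: int = 86400) -> list[dict]:
    """Return findings, in time order, for three patterns:

    new-user-rapid-role  - a user receives a directory role within role_window_s of creation
    app-credential-added - a secret or certificate is added to a service principal
    high-risk-consent    - an app is granted Graph scopes from HIGH_RISK_GRAPH_SCOPES

    App findings also record whether the actor is an account created within fresh_window_s,
    which ties "new user" and "new application" events together.
    """
    role_window = timedelta(seconds=role_window_s)
    fresh_window = timedelta(seconds=fresh_window_s)
    created_at: dict[str, datetime] = {}
    findings: list[dict] = []

    def actor_is_new(rec: dict) -> bool:
        born = created_at.get(rec["initiatedBy"])
        return born is not None and rec["time"] - born <= fresh_window

    for rec in records:
        op, target = rec["operationName"], rec["target"]
        if op == "Add user":
            created_at[target] = rec["time"]
        elif op == "Add member to role":
            born = created_at.get(target)
            if born is not None and rec["time"] - born <= role_window:
                findings.append({"rule": "new-user-rapid-role", "time": rec["time"],
                                 "account": target, "role": rec.get("role"), "by": rec["initiatedBy"]})
        elif op == "Add service principal credentials":
            findings.append({"rule": "app-credential-added", "time": rec["time"], "app": target,
                             "by": rec["initiatedBy"], "by_new_account": actor_is_new(rec)})
        elif op == "Consent to application":
            risky = sorted(set(rec.get("permissions", [])) & HIGH_RISK_GRAPH_SCOPES)
            if risky:
                findings.append({"rule": "high-risk-consent", "time": rec["time"], "app": target,
                                 "scopes": risky, "by": rec["initiatedBy"],
                                 "by_new_account": actor_is_new(rec)})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_audit_log(CONSTRUCTED_AUDIT_LOG)):
        details = {k: v for k, v in f.items() if k not in ("time", "rule")}
        print(f["time"].isoformat(), f["rule"], details)
```

On the sample the script flags the svc-backup chain (new account made Global Administrator within minutes, then adding a credential to and consenting Mail.Read plus Files.Read.All for an app) and ignores the routine HR-created user whose only consent is User.Read. In a real tenant the same logic maps onto the AuditLogs table in Log Analytics, while the sign-in and Graph activity logs cover the remaining items on Microsoft’s list, multi-tenant application authentications and VPN sign-ins.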
