The China-based threat actor responsible for the zero-day exploitation of security vulnerabilities in Microsoft Exchange servers in January 2021 has altered its strategy to target the information technology (IT) supply chain, enabling them to gain initial access to corporate networks.
According to recent findings from the Microsoft Threat Intelligence team, the Silk Typhoon (formerly known as Hafnium) hacking group is now focusing on IT solutions such as remote management tools and cloud applications to establish a foothold.
“After successfully compromising a victim, Silk Typhoon utilizes the stolen keys and credentials to infiltrate customer networks, where they can then abuse various deployed applications, including Microsoft services and others, to achieve their espionage objectives,” the tech giant stated in a report published today.
The adversarial collective is assessed to be “well-resourced and technically efficient,” rapidly leveraging exploits for zero-day vulnerabilities in edge devices for opportunistic attacks, allowing them to scale their attacks across a wide range of sectors and regions.
This includes information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), energy, and others located in the United States and worldwide.
Silk Typhoon has also been observed relying on various web shells to achieve command execution, persistence, and data exfiltration from victim environments. Additionally, they have demonstrated a keen understanding of cloud infrastructure, allowing them to move laterally and harvest data of interest.
Since late 2024, the attackers have been linked to a new set of methods, primarily involving the abuse of stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies to conduct supply chain compromises of downstream customers.
“Leveraging access obtained via the API key, the actor performed reconnaissance and data collection on targeted devices via an admin account,” Microsoft said, adding that targets of this activity primarily encompassed the state and local government, as well as the IT sector.
Some of the other initial access routes adopted by Silk Typhoon include the zero-day exploitation of a security flaw in Ivanti Pulse Connect VPN (CVE-2025-0282) and the use of password spray attacks using enterprise credentials surfaced from leaked passwords on public repositories hosted on GitHub and others.
Also exploited by the threat actor as a zero-day are –
- CVE-2024-3400, a command injection flaw in Palo Alto Networks firewalls
- CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway
- CVE-2021-26855 (also known as ProxyLogon), CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, a set of vulnerabilities impacting Microsoft Exchange Server
A successful initial access is followed by the threat actor taking steps to move laterally from on-premises environments to cloud environments and leveraging OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via the MSGraph API.
In an attempt to obfuscate the origin of their malicious activities, Silk Typhoon relies on a “CovertNetwork” comprising compromised Cyberoam appliances, Zyxel routers, and QNAP devices, a hallmark of several Chinese state-sponsored actors.
“During recent activities and historical exploitation of these appliances, Silk Typhoon utilized a variety of web shells to maintain persistence and to allow the actors to remotely access victim environments,” Microsoft said.
