Full Report
The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications. The group's strategic aim is to gain initial access to victim organizations, allowing them to further infiltrate networks and perform sophisticated espionage operations. Since 2020, Silk Typhoon has become one of the most formidable Chinese state-backed threat actors. Their activities demonstrate a high level of resourcefulness and technical expertise, allowing them to exploit vulnerabilities rapidly. Their threat intelligence tactics are centered around discovering and leveraging zero-day vulnerabilities in information technology infrastructures, particularly public-facing devices that remain unpatched. Their swift operational tempo and opportunistic approach make them one of the most active and dangerous cyber espionage groups in the world. While Microsoft has not yet observed Silk Typhoon targeting their cloud services directly, the group exploits unpatched software applications to elevate their access and extend their reach across organizational networks. Once a victim is compromised, the group gains access to sensitive information and tools, using stolen credentials to abuse applications—some of which include Microsoft services—to meet their espionage objectives. Silk Typhoon Targets a Wide Range of Sectors The scope of Silk Typhoon’s attacks is expansive, targeting a variety of sectors, including information technology, defense, government, healthcare, energy, legal services, education, and non-governmental organizations (NGOs) across the globe. These attacks are not confined to any specific region, as Silk Typhoon has been observed targeting organizations in both the United States and internationally. Their activity suggests that the group is especially interested in sectors that hold sensitive data or play a critical role in global infrastructure. Their sophisticated understanding of cloud environments allows them to move laterally through victim networks with ease. This capability helps the group maintain persistence, escalate privileges, and exfiltrate valuable data rapidly. Microsoft Threat Intelligence has tracked the activities of Silk Typhoon since 2020, providing crucial insights into the group’s operational methods, which include using web shells to execute commands and persistently maintain access in compromised environments. Compromise of IT Supply Chains Recent research from Microsoft Threat Intelligence, which began tracking Silk Typhoon in late 2024, reveals new tactics employed by the group. One of the most interesting changes has been the group’s compromise of the IT supply chain, using stolen API keys and credentials to gain access to third-party service providers. These compromises have given Silk Typhoon a foothold into downstream customer environments. In particular, they have targeted sectors such as privileged access management (PAM), cloud app providers, and cloud data management companies. Once they gain access through these API keys, Silk Typhoon performs reconnaissance on victim devices and harvests valuable data. The group has specifically shown interest in information related to U.S. government policy, law enforcement investigations, and legal processes that are of strategic value to China’s geopolitical interests. Other methods employed by Silk Typhoon during their post-compromise activities include resetting admin accounts, implanting web shells, creating new users, and clearing system logs to hide their tracks. Password Spray and Abuse In addition to exploiting software vulnerabilities, Silk Typhoon has demonstrated proficiency in abusing weak password practices to gain access. The group has used password spray attacks, where attackers try commonly used passwords across many accounts, and other password abuse techniques. Silk Typhoon has also been observed conducting reconnaissance using publicly available data, such as leaked corporate passwords found on repositories like GitHub. The exploitation of these vulnerabilities often serves as the first step in Silk Typhoon’s attack chain, granting them initial access to victim environments. Once inside, they proceed with lateral movement tactics, utilizing compromised credentials and stealing data across both on-premises and cloud systems. Notably, Silk Typhoon has been observed targeting Microsoft AADConnect servers, which synchronize on-premises Active Directory with Azure Active Directory (AAD), allowing them to escalate privileges and move between environments. Cloud Environments and Data Exfiltration A key aspect of Silk Typhoon’s operations involves infiltrating cloud environments. Once the group has compromised an on-premises environment, they escalate their access to cloud environments by targeting service principals and OAuth applications with administrative permissions. This access enables them to steal email data via MSGraph API, and, in some cases, compromise Exchange Web Services (EWS) to steal email data. In some cases, Silk Typhoon has been seen creating Entra ID applications designed to mimic legitimate services within the environment, such as Office 365. These efforts are part of their broader strategy to exfiltrate data, move across different tenants, and conduct further espionage activities without detection. Conclusion Silk Typhoon's reliance on covert networks, such as the CovertNetwork, which includes compromised devices like Cyberoam appliances, Zyxel routers, and QNAP devices, enables them to obfuscate their activities and maintain a low profile while exfiltrating data from victim environments. As nations and organizations increasingly depend on cloud technologies and complex IT infrastructures, Silk Typhoon’s ability to exploit these systems highlights the need for better cybersecurity defenses.
Analysis Summary
# Threat Actor: Silk Typhoon
## Attribution & Identity
The threat actor/campaign is identified as **Silk Typhoon**. No specific nation-state attribution is provided in the context, but the activities suggest state-sponsored cyber espionage given the complexity and targeting focus.
## Activity Summary
Silk Typhoon is engaged in a cyber espionage campaign that focuses heavily on targeting the **IT supply chain**. The group moves laterally across compromised environments, steals data, and expands access into cloud systems. A key aspect of their recent activity involves targeting Microsoft AADConnect servers to synchronize on-premises credentials with Azure Active Directory (AAD), enabling privilege escalation and cross-environment movement. They are explicitly focused on maintaining a low profile while exfiltrating data.
## Tactics, Techniques & Procedures
- **Lateral Movement:** Utilizes this tactic across both on-premises and cloud systems.
- **Credential Theft:** Stealing and exploiting user credentials.
- **Privilege Escalation:** Achieved via compromising AADConnect servers.
- **Cloud Environment Infiltration:** Targeting service principals and OAuth applications with administrative permissions.
- **Data Exfiltration:** Stealing email data via MSGraph API and exploiting Exchange Web Services (EWS).
- **Invisibility Efforts:** Creating Entra ID applications designed to mimic legitimate services (e.g., Office 365) to maintain persistence and evade detection during data exfiltration and lateral movement across tenants.
## Targeting
- **Sectors:** IT Supply Chain (inferred by targeting IT infrastructure components).
- **Geography:** Not explicitly mentioned, but the focus on cloud infrastructure suggests global reach based on modern corporate dependency.
- **Victims:** Organizations utilizing complex IT infrastructures reliant on hybrid (on-premises and cloud) environments, specifically utilizing Microsoft synchronization utilities.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named in the provided context.
- **Infrastructure (C2, domains, IPs):** Relies on **covert networks** for obfuscation, specifically mentioning the **CovertNetwork**, which includes compromised devices such as:
- Cyberoam appliances
- Zyxel routers
- QNAP devices
## Implications
Silk Typhoon poses a significant threat due to its sophisticated ability to bridge on-premises and cloud environments via legitimate synchronization tools (AADConnect). Their use of compromised network appliances (Cyberoam, Zyxel, QNAP) within a covert network demonstrates a dedication to persistence and high levels of obfuscation, making detection difficult while they conduct long-term espionage. The targeting of cloud service principals and OAuth apps highlights a shift to targeting identity as the critical access vector in modern infrastructure.
## Mitigations
- **Audit and Secure AADConnect Servers:** Implement stringent security controls, monitoring, and patching for Microsoft AADConnect servers, as these are key footholds for privilege escalation.
- **Monitor Identity Privilege:** Scrutinize permissions on administrative service principals and OAuth applications within Azure/Entra ID.
- **Detect Malicious Application Creation:** Implement proactive monitoring within Entra ID to detect the creation of new applications mimicking legitimate services (e.g., Office 365 spoofs).
- **Monitor API Usage:** Watch for anomalous data retrieval patterns via MSGraph API and potentially EWS, particularly large-scale email data extraction.
- **Network Visibility:** Increase visibility and threat hunting across vulnerable network devices (hardware firewalls, routers, NAS devices like QNAP) which may be co-opted into covert command and control infrastructure.