
Microsoft Threat Intelligence has identified a tactical shift by Silk Typhoon, a China-linked cyber espionage group that is now targeting IT supply chains. The group has exploited remote management software and cloud applications to infiltrate organisations, leveraging unpatched vulnerabilities in widely used applications. While Microsoft's own cloud services have not been directly attacked, the group has used stolen credentials and API keys to move laterally within compromised networks, abusing legitimately provisioned access to Microsoft services and other applications.
Silk Typhoon has been observed rapidly exploiting newly discovered vulnerabilities, targeting IT service providers, remote monitoring firms, managed service providers, healthcare, legal institutions, universities, defence agencies, government bodies, and energy firms. Victims have been identified across multiple regions, including the US.
Since 2020, Microsoft has tracked the group's use of web shells to execute commands, maintain access, and exfiltrate sensitive data. According to Microsoft's report, the group's deep understanding of cloud infrastructure allows it to move laterally within compromised environments while remaining undetected.
Redmond noted that since late 2024, Silk Typhoon has increasingly targeted IT supply chains by abusing stolen API keys and credentials from cloud service providers and privileged access management tools. These credentials enable access to downstream customers of initially breached organisations. Once an API key is obtained, the group conducts reconnaissance, gathers sensitive data, and executes administrative actions, such as resetting administrator accounts, installing web shells, creating unauthorised users, and erasing logs. Microsoft has identified state and local government agencies and IT firms among the primary targets.
The group has also used password spraying attacks and exposed corporate credentials to gain access, often sourcing login information from public repositories such as GitHub. In early 2025, Microsoft detected Silk Typhoon exploiting a zero-day vulnerability (CVE-2025-0282) in Ivanti Connect Secure VPN (formerly Pulse Connect Secure) and reported it to Ivanti, which led to a rapid fix.
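Password spraying has a recognisable shape in sign-in telemetry: one source address fails against many distinct accounts within a short window, with only one or two attempts per account, and any later success from that address is the account that was hit. The following detector is an added example, not code from the Microsoft report or from this article. It runs over constructed records shaped like Entra ID sign-in log entries (userPrincipalName, ipAddress, createdDateTime, status.errorCode); the sample data, the set of failure codes treated as credential guesses, and the thresholds are assumptions for the illustration.

```python
"""Password-spray detector over Entra ID-style sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Error codes treated as a credential guess rather than a successful sign-in.
# 50126 = invalid username or password, 50053 = account locked. This set is an
# assumption for the example; tune it against your own tenant's sign-in codes.
FAILED_CREDENTIAL_CODES = {50126, 50053}


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps the sign-in log uses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_password_spray(events, window=timedelta(hours=1),
                          min_users=5, max_per_user=3):
    """Return {ip: stats} for source IPs whose failures inside any sliding
    window touch at least `min_users` distinct accounts while never exceeding
    `max_per_user` attempts against any single account (the spray signature,
    as opposed to a brute force against one account)."""
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] in FAILED_CREDENTIAL_CODES:
            failures[e["ipAddress"]].append((_ts(e["createdDateTime"]),
                                             e["userPrincipalName"]))
    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        j = 0
        for i in range(len(fails)):
            # advance the right edge of the window; j only ever moves forward
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            per_user = defaultdict(int)
            for _, upn in fails[i:j]:
                per_user[upn] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                best = findings.get(ip)
                if best is None or len(per_user) > best["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(per_user),
                        "attempts": j - i,
                        "first": fails[i][0].isoformat(),
                        "last": fails[j - 1][0].isoformat(),
                    }
    return findings


def successes_from_spraying_ips(events, findings):
    """Accounts that signed in successfully from an IP flagged as spraying:
    these are the credentials the spray actually guessed."""
    return sorted({(e["ipAddress"], e["userPrincipalName"]) for e in events
                   if e["ipAddress"] in findings and e["status"]["errorCode"] == 0})


def _ev(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: 203.0.113.10 sprays six accounts (alice twice) and then
# signs in as erin; 198.51.100.7 hammers one account; 192.0.2.5 is a normal user.
SAMPLE_EVENTS = [
    _ev("2025-03-05T10:00:00Z", "alice@example.com", "203.0.113.10", 50126),
    _ev("2025-03-05T10:03:00Z", "bob@example.com", "203.0.113.10", 50126),
    _ev("2025-03-05T10:06:00Z", "carol@example.com", "203.0.113.10", 50126),
    _ev("2025-03-05T10:09:00Z", "dave@example.com", "203.0.113.10", 50126),
    _ev("2025-03-05T10:12:00Z", "erin@example.com", "203.0.113.10", 50126),
    _ev("2025-03-05T10:15:00Z", "frank@example.com", "203.0.113.10", 50053),
    _ev("2025-03-05T10:18:00Z", "alice@example.com", "203.0.113.10", 50126),
    _ev("2025-03-05T10:20:00Z", "erin@example.com", "203.0.113.10", 0),
] + [
    _ev(f"2025-03-05T10:0{m}:00Z", "bob@example.com", "198.51.100.7", 50126)
    for m in range(8)
] + [
    _ev("2025-03-05T10:05:00Z", "alice@example.com", "192.0.2.5", 0),
]

if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_EVENTS)
    for ip, stats in hits.items():
        print(f"spray from {ip}: {stats}")
    for ip, upn in successes_from_spraying_ips(SAMPLE_EVENTS, hits):
        print(f"successful sign-in from spraying IP {ip}: {upn} (reset and review)")
```

The brute-force source is deliberately not reported: a single account failing repeatedly is a different alert (lockout or credential stuffing) and mixing the two hides the spray pattern. In production the same logic applies to IPs aggregated by ASN or to user-agent strings, since Silk Typhoon is reported to route through proxies and compromised edge devices rather than a single address.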
Once inside, Silk Typhoon moves from on-premises environments to cloud infrastructure, accessing Active Directory data, retrieving stored passwords, and escalating privileges. They have also targeted Microsoft Entra Connect servers (formerly Azure AD Connect, or AADConnect), which synchronise on-premises Active Directory with Entra ID, to gain control over both cloud and on-premises identities.
Further analysis has revealed that Silk Typhoon manipulates service principals and OAuth applications with administrative permissions to extract data from OneDrive, SharePoint, and email accounts using Microsoft Graph API. The group has also compromised multi-tenant applications, extending access across multiple organisations. In cases where targeted applications had permissions to Exchange Web Services, email data was extracted. Additionally, Silk Typhoon has created deceptive Entra ID applications mimicking Office 365 services to blend into corporate environments.
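The abuse described above leaves a footprint in the tenant's own directory: a service principal whose display name imitates a Microsoft workload, whose publisher is unverified and whose owning tenant is not one the organisation trusts, holding application permissions that read mail, OneDrive and SharePoint through Graph or Exchange Web Services. The audit below is an added example, not code from the Microsoft report or from this article. It runs over constructed records that mirror a few fields of the Graph `servicePrincipal` object (displayName, appId, appOwnerOrganizationId, verifiedPublisher, signInAudience); the `grantedAppRoles` field, which here carries already-resolved permission names, the trusted tenant IDs and the appIds are assumptions for the illustration.

```python
"""Audit of Entra ID service principals for Office 365 lookalikes and
over-privileged data-access grants (added example)."""
import re

# Application (not delegated) permissions that let an app read a tenant's
# mailboxes, files and directory without any user present. Assumed set.
HIGH_IMPACT_APP_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All",
    "full_access_as_app",  # Exchange Web Services application permission
}

# Words a fake "Office 365" app would use to blend in. Assumed list.
MICROSOFT_LOOKALIKE_TERMS = ("office 365", "office365", "microsoft", "exchange",
                             "sharepoint", "onedrive", "graph", "azure")


def _normalise(name):
    """Lowercase and collapse all Unicode whitespace (including non-breaking
    spaces) so that padding tricks do not defeat the substring match."""
    return re.sub(r"\s+", " ", name).strip().lower()


def audit_service_principals(sps, trusted_owner_tenants):
    """Return one finding per suspicious service principal with the reasons.
    High-impact permissions are always surfaced for review; the lookalike and
    multi-tenant checks fire only for untrusted owners."""
    findings = []
    for sp in sps:
        reasons = []
        name = _normalise(sp["displayName"])
        owner = sp.get("appOwnerOrganizationId")
        untrusted = owner not in trusted_owner_tenants
        risky = HIGH_IMPACT_APP_PERMISSIONS & set(sp.get("grantedAppRoles", []))
        lookalike = any(term in name for term in MICROSOFT_LOOKALIKE_TERMS)

        if lookalike and untrusted and not sp.get("verifiedPublisher"):
            reasons.append("Microsoft-lookalike name from an untrusted, "
                           "unverified publisher")
        if risky:
            reasons.append("high-impact application permissions: "
                           + ", ".join(sorted(risky)))
        if risky and untrusted and sp.get("signInAudience") == "AzureADMultipleOrgs":
            reasons.append("multi-tenant app from another tenant holds "
                           "data-access permissions")
        if reasons:
            findings.append({"appId": sp["appId"],
                             "displayName": sp["displayName"],
                             "reasons": reasons})
    return findings


# Constructed tenant IDs: the organisation's own tenant is trusted.
HOME_TENANT = "00000000-0000-0000-0000-00000000aaaa"
TRUSTED_OWNER_TENANTS = {HOME_TENANT}

# Constructed sample principals (appIds are placeholders, not real GUIDs).
SAMPLE_SERVICE_PRINCIPALS = [
    {   # lookalike from an unknown tenant with mailbox and EWS access
        "displayName": "Office 365  Exchange Online Sync",
        "appId": "app-fake-o365",
        "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000bbbb",
        "verifiedPublisher": None,
        "signInAudience": "AzureADMultipleOrgs",
        "grantedAppRoles": ["Mail.Read", "full_access_as_app", "User.Read.All"],
    },
    {   # in-house line-of-business app with delegated-style low permissions
        "displayName": "Contoso HR Portal",
        "appId": "app-hr-portal",
        "appOwnerOrganizationId": HOME_TENANT,
        "verifiedPublisher": None,
        "signInAudience": "AzureADMyOrg",
        "grantedAppRoles": ["User.Read"],
    },
    {   # legitimate but powerful: still worth a periodic review
        "displayName": "Backup Connector",
        "appId": "app-backup",
        "appOwnerOrganizationId": HOME_TENANT,
        "verifiedPublisher": None,
        "signInAudience": "AzureADMyOrg",
        "grantedAppRoles": ["Files.Read.All", "Sites.Read.All"],
    },
]

if __name__ == "__main__":
    for f in audit_service_principals(SAMPLE_SERVICE_PRINCIPALS, TRUSTED_OWNER_TENANTS):
        print(f["displayName"], f["appId"])
        for r in f["reasons"]:
            print("  -", r)
```

Resolving `grantedAppRoles` from a live tenant means joining each service principal's `appRoleAssignments` against the `appRoles` of the resource (Microsoft Graph or Office 365 Exchange Online) to turn role IDs into names; that lookup is omitted here so the example runs offline. The lookalike check is intentionally crude: its value is not in catching every fake but in guaranteeing that any app named after a Microsoft service that was not published by a trusted tenant gets a human's eyes on it.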
To evade detection, the group has used a covert network of compromised Cyberoam appliances, Zyxel routers, and QNAP devices, a tactic increasingly common among advanced cyber actors.
Exploiting vulnerabilities in enterprise systems
“Silk Typhoon is not known to use their own dedicated infrastructure in their operations,” stated the Microsoft Threat Intelligence report. “Typically, the threat actor uses compromised covert networks, proxies, and VPNs for infrastructure, likely to obfuscate their operations. However, they have also been observed using short-lease virtual private server (VPS) infrastructure to support their operations.”
Silk Typhoon has actively exploited security flaws in Microsoft Exchange, Palo Alto Networks GlobalProtect firewalls, Citrix NetScaler, and Ivanti Pulse Connect Secure. In 2024, the group exploited CVE-2024-3400, a command-injection flaw in the GlobalProtect feature of Palo Alto Networks' PAN-OS, enabling unauthenticated remote code execution. Other attacks targeted Citrix NetScaler ADC and NetScaler Gateway through CVE-2023-3519, an unauthenticated remote code execution bug. The group has also leveraged the Microsoft Exchange vulnerabilities CVE-2021-26855 (the ProxyLogon server-side request forgery) and CVE-2021-26857 (an insecure deserialisation flaw) to escalate privileges and maintain access.