Security researchers have identified a shift in tactics by the Chinese espionage group Silk Typhoon, also known as Hafnium. According to Microsoft Threat Intelligence, the group is increasingly using common IT solutions such as remote management tools and cloud applications to gain initial access to targeted networks. While they have not directly targeted Microsoft cloud services, Silk Typhoon has been exploiting unpatched applications to escalate privileges and infiltrate networks.
Silk Typhoon, known for being a well-resourced and technically adept state-sponsored threat actor, has one of the largest targeting footprints among Chinese espionage groups. Their operations have affected a wide range of sectors including IT services, healthcare, government agencies, and higher education institutions across the US and beyond.
Recent activities by Silk Typhoon include abusing stolen API keys and credentials from privileged access management (PAM) systems, cloud application providers, and cloud data management companies. By leveraging these stolen credentials, the group has managed to infiltrate downstream customer environments, conduct reconnaissance, and exfiltrate sensitive data related to US government policy and legal processes.
Another tactic employed by Silk Typhoon involves password spray attacks and other credential abuse methods. The group scans public repositories like GitHub for leaked corporate passwords and has used them to authenticate successfully to corporate accounts. This highlights the critical importance of strong password hygiene and multi-factor authentication (MFA) in safeguarding against such attacks.
Moreover, Silk Typhoon has also been exploiting zero-day vulnerabilities, such as the one discovered in the Ivanti Pulse Connect VPN (CVE-2025-0282), which Microsoft reported in January 2025. The group has been targeting identity management, privileged access management, and remote monitoring solutions to gain footholds within IT providers and managed service environments.
Once inside a network, Silk Typhoon moves laterally by stealing credentials, compromising Active Directory, targeting Microsoft AADConnect servers, manipulating service principals and OAuth applications, and exfiltrating data from Microsoft services like OneDrive, SharePoint, and Exchange. To conceal their activities, the group uses covert networks comprising compromised Cyberoam appliances, Zyxel routers, and QNAP devices, aligning with broader trends among Chinese threat actors seeking to disguise their operations.
In response to the threat posed by Silk Typhoon, Microsoft has issued guidance to help organizations mitigate risks associated with the group. Recommendations include patching all public-facing devices, securing privileged accounts, monitoring for anomalous activity, auditing service principals, scrutinizing multi-tenant applications, and enforcing zero-trust principles to limit exposure.
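As an added illustration of the service-principal auditing recommended above (example code written for this summary, not Microsoft's guidance or tooling), the script below triages a Microsoft Graph export of service principals for credentials added within a recent window and for multi-tenant applications owned by another tenant, both patterns consistent with the OAuth-application manipulation described above. Field names follow the Graph `servicePrincipal` resource; the tenant ID, export contents and timestamps are constructed sample data.

```python
# Added example: triage a Graph servicePrincipals export for recently added
# credentials and foreign-owned multi-tenant apps. Not Microsoft's code.
import json
from datetime import datetime, timedelta, timezone

HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # constructed: our tenant id
NOW = datetime(2025, 3, 6, tzinfo=timezone.utc)         # fixed clock for a repeatable run

# Constructed sample shaped like a Graph /servicePrincipals response.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "Backup Sync", "appId": "00000000-0000-0000-0000-0000000000a1",
     "appOwnerOrganizationId": HOME_TENANT, "signInAudience": "AzureADMyOrg",
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2024-01-10T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "Helpdesk Connector", "appId": "00000000-0000-0000-0000-0000000000b2",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "signInAudience": "AzureADMultipleOrgs",
     "passwordCredentials": [{"keyId": "k2", "startDateTime": "2025-03-04T09:30:00Z"}],
     "keyCredentials": [{"keyId": "k3", "startDateTime": "2025-03-05T11:00:00Z"}]},
]})


def _parse_time(ts):
    # Graph emits RFC 3339 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_service_principals(export_json, home_tenant=HOME_TENANT, now=NOW, window_days=30):
    """Return (displayName, reason) findings worth a human review."""
    findings = []
    cutoff = now - timedelta(days=window_days)
    for sp in json.loads(export_json)["value"]:
        name = sp["displayName"]
        owner = sp.get("appOwnerOrganizationId")
        # Multi-tenant app registered in someone else's tenant: review its consent and scope.
        if owner and owner != home_tenant and sp.get("signInAudience") == "AzureADMultipleOrgs":
            findings.append((name, "multi-tenant app owned by foreign tenant %s" % owner))
        # Any secret or certificate added inside the window: confirm a change record exists.
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(kind, []):
                if _parse_time(cred["startDateTime"]) >= cutoff:
                    findings.append((name, "%s %s added %s" % (kind, cred["keyId"], cred["startDateTime"])))
    return findings


if __name__ == "__main__":
    for name, reason in audit_service_principals(SAMPLE_EXPORT):
        print("%-20s %s" % (name, reason))
```

In a real tenant, feed the script the JSON returned by a Graph query for service principals (selecting the fields used above) and cross-check each finding against change records and the audit log.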
Overall, the evolving tactics of Silk Typhoon underscore the importance of continuous vigilance and robust cybersecurity measures to protect against sophisticated state-sponsored threat actors. Organizations must remain proactive in implementing security protocols and best practices to safeguard their networks and sensitive data from emerging cyber threats.