Silk Typhoon, the Chinese espionage group known for its sophisticated cyberattacks, has set its sights on the global IT supply chain. According to Microsoft Threat Intelligence, the group has shifted tactics to target widely used IT solutions such as remote management tools and cloud applications. Compromising those products gives Silk Typhoon initial access to victim organizations, from which it conducts espionage operations inside the compromised networks.
Since 2020, Silk Typhoon has been tracked as a prominent threat actor backed by the Chinese state. The group's operations show a high level of technical skill and resourcing, which lets it exploit vulnerabilities quickly. Its modus operandi is to find and exploit vulnerabilities in public-facing devices, including zero-day flaws and newly disclosed bugs that victims have not yet patched. This opportunistic approach has made Silk Typhoon one of the most active cyber espionage groups in the world.
Microsoft has not yet observed Silk Typhoon directly targeting Microsoft's own cloud services; instead, the group exploits unpatched software to escalate access and expand its reach across organizational networks. Once inside a victim organization, Silk Typhoon gains access to sensitive information and tools, and uses stolen credentials to manipulate applications, including Microsoft services, in pursuit of its espionage goals.
Silk Typhoon's targets span information technology, defense, government, healthcare, energy, legal services, education and non-governmental organizations (NGOs). Its operations are not confined to one region: victims are found in the United States and around the world. The common thread is sectors that hold sensitive data or support critical infrastructure, indicating a deliberate focus on high-value information.
The group's detailed knowledge of cloud environments lets it move laterally within victim networks, maintain persistence, escalate privileges and quickly extract valuable data. Microsoft Threat Intelligence, which has tracked the group since 2020, has documented its operational methods, including the use of web shells to execute commands and maintain access in compromised environments.
Recent research from Microsoft Threat Intelligence has uncovered new tactics, in particular the compromise of the IT supply chain. Using stolen API keys and credentials, the group gains entry to third-party service providers and from there moves into the providers' downstream customer environments. In these supply chain compromises it has specifically targeted providers of privileged access management (PAM), cloud applications and cloud data management.
Once inside a provider's environment through a stolen API key, Silk Typhoon performs reconnaissance on devices and harvests data, with a focus on information about U.S. government policy, law enforcement investigations and legal processes. Its post-compromise activity includes resetting administrator accounts, implanting web shells, creating new user accounts and clearing logs, which together let it maintain access while hindering detection and investigation.
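The post-compromise sequence above (an administrator password reset, a new account, then cleared logs) is easy to miss when each event is looked at alone, but stands out when one actor does several of them on one host in a short window. The following is an added example for this article, not code from Microsoft Threat Intelligence or from the report: it correlates Windows Security events by actor and host. The event records are constructed; in a real investigation they would come from an EVTX export or a SIEM. The event IDs are the standard Windows Security ones (4724 = an account's password was reset by another principal, 4720 = user account created, 1102 = audit log cleared); the 30-minute window and the two-kinds threshold are assumptions to tune.

```python
"""Correlate the post-compromise pattern from the article (administrator
password reset, new account creation, audit-log clearing) when one actor
performs several of these steps on one host within a short window.

Added example; not Microsoft's code. Events are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs this hunt cares about.
SUSPICIOUS = {
    4724: "password reset of another account",
    4720: "user account created",
    1102: "audit log cleared",
}

# Constructed sample events (not real telemetry). "actor" is SubjectUserName,
# "target" is TargetUserName where the event has one.
SAMPLE_EVENTS = [
    {"time": "2025-03-05T02:10:11", "event_id": 4724, "actor": "svc-backup", "target": "Administrator", "host": "FS01"},
    {"time": "2025-03-05T02:12:40", "event_id": 4720, "actor": "svc-backup", "target": "support_tmp", "host": "FS01"},
    {"time": "2025-03-05T02:15:02", "event_id": 1102, "actor": "svc-backup", "target": "", "host": "FS01"},
    {"time": "2025-03-05T02:16:30", "event_id": 4624, "actor": "support_tmp", "target": "", "host": "FS01"},
    {"time": "2025-03-05T09:00:00", "event_id": 4720, "actor": "helpdesk1", "target": "jdoe", "host": "DC01"},
    {"time": "2025-03-05T14:30:00", "event_id": 1102, "actor": "sysadmin", "target": "", "host": "DC01"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window=timedelta(minutes=30), min_kinds=2):
    """Return one alert per (actor, host) whose suspicious events span at least
    `min_kinds` distinct event IDs inside a sliding window of length `window`.
    A lone 1102, or a routine 4720 by the help desk, does not alert on its own."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] in SUSPICIOUS:
            by_actor[(e["actor"], e["host"])].append(e)

    alerts = []
    for (actor, host), evs in by_actor.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            # every suspicious event by this actor within `window` of `first`
            cluster = [e for e in evs[i:] if _ts(e) - _ts(first) <= window]
            kinds = []
            for e in cluster:  # keep first-seen order so the alert reads as a timeline
                if e["event_id"] not in kinds:
                    kinds.append(e["event_id"])
            if len(kinds) >= min_kinds:
                alerts.append({
                    "actor": actor,
                    "host": host,
                    "start": first["time"],
                    "steps": [SUSPICIOUS[k] for k in kinds],
                    # accounts created or reset in the cluster are what responders disable first
                    "new_accounts": [e["target"] for e in cluster if e["event_id"] == 4720],
                    "reset_accounts": [e["target"] for e in cluster if e["event_id"] == 4724],
                })
                break  # one alert per actor/host is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the `svc-backup` cluster on FS01 alerts; the help desk's account creation and the administrator's log clearing on DC01 are single events and stay quiet. Note that 1102 records who cleared the log but not what was in it, so the cleared window should be reconstructed from a forwarded copy or the SIEM rather than from the host.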
Beyond exploiting software vulnerabilities, Silk Typhoon abuses weak password practices through password spray attacks and other password abuse techniques to get into victim environments. From that initial foothold it moves laterally, using the compromised credentials to steal data from both on-premises and cloud systems. Notably, the group has targeted Microsoft Entra Connect (formerly AADConnect) servers, which synchronise on-premises Active Directory with Entra ID; a foothold there lets it escalate privileges and pivot between the on-premises and cloud environments.
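A password spray looks different from a brute force in the sign-in log: one source address touches many accounts a few times each, rather than hammering one account, and the case that matters is the one where a success follows. The script below is an added example for this article, not Microsoft's own detection logic. Its rows are constructed to resemble a simplified Entra ID sign-in log export (userPrincipalName, ipAddress, createdDateTime, status.errorCode); error code 50126 is Entra ID's "invalid username or password" and 0 is a successful sign-in. The thresholds, the `contoso.example` accounts and the documentation-range IP addresses are assumptions.

```python
"""Detect the password-spray pattern from the article in sign-in logs: one IP
failing against many distinct accounts, few tries each, then succeeding.

Added example; not Microsoft's detection. Sign-in rows are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126  # Entra ID: invalid username or password
SUCCESS = 0


def _row(upn, ip, when, code):
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": when.isoformat(), "status": {"errorCode": code}}


def build_sample_signins():
    """Constructed sample: a spray from 203.0.113.7 (12 accounts, one try each,
    then a success for one of them), a single-account brute force from
    198.51.100.20, and a normal login from 192.0.2.5."""
    base = datetime(2025, 3, 5, 1, 0, 0)
    rows = []
    for i in range(12):
        rows.append(_row(f"user{i:02d}@contoso.example", "203.0.113.7",
                         base + timedelta(minutes=i), BAD_PASSWORD))
    rows.append(_row("user07@contoso.example", "203.0.113.7",
                     base + timedelta(minutes=20), SUCCESS))
    for i in range(6):
        rows.append(_row("cfo@contoso.example", "198.51.100.20",
                         base + timedelta(minutes=i), BAD_PASSWORD))
    rows.append(_row("alice@contoso.example", "192.0.2.5",
                     base + timedelta(minutes=3), SUCCESS))
    return rows


SAMPLE_SIGNINS = build_sample_signins()


def _ts(row):
    return datetime.fromisoformat(row["createdDateTime"])


def detect_spray(rows, window=timedelta(hours=1), min_accounts=10, max_per_account=3):
    """Return one finding per source IP that, inside `window`, fails with a bad
    password against at least `min_accounts` distinct accounts while trying no
    single account more than `max_per_account` times. The per-account cap is
    what separates a spray from a brute force of one account."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ipAddress"]].append(r)

    findings = []
    for ip, ip_rows in by_ip.items():
        ip_rows.sort(key=_ts)
        failures = [r for r in ip_rows if r["status"]["errorCode"] == BAD_PASSWORD]
        for i, first in enumerate(failures):
            t0 = _ts(first)
            in_window = [r for r in failures[i:] if _ts(r) - t0 <= window]
            per_account = Counter(r["userPrincipalName"] for r in in_window)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # A success from the same IP after the spray began is the likely compromise.
                hits = sorted({r["userPrincipalName"] for r in ip_rows
                               if r["status"]["errorCode"] == SUCCESS and _ts(r) >= t0})
                findings.append({"ip": ip, "start": first["createdDateTime"],
                                 "distinct_accounts": len(per_account),
                                 "attempts": len(in_window),
                                 "followed_by_success": hits})
                break  # one finding per IP
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_SIGNINS):
        print(finding)
```

The brute-force source fails the distinct-account threshold and is left to a separate single-account rule; an attacker who rotates source addresses per attempt defeats the per-IP grouping, so in practice the same logic is also run keyed on user agent or on the application ID the attempts target.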
Silk Typhoon's post-compromise operations extend deep into cloud environments. By taking over service principals and OAuth applications that hold administrative permissions, the group reads mailbox data through the Microsoft Graph API (MSGraph) and through Exchange Web Services (EWS). It has also been observed creating Entra ID applications that mimic legitimate services such as Office 365, and using them to exfiltrate data across tenants while blending in with normal application traffic.
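Both abuses described above leave a footprint in the tenant's service principal inventory: an application permission that reads every mailbox or file, and a display name that borrows a Microsoft brand while the app is owned by someone else. The audit below is an added example for this article, not Microsoft tooling. Its input is a constructed, simplified export in which each service principal already carries the granted application permission values; a raw Microsoft Graph export instead gives appRoleId GUIDs on appRoleAssignments, which you resolve against the resource service principal's appRoles. The tenant IDs listed as Microsoft's first-party owners are an assumption to verify against current Microsoft documentation, and the other tenant IDs and app names are made up.

```python
"""Audit Entra ID service principals for the two abuses in the article:
tenant-wide app-only mail/file permissions, and Microsoft-lookalike names
on applications Microsoft does not own.

Added example; not Microsoft tooling. Sample service principals are
constructed; the Microsoft tenant IDs below are an assumption to verify.
"""
OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed

# appOwnerOrganizationId values Microsoft documents for its first-party apps.
# Assumption: verify against Microsoft's documentation before relying on it.
MICROSOFT_TENANTS = {
    "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
    "72f988bf-86f1-41af-91ab-2d7cd011db47",
}

# Application (app-only) permissions that reach every mailbox, file or role.
HIGH_RISK_APP_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",          # Microsoft Graph, all mailboxes
    "full_access_as_app",                                # Exchange Web Services, all mailboxes
    "Files.Read.All", "Files.ReadWrite.All",             # OneDrive
    "Sites.Read.All", "Sites.ReadWrite.All",             # SharePoint
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}
BRAND_WORDS = ("office 365", "microsoft", "exchange", "sharepoint", "onedrive", "entra")

SAMPLE_SERVICE_PRINCIPALS = [  # constructed sample export
    {"id": "sp-1", "displayName": "Office 365 Mail Sync",
     "appOwnerOrganizationId": OUR_TENANT_ID,
     "appRoles": ["Mail.Read", "full_access_as_app"], "createdDateTime": "2025-02-28"},
    {"id": "sp-2", "displayName": "Contoso HR Portal",
     "appOwnerOrganizationId": OUR_TENANT_ID,
     "appRoles": ["User.Read.All"], "createdDateTime": "2023-06-01"},
    {"id": "sp-3", "displayName": "Microsoft Graph Command Line Tools",
     "appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
     "appRoles": [], "createdDateTime": "2022-01-10"},
    {"id": "sp-4", "displayName": "Acme Backup Connector",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "appRoles": ["Sites.ReadWrite.All"], "createdDateTime": "2024-11-12"},
]


def audit_service_principals(sps, microsoft_tenants=MICROSOFT_TENANTS):
    """Return a finding for every service principal that holds a high-risk
    app-only permission, carries a Microsoft-lookalike name without being
    owned by a Microsoft tenant, or both (both raises the severity)."""
    findings = []
    for sp in sps:
        reasons = []
        risky = sorted(set(sp.get("appRoles", [])) & HIGH_RISK_APP_PERMISSIONS)
        if risky:
            reasons.append("tenant-wide app-only permissions: " + ", ".join(risky))
        name = sp["displayName"].lower()
        owner_is_microsoft = sp.get("appOwnerOrganizationId") in microsoft_tenants
        if any(word in name for word in BRAND_WORDS) and not owner_is_microsoft:
            reasons.append("Microsoft-lookalike name on a non-Microsoft app")
        if reasons:
            findings.append({"id": sp["id"], "displayName": sp["displayName"],
                             "created": sp.get("createdDateTime"),
                             "severity": "high" if len(reasons) == 2 else "medium",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_service_principals(SAMPLE_SERVICE_PRINCIPALS):
        print(finding)
```

The lookalike check is a triage signal rather than proof: legitimate third-party connectors often carry "SharePoint" or "Exchange" in their names, which is why the permission check runs alongside it and a hit on both is what gets rated high. Also compare each flagged app's creation date and credential additions against the period of the suspected intrusion.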
In conclusion, Silk Typhoon's use of covert networks and sophisticated tooling underscores the need for robust defenses in an increasingly cloud-dependent and complex IT landscape. As the group continues to evolve its tactics and target critical sectors worldwide, organizations and governments must stay vigilant: patch public-facing devices promptly, rotate and narrowly scope the API keys held by third-party providers, and audit the permissions granted to service principals and OAuth applications, since those are the paths this group is known to take.