The Chinese government-linked hacking group known as Silk Typhoon has continued its cyberattacks since late 2024, using stolen API keys and cloud credentials to target IT companies and government agencies at both the state and local level. Microsoft Threat Intelligence has been monitoring these attacks, which have been ongoing since the intrusion into the US Treasury Department in December.
The US Treasury Department breach, believed to be orchestrated by Silk Typhoon, resulted in the theft of data from workstations belonging to crucial departments such as the Office of Foreign Assets Control and the Office of the Treasury Secretary. This cyber espionage operation was facilitated by the theft of a BeyondTrust digital key used for remote technical support.
The scope of Silk Typhoon's victims has expanded beyond federal government agencies, with Microsoft Threat Intelligence uncovering evidence of ongoing attacks since late 2024. The group's preferred method of infiltration is to use stolen API keys and credentials to gain unauthorized access to victims' environments, rather than breaking in through an exploit.
Once inside an organization, Silk Typhoon operatives conduct reconnaissance, focusing on gathering information related to US government policies, legal processes, and law enforcement investigations that align with China's interests. The group has adapted its tactics and now targets remote management tools and cloud applications to gain its initial foothold.
Silk Typhoon, formerly known as Hafnium, gained notoriety for the 2021 Microsoft Exchange Server breaches, in which it exploited zero-day vulnerabilities to access sensitive data from various US-based entities. In January, Silk Typhoon was observed exploiting a zero-day vulnerability in the Ivanti Pulse Connect VPN.
Microsoft's threat intelligence team has previously observed Silk Typhoon exploiting vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway appliances, as well as Palo Alto Networks firewalls, to compromise multiple organizations. This pattern of edge-device exploitation followed by credential abuse underscores the group's persistence and its evolving approach to cyber espionage.
As the threat landscape continues to evolve, organizations must remain vigilant against sophisticated threat actors like Silk Typhoon, who are relentless in their pursuit of sensitive information. By staying informed of the latest cybersecurity developments and implementing robust security measures, entities can enhance their defenses against malicious cyber activities.
The ongoing efforts by cybersecurity experts and law enforcement agencies to combat groups like Silk Typhoon are crucial in safeguarding sensitive data and maintaining the integrity of critical infrastructure. Collaboration between public and private sectors is essential in addressing cyber threats effectively and mitigating potential risks posed by malicious actors in the digital realm.