
Microsoft reports a tactical shift in the operations of the Chinese cyber-espionage group Silk Typhoon, which is now actively targeting remote management tools and cloud services as part of a broader supply chain attack strategy. By compromising the providers and tooling that organizations already trust, the group can reach victims' environments through access those organizations have deliberately granted to third parties, rather than having to breach each target from the outside.
The company confirms that these attacks have affected multiple sectors, including government agencies, IT services, healthcare, defense, education, non-profit organizations, and the energy industry. Silk Typhoon exploits unpatched vulnerabilities in internet-facing software for initial access and privilege escalation. Once inside a service provider, the group uses stolen API keys and credentials to pivot into that provider's downstream customer networks, taking advantage of the trust relationships and integration weaknesses of widely used cloud platforms and services.
Silk Typhoon previously gained notoriety for its December 2024 attack on the U.S. Office of Foreign Assets Control (OFAC) and the theft of sensitive data from the Committee on Foreign Investment in the United States (CFIUS). Around the same time, the group began using stolen API keys and credentials to gain access to IT service providers, identity and privileged access management solutions, and remote monitoring and management tools. It also scans GitHub repositories and other public resources for leaked credentials, supplementing these efforts with password spraying and other brute-force attacks.
Earlier, Silk Typhoon primarily targeted organizations directly, exploiting internet-facing edge devices, deploying web shells, and moving laterally through compromised VPN and RDP connections. Its new focus on Managed Service Providers (MSPs) and similar upstream providers lets it operate discreetly inside victims' cloud environments, stealing Active Directory credentials and abusing OAuth applications to reach data such as email and files.
The group has also reduced its reliance on malware and web shells, instead prioritizing the abuse of cloud services for data theft and stealthy persistence. Microsoft has observed that Silk Typhoon leverages both known and zero-day vulnerabilities for initial access. Most recently, the group exploited a critical zero-day in Ivanti Pulse Connect VPN (Ivanti Connect Secure, CVE-2025-0282), an unauthenticated remote code execution flaw, to breach corporate networks.
In 2024, Silk Typhoon conducted attacks using CVE-2024-3400 in Palo Alto Networks PAN-OS GlobalProtect and CVE-2023-3519 in Citrix NetScaler ADC and NetScaler Gateway. Additionally, Microsoft has identified that Silk Typhoon operates a covert network of compromised Cyberoam appliances, Zyxel routers, and QNAP devices, which it uses both to launch attacks and to obscure the true origin of its activity.
To mitigate the risk of compromise, Microsoft advises administrators to apply the latest Indicators of Compromise (IOCs) and detection rules outlined in its report. Given the tradecraft described above, that means patching the edge devices listed, and reviewing OAuth application consents and newly added service principal credentials, since those are the footholds the group now prefers over malware. These measures narrow the attack surface this campaign depends on; they do not by themselves guarantee that an intrusion will be prevented.
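The tradecraft described above (stolen credentials, OAuth application abuse, persistence without malware) is what those detection rules have to catch. As an added illustration that is not code from Microsoft's report or from this page, the following Python pass flags two patterns in Microsoft Entra ID audit events: a consent grant that gives an application high-privilege Microsoft Graph permissions, and a new credential added to a service principal, especially within a short window of such a consent. The record layout is a simplified version of the Entra audit log shape (activityDisplayName, initiatedBy, targetResources, modifiedProperties); the sample events, the contoso.example accounts and the application names are constructed for the example, and the HIGH_RISK_SCOPES list, the 30-minute window and the analyze() function are this example's own choices.

```python
"""Flag OAuth application abuse patterns in Microsoft Entra ID audit events.

Added example, not code from Microsoft's report. The record layout is a
simplified version of the Entra ID audit log schema; the sample events,
account names and application names below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft Graph permissions that give an app broad, durable access to mail,
# files or the directory. Tune this list to what your tenant treats as sensitive.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Read.All", "Mail.ReadWrite.All",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Audit activities that attach a new secret or certificate to an existing app.
CREDENTIAL_ADD_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# ConsentAction.Permissions is logged as a textual list of
# "[Id: <guid>, ClaimValue: <scope>, ConsentType: <type>]" entries;
# only the ClaimValue (the scope name) matters here.
_CLAIM_RE = re.compile(r"ClaimValue:\s*([A-Za-z0-9_.]+)")


def _event(ts, activity, actor, target, props):
    """Build a constructed audit record in the simplified schema used here."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"displayName": target, "type": "ServicePrincipal",
                             "modifiedProperties": [{"displayName": k, "newValue": v}
                                                    for k, v in props.items()]}],
    }


SAMPLE_EVENTS = [  # constructed sample data, not real log output
    _event("2025-03-05T09:40:00Z", "Consent to application", "alice@contoso.example",
           "Lunch Poll", {"ConsentContext.IsAdminConsent": "False",
                          "ConsentAction.Permissions":
                          "[] -> [[Id: 1, ClaimValue: User.Read, ConsentType: Principal]]"}),
    _event("2025-03-05T10:02:11Z", "Consent to application", "svc-helpdesk@contoso.example",
           "Mailbox Archiver", {"ConsentContext.IsAdminConsent": "True",
                                "ConsentAction.Permissions":
                                "[] -> [[Id: 2, ClaimValue: Mail.Read, ConsentType: AllPrincipals], "
                                "[Id: 3, ClaimValue: offline_access, ConsentType: AllPrincipals]]"}),
    _event("2025-03-05T10:09:30Z", "Add service principal credentials",
           "svc-helpdesk@contoso.example", "Mailbox Archiver",
           {"KeyDescription": "[KeyType=Password,KeyUsage=Verify]"}),
    _event("2025-03-06T14:15:00Z", "Add service principal credentials",
           "provisioning@contoso.example", "HR Sync", {}),
]


def _actor(event):
    """Return the user principal name or app display name that initiated the event."""
    who = event.get("initiatedBy", {})
    if "user" in who:
        return who["user"].get("userPrincipalName", "unknown-user")
    if "app" in who:
        return who["app"].get("displayName", "unknown-app")
    return "unknown"


def _props(event):
    """Flatten modifiedProperties of the first target resource into a dict."""
    target = event.get("targetResources", [{}])[0]
    return {p["displayName"]: p.get("newValue", "") for p in target.get("modifiedProperties", [])}


def consented_scopes(event):
    """Extract the set of scope names granted by a 'Consent to application' event."""
    return set(_CLAIM_RE.findall(_props(event).get("ConsentAction.Permissions", "")))


def analyze(events, window=timedelta(minutes=30)):
    """Return findings for high-risk consents, credential additions, and the
    combination of both on the same app within `window` (a persistence chain)."""
    findings = []
    risky_consents = defaultdict(list)  # target app -> timestamps of high-risk consents
    for e in sorted(events, key=lambda ev: ev["activityDateTime"]):
        ts = datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00"))
        activity = e["activityDisplayName"]
        target = e.get("targetResources", [{}])[0].get("displayName", "unknown")
        actor = _actor(e)
        if activity == "Consent to application":
            risky = consented_scopes(e) & HIGH_RISK_SCOPES
            if risky:
                admin = _props(e).get("ConsentContext.IsAdminConsent", "False").strip('"') == "True"
                findings.append({"rule": "high_risk_consent", "actor": actor, "target": target,
                                 "detail": f"{'admin' if admin else 'user'} consent to {sorted(risky)}"})
                risky_consents[target].append(ts)
        elif activity in CREDENTIAL_ADD_ACTIVITIES:
            findings.append({"rule": "credential_added", "actor": actor, "target": target,
                             "detail": activity})
            # A fresh secret on an app that just received broad permissions is the
            # classic OAuth persistence pattern: the actor no longer needs the user.
            if any(ts - t <= window for t in risky_consents[target]):
                findings.append({"rule": "consent_then_credential", "actor": actor,
                                 "target": target, "detail": f"credential added within {window}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:24} {f['target']:18} {f['actor']:32} {f['detail']}")
```

In practice the input would be the tenant's exported audit log (or the equivalent rows from a SIEM), and the scope list and window would be tuned to the environment; the point of the chained rule is that a benign consent and a benign credential rotation are each common, while the two landing on the same service principal minutes apart is what a credential-theft campaign like this one looks like in the logs.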