
Targeting the IT Sector's Backbone: Silk Typhoon's Supply Chain Attacks


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Cyble Research and Intelligence Labs came across a blog published by Microsoft about Silk Typhoon, a Chinese state-sponsored cyberespionage group. This group is highly skilled and rapidly exploits zero-day vulnerabilities in edge devices. Silk Typhoon targets a wide range of industries, including IT, healthcare, legal, defense, government, and energy sectors, both in the U.S. and globally. They are known for rapidly exploiting discovered vulnerabilities and have one of the largest targeting footprints among Chinese threat actors.

Recently, Silk Typhoon shifted tactics to focus on common IT tools like remote management software and cloud applications to gain access to networks. While they aren't directly targeting Microsoft cloud services, they exploit unpatched applications to elevate their access and conduct malicious activities. Microsoft has been monitoring this group since 2020 and has notified impacted customers while offering guidance on threat detection and mitigation to help organizations strengthen their defenses.

Technical Details

Initial Access Tactics

Silk Typhoon employs a mix of advanced and opportunistic methods to gain initial access:

● Password Abuse: Silk Typhoon uses password spray attacks and reconnaissance to find leaked corporate passwords on public sites such as GitHub. Successful authentication through these tactics highlights the need for strong password hygiene and multifactor authentication (MFA).

● Exploitation of Vulnerabilities: Exploits zero-day vulnerabilities and vulnerable third-party services, focusing on IT providers, identity management, privileged access management, and remote monitoring and management (RMM) solutions.

● Notable Exploit: In January 2025, a zero-day vulnerability (CVE-2025-0282) in Ivanti Pulse Connect VPN was exploited. Microsoft's prompt reporting led to a rapid patch by Ivanti.
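The password-spray pattern described under Password Abuse (one source trying many accounts with few attempts each, sometimes ending in a successful login) can be spotted in authentication logs. The following detector is an added example, not code from the original post or from Microsoft; the log line format, account names and source addresses are constructed for illustration.

```python
# Added example (not from the original post): detect a password spray, i.e. one
# source failing against many distinct accounts, in constructed auth log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format: ISO time, result, user, source IP).
AUTH_LOG = """\
2025-02-03T08:00:01 FAIL user=alice src=203.0.113.7
2025-02-03T08:00:03 FAIL user=bob src=203.0.113.7
2025-02-03T08:00:05 FAIL user=carol src=203.0.113.7
2025-02-03T08:00:07 FAIL user=dave src=203.0.113.7
2025-02-03T08:00:09 FAIL user=erin src=203.0.113.7
2025-02-03T08:00:11 OK user=frank src=203.0.113.7
2025-02-03T08:01:00 FAIL user=alice src=198.51.100.20
2025-02-03T08:01:05 FAIL user=alice src=198.51.100.20
2025-02-03T08:01:10 FAIL user=alice src=198.51.100.20
2025-02-03T08:01:15 FAIL user=alice src=198.51.100.20
2025-02-03T08:01:20 FAIL user=alice src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (time, ok, user, src) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2] == "OK", m[3], m[4]

def detect_spray(log, window=timedelta(minutes=10), min_users=5):
    """Return {src: {"users": n, "then_success": [users]}} for sources that
    failed against at least min_users distinct accounts within window.
    A brute force on a single account (many failures, one user) is not reported."""
    fails = defaultdict(list)          # src -> [(time, user)]
    successes = defaultdict(list)      # src -> [(time, user)]
    for t, ok, user, src in parse(log):
        (successes if ok else fails)[src].append((t, user))
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                later = [u for t, u in successes[src] if t >= t0]
                alerts[src] = {"users": len(users), "then_success": later}
                break
    return alerts
```

The second source in the sample fails five times against one account and is deliberately not flagged, so the detector separates spraying from a single-account brute force.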

Since late 2024, Silk Typhoon has targeted supply chains using stolen API keys and credentials from Privileged Access Management (PAM) systems, cloud app providers, and cloud data management companies. This allowed them to access the downstream customer environments of compromised companies.

Once inside, Silk Typhoon used admin accounts to gather data related to China-based interests, U.S. government policy, and law enforcement documents. They conducted reconnaissance and collected valuable information.

To stay hidden, the group reset default admin accounts, deployed web shells for remote access, created new users and cleared logs to cover their tracks. Their main targets were state and local governments and the IT sector, showing a focus on accessing sensitive government information and IT infrastructure.

Silk Typhoon's key activities included accessing downstream customer environments of compromised companies. Once inside, they performed thorough reconnaissance and collected data using administrative accounts. The data gathered often aligned with China-based interests, U.S. government policy, and law enforcement documents, indicating a focused approach to intelligence gathering.

Persistence

To maintain persistence and avoid detection, Silk Typhoon used several techniques, including resetting default admin accounts, deploying web shells for remote access, creating new user accounts, and clearing logs to erase evidence of their actions. Their main targets were state and local governments and the IT sector, highlighting a strategy focused on accessing sensitive governmental information and critical IT infrastructure.

Lateral Movement to Cloud Environments

After gaining on-premises access, Silk Typhoon:

● Dumps Active Directory data and extracts passwords from key vaults.

● Escalates privileges and specifically targets AADConnect (now Entra Connect) servers to bridge on-premises and cloud environments.

Use of Covert Networks

The threat actor uses covert networks consisting of compromised or leased devices, including:

● Compromised Cyberoam appliances

● Zyxel routers

● QNAP devices

Recommendations

We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the best practices given below:

● Continuously monitor for suspicious activities such as unexpected admin account changes, web shell deployment, and abnormal API usage. Regularly review and securely store logs to detect and investigate potential breaches.

● Enforce multifactor authentication (MFA) on all accounts, especially for admin and privileged access, to prevent unauthorized access using stolen or weak credentials.

● Regularly update software and systems to address known vulnerabilities. Conduct routine vulnerability assessments to identify and remediate potential security gaps before attackers can exploit them.

● Conduct security assessments of third-party vendors and enforce security requirements, including MFA and strong password policies. Establish clear incident response plans to handle potential supply chain compromises.

● Implement strict access controls and usage policies for API keys and service principals. Regularly rotate API keys, limit their permissions, and monitor for unusual activity to prevent abuse.
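The persistence techniques described earlier (resetting default admin accounts, creating new users, clearing logs) and the first recommendation above (monitor for unexpected admin account changes) map to a small set of Windows Security events that can be correlated per host. The correlation below is an added example, not code from the original post or from Microsoft; the event records are constructed dicts, and the field names, weights and threshold are assumptions.

```python
# Added example (not from the original post): correlate the persistence actions
# described on this page in Windows Security events, per host, within a window.
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs used: 4724 = password reset attempt, 4720 = user account created,
# 4732 = member added to a local security group, 1102 = audit log cleared.
WINDOW = timedelta(minutes=30)
DEFAULT_ADMINS = {"Administrator", "admin"}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample events (assumption: fields mirror Security log event data).
EVENTS = [
    {"time": "2025-01-10T02:03:00", "id": 4724, "host": "srv1", "subject": "svc_backup", "target": "Administrator", "group": ""},
    {"time": "2025-01-10T02:05:00", "id": 4720, "host": "srv1", "subject": "svc_backup", "target": "support_tmp", "group": ""},
    {"time": "2025-01-10T02:06:00", "id": 4732, "host": "srv1", "subject": "svc_backup", "target": "support_tmp", "group": "Administrators"},
    {"time": "2025-01-10T02:20:00", "id": 1102, "host": "srv1", "subject": "svc_backup", "target": "", "group": ""},
    {"time": "2025-01-10T09:00:00", "id": 4720, "host": "srv2", "subject": "hr_admin", "target": "jdoe", "group": ""},
]

def score_event(ev):
    """Return (tag, weight) for an event matching the persistence pattern, else None."""
    if ev["id"] == 4724 and ev["target"] in DEFAULT_ADMINS:
        return ("default_admin_reset", 2)
    if ev["id"] == 4720:
        return ("account_created", 1)
    if ev["id"] == 4732 and ev["group"] in ADMIN_GROUPS:
        return ("admin_group_add", 2)
    if ev["id"] == 1102:
        return ("log_cleared", 3)
    return None

def find_persistence_chains(events, threshold=4):
    """Group tagged events per host within WINDOW; return hosts whose summed
    weight reaches threshold, with the sorted tags that contributed."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = score_event(ev)
        if hit:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), hit))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            window = [h for t, h in hits[i:] if t - t0 <= WINDOW]
            if sum(w for _, w in window) >= threshold:
                alerts[host] = sorted({tag for tag, _ in window})
                break
    return alerts
```

A lone account creation on srv2 stays below the threshold, so routine administration is not alerted on, while the chain on srv1 is.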

Conclusion

Silk Typhoon employs advanced tactics to compromise supply chains and cloud environments, focusing on state and local governments and the IT sector. The threat actor uses stolen API keys, compromised credentials, and zero-day vulnerabilities to access sensitive data related to China-based interests, U.S. government policy, and law enforcement. They avoid using dedicated infrastructure, instead leveraging compromised covert networks, proxies, VPNs, and short-lease virtual private servers (VPS) to obfuscate their activities.

Their ability to conduct stealthy reconnaissance, maintain persistence, and hide their tracks highlights the need for strong security practices, including password hygiene, multifactor authentication (MFA), and proactive cloud environment monitoring.
