Full Report
The China-linked threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics to target the information technology (IT) supply chain as a means to obtain initial access to corporate networks. That's according to new findings from the Microsoft Threat Intelligence team, which said the Silk Typhoon (formerly Hafnium) hacking
Analysis Summary
# Threat Actor: Silk Typhoon
## Attribution & Identity
Attributed to a China-linked threat actor.
Known Aliases: Formerly known as Hafnium.
Associated Groups: The actor relies on infrastructure common to several Chinese state-sponsored actors (e.g., use of compromised Cyberoam appliances, Zyxel routers, and QNAP devices under the "CovertNetwork" infrastructure).
## Activity Summary
The actor initially gained notoriety for the zero-day exploitation of security flaws in **Microsoft Exchange servers in January 2021**.
Recently, Silk Typhoon has shifted tactics to target the **IT supply chain** for initial access. This involves compromising IT solutions like remote management tools and cloud applications.
Following a compromise, stolen keys and credentials are used to infiltrate customer networks via abused deployed applications (including Microsoft services) to achieve espionage objectives.
The group has demonstrated swift, opportunistic exploitation of zero-day vulnerabilities in edge devices, scaling its operations across whatever widely deployed products are exposed at the time.
## Tactics, Techniques & Procedures
- **Initial Access:**
  - Zero-day exploitation of edge device vulnerabilities (e.g., Ivanti Pulse Connect VPN [CVE-2025-0282], Palo Alto Networks firewalls [CVE-2024-3400], Citrix NetScaler ADC/Gateway [CVE-2023-3519], and Microsoft Exchange Server vulnerabilities [CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065]).
  - Abuse of stolen API keys and credentials associated with Privileged Access Management (PAM), cloud app providers, and cloud data management companies for supply chain compromises.
  - Password spray attacks using enterprise credentials leaked in public repositories (such as GitHub).
- **Execution & Persistence:** Use of various **web shells** to achieve command execution and persistence.
- **Lateral Movement & C2:** Rapidly pivoting from on-premises environments into cloud environments.
- **Data Exfiltration:** Leveraging **OAuth applications with administrative permissions** to perform data exfiltration (Email, OneDrive, SharePoint) via the **MSGraph API**.
- **Reconnaissance:** Performing reconnaissance and data collection through an admin account accessed with the stolen API keys.
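The password-spray technique listed under Initial Access is hard to catch with per-account lockout thresholds, because each account sees only one or two attempts. The following detection is an added example, not code from the report or from Microsoft: it runs over constructed sign-in records (the field names, IP addresses, user names and thresholds are assumed for illustration) and flags a source that fails against many distinct accounts inside a sliding window, then checks whether that same source later succeeded against one of the sprayed accounts.

```python
"""Added example (not from the report): flag password-spray activity in
constructed sign-in records.

A spray is one source hitting many distinct accounts with few attempts each,
so we count distinct failed users per source IP inside a sliding time window
rather than failures per account, which a classic lockout rule would miss.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Field names are
# assumed; adapt them to whatever your sign-in log export actually uses.
SAMPLE_EVENTS = [
    # benign activity, including a user mistyping a password twice
    {"ts": "2025-03-05T08:55:00", "user": "alice@corp.example", "ip": "198.51.100.20", "result": "success"},
    {"ts": "2025-03-05T08:58:00", "user": "bob@corp.example", "ip": "198.51.100.21", "result": "failure"},
    {"ts": "2025-03-05T08:58:30", "user": "bob@corp.example", "ip": "198.51.100.21", "result": "failure"},
    {"ts": "2025-03-05T08:59:00", "user": "bob@corp.example", "ip": "198.51.100.21", "result": "success"},
    # low-and-slow spray: one guess per account, many accounts, one source
    {"ts": "2025-03-05T09:00:00", "user": "alice@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2025-03-05T09:02:00", "user": "bob@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2025-03-05T09:04:00", "user": "carol@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2025-03-05T09:06:00", "user": "dave@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2025-03-05T09:08:00", "user": "erin@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2025-03-05T09:10:00", "user": "frank@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2025-03-05T09:12:00", "user": "frank@corp.example", "ip": "203.0.113.7", "result": "success"},
    # a second source that touches too few accounts to cross the threshold
    {"ts": "2025-03-05T09:20:00", "user": "grace@corp.example", "ip": "203.0.113.9", "result": "failure"},
    {"ts": "2025-03-05T09:21:00", "user": "heidi@corp.example", "ip": "203.0.113.9", "result": "failure"},
]


def detect_password_spray(events, window_minutes=30, min_distinct_users=5):
    """Return {source_ip: sorted distinct users} for every source whose failed
    sign-ins touched at least `min_distinct_users` accounts within any
    `window_minutes` window. Thresholds are assumed values; tune per tenant."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        in_window = Counter()   # user -> failures currently inside the window
        start = 0
        best = set()            # largest distinct-user set seen for this source
        for ts, user in attempts:
            in_window[user] += 1
            # slide the window start forward past attempts that are too old
            while ts - attempts[start][0] > window:
                old_user = attempts[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if len(in_window) >= min_distinct_users and len(in_window) > len(best):
                best = set(in_window)
        if best:
            alerts[ip] = sorted(best)
    return alerts


def spray_followed_by_success(events, alerts):
    """Return (ip, user) pairs where a flagged source later signed in
    successfully as one of the accounts it sprayed: the highest-priority
    finding, since it indicates a guessed (or leaked) password that worked."""
    hits = []
    for e in events:
        users = alerts.get(e["ip"])
        if users and e["result"] == "success" and e["user"] in users:
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_EVENTS)
    for ip, users in found.items():
        print(f"spray from {ip}: {len(users)} accounts -> {', '.join(users)}")
    for ip, user in spray_followed_by_success(SAMPLE_EVENTS, found):
        print(f"ALERT: {ip} later authenticated successfully as {user}")
```

The two-pointer window keeps the check linear in the number of failures per source, so it scales to a day of tenant-wide sign-in logs. In production the grouping key is often better chosen as a source ASN or a user-agent plus IP prefix, because the actor rotates egress through compromised consumer devices rather than a single address.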
## Targeting
- Sectors: Information Technology (IT) services and infrastructure, Remote Monitoring and Management (RMM) companies, Managed Service Providers (MSPs) and affiliates, Healthcare, Legal services, Higher Education, Defense, Government, Non-Governmental Organizations (NGOs), Energy.
- Geography: United States and globally.
- Victims: State and local government, and the IT sector (specifically targeted via API key abuse).
## Tools & Infrastructure
- Malware Families Used: Web shells (general mention).
- Infrastructure: Relies on a "CovertNetwork" comprising compromised **Cyberoam appliances, Zyxel routers, and QNAP devices** to obfuscate the origin of activities.
## Implications
Silk Typhoon is assessed to be **well-resourced and technically efficient**, capable of rapidly weaponizing zero-days against widely used edge infrastructure. Its current focus on the IT supply chain and its use of stolen cloud credentials/API keys present a high risk of widespread downstream impact and espionage.
## Mitigations
- Prioritize patching and hardening of edge devices for the vulnerabilities this actor has exploited (Exchange, Ivanti, Palo Alto, Citrix).
- Implement robust monitoring for the unauthorized use of stolen API keys and credentials, especially those granting administrative or privileged access within cloud environments.
- Scrutinize external connections and presence of web shells on network appliances and internal systems.
- Review permissions granted to OAuth applications accessing critical cloud data repositories (Email, OneDrive, SharePoint).
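The last mitigation, together with the Data Exfiltration TTP above (OAuth applications with administrative permissions pulling mail, OneDrive and SharePoint data through the Graph API), comes down to knowing which applications in the tenant hold app-only permissions over those data stores. The audit below is an added example, not code from the report or from Microsoft: it works over a constructed list of application records whose field names mimic what a service-principal export contains (the app names, IDs and credential counts are assumed for illustration), and it ranks applications by the sensitivity of the application permissions they hold. The permission names in the sensitive set are real Microsoft Graph application permissions.

```python
"""Added example (not from the report): rank OAuth applications by the
app-only Microsoft Graph permissions they hold over mail and file stores.

App-only (application) permissions are the ones an attacker holding a stolen
client secret or certificate can exercise without any user signing in, so they
are audited here; delegated permissions still need a user context and are
reported separately as lower priority.
"""

# Real Graph application permission names, grouped by what they expose.
SENSITIVE_APP_PERMISSIONS = {
    "Mail.Read": "read every mailbox",
    "Mail.ReadWrite": "read and modify every mailbox",
    "Files.Read.All": "read all OneDrive/SharePoint files",
    "Files.ReadWrite.All": "read and modify all OneDrive/SharePoint files",
    "Sites.Read.All": "read all SharePoint sites",
    "Sites.ReadWrite.All": "read and modify all SharePoint sites",
    "Directory.ReadWrite.All": "modify directory objects",
    "RoleManagement.ReadWrite.Directory": "assign directory roles",
}

# Constructed application records (not a real tenant). Field names are
# assumed; map them from your own service-principal export.
SAMPLE_APPS = [
    {"displayName": "Mailbox Backup", "appId": "00000000-0000-0000-0000-000000000001",
     "appRoles": ["Mail.ReadWrite", "User.Read.All"], "delegated": [],
     "keyCredentials": 1, "passwordCredentials": 2},
    {"displayName": "Ticketing Connector", "appId": "00000000-0000-0000-0000-000000000002",
     "appRoles": ["User.Read.All"], "delegated": ["Mail.Read"],
     "keyCredentials": 0, "passwordCredentials": 1},
    {"displayName": "Legacy Reporting", "appId": "00000000-0000-0000-0000-000000000003",
     "appRoles": ["Sites.Read.All", "Files.Read.All"], "delegated": [],
     "keyCredentials": 1, "passwordCredentials": 0},
    {"displayName": "Intranet Widget", "appId": "00000000-0000-0000-0000-000000000004",
     "appRoles": [], "delegated": ["User.Read"],
     "keyCredentials": 0, "passwordCredentials": 1},
]

SEVERITY_ORDER = {"high": 0, "medium": 1}


def classify(permissions):
    """Write access to all mail/files/sites or directory control is high;
    tenant-wide read access is medium. The split is an assumed policy."""
    return "high" if any("ReadWrite" in p for p in permissions) else "medium"


def audit_oauth_apps(apps, sensitive=SENSITIVE_APP_PERMISSIONS):
    """Return findings for apps holding sensitive app-only permissions,
    sorted by severity then name. Each finding records the permissions,
    the total number of credentials (more than one is worth explaining,
    since a stolen extra secret is the supply-chain abuse pattern), and
    any delegated permissions over the same data for follow-up review."""
    findings = []
    for app in apps:
        hits = sorted(p for p in app["appRoles"] if p in sensitive)
        if not hits:
            continue
        findings.append({
            "app": app["displayName"],
            "appId": app["appId"],
            "severity": classify(hits),
            "permissions": hits,
            "why": [sensitive[p] for p in hits],
            "credentials": app["keyCredentials"] + app["passwordCredentials"],
            "delegated_overlap": sorted(p for p in app["delegated"] if p in sensitive),
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["app"]))
    return findings


def apps_without_app_only_findings(apps, sensitive=SENSITIVE_APP_PERMISSIONS):
    """Lower-priority list: apps whose only sensitive grants are delegated."""
    return sorted(a["displayName"] for a in apps
                  if not any(p in sensitive for p in a["appRoles"])
                  and any(p in sensitive for p in a["delegated"]))


if __name__ == "__main__":
    for f in audit_oauth_apps(SAMPLE_APPS):
        print(f"[{f['severity'].upper()}] {f['app']} ({f['appId']}): "
              f"{', '.join(f['permissions'])}; credentials={f['credentials']}")
    print("delegated-only, review later:", apps_without_app_only_findings(SAMPLE_APPS))
```

Feeding this from a real tenant means exporting service principals with their app-role assignments and credential lists; the same ranking then tells you which applications to review first for excess permissions, unexplained secrets, and for Graph API activity against mailboxes and document libraries that does not match the application's stated purpose.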