# Full Report
US Justice Department charges employees of Chinese IT contractor i-Soon. Silk Typhoon targets the IT supply chain for initial access. Chrome extensions that change shape. Attackers target Apache Airflow misconfigurations. LibreOffice vulnerability opens the door to script-based attacks. NSO Group leaders face charges in spyware case. Today, our own Dave Bittner is our guest, appearing on the Adopting Zero Trust podcast at ThreatLocker's Zero Trust World 2025 event with hosts Elliot Volkman and Neal Dennis and guest Dr. Chase Cunningham. And turning $1B into thin air.
# Analysis Summary
# Threat Actor: SILK TYPHOON
## Attribution & Identity
The threat actor is associated with espionage activities targeting the IT supply chain, potentially linked to Chinese state-sponsored interests, as indicated by US Justice Department charges against employees of the Chinese IT contractor **i-Soon**.
## Activity Summary
SILK TYPHOON is actively targeting the IT supply chain to gain initial access into downstream organizations. The reporting in this context centers on the US charges against individuals linked to i-Soon and points to supply chain compromise as the primary access vector.
## Tactics, Techniques & Procedures
- Supply chain targeting for initial access.
- *(Note: Specific granular TTPs or MITRE ATT&CK IDs are not detailed in the provided summary context, beyond the high-level supply chain focus.)*
## Targeting
- Sectors: IT Supply Chain, US Treasury (in related reporting context).
- Geography: Not explicitly stated, but associated actors (i-Soon employees) are Chinese nationals, and targets include the US Treasury department.
- Victims: IT infrastructure providers and organizations that rely on them.
## Tools & Infrastructure
- *(Note: No specific malware names or infrastructure details were provided in the context snippet related to SILK TYPHOON.)*
## Implications
The continued focus on the IT supply chain (via groups like SILK TYPHOON and i-Soon linked actors) presents a significant risk, as compromising a third-party vendor can grant wide-ranging access across multiple downstream victims.
## Mitigations
- Focus on securing the IT supply chain against initial access compromises.
- Implement robust vendor risk management programs.
***
# Other Notable Actors/Events Mentioned
The provided context also referenced activities by or against:
1. **i-Soon Employees:** Charged by the US DOJ for cyberattacks. (Attribution: Chinese Nationals)
2. **NSO Group Leaders:** Facing charges in a spyware case in a Catalan court. (Attribution: NSO Group)
3. **North Koreans (DPRK):** Completed the initial laundering stage after stealing over $1 billion from Bybit. (Motivation: Financial)
4. **Unknown Actors:** Exploiting/using malicious Chrome extensions that spoof password managers, and exploiting a LibreOffice vulnerability allowing script-based attacks.
*Note: These actors do not receive a full structured summary as the primary focus directive was on actors detailed in the context, and SILK TYPHOON was the most clearly identified group linked to a specific TTP (supply chain targeting).*