The China-lined threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics to target the information technology (IT) supply chain as a means to obtain initial access to corporate networks.
That’s according to new findings from the Microsoft Threat Intelligence team, which said the Silk Typhoon (formerly Hafnium) hacking group is now targeting IT solutions like remote management tools and cloud applications to obtain a foothold.
“After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives,” the tech giant said in a report published today.
The adversarial collective is assessed to be “well-resourced and technically efficient,” swiftly putting to use exploits for zero-day vulnerabilities in edge devices for opportunistic attacks that allow them to scale their attacks at scale and across a wide range of sectors and regions.
This includes information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), energy, and others located in the United States and throughout the world.
Silk Typhoon has also been observed relying on various web shells to achieve command execution, persistence, and data exfiltration from victim environments. It’s also said to have demonstrated a keen understanding of cloud infrastructure, further allowing it to move laterally and harvest data of interest.
At least since late 2024, the attackers have been linked to a new set of methods, chief among which concerns the abuse of stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies to conduct supply chain compromises of downstream customers.
“Leveraging access obtained via the API key, the actor performed reconnaissance and data collection on targeted devices via an admin account,” Microsoft said, adding targets of this activity mainly encompassed the state and local government, as well as the IT sector.
Some of the other initial access routes adopted by Silk Typhoon entail the zero-day exploitation of a security flaw in Ivanti Pulse Connect VPN (CVE-2025-0282) and the use of password spray attacks using enterprise credentials surfaced from leaked passwords on public repositories hosted on GitHub and others.
Also exploited by the threat actor as a zero-day are –
- CVE-2024-3400, a command injection flaw in Palo Alto Networks firewalls
- CVE-2023-3519, An unauthenticated remote code execution (RCE) vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway
- CVE-2021-26855 (aka ProxyLogon), CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, a set of vulnerabilities impacting Microsoft Exchange Server
A successful initial access is followed by the threat actor taking steps to move laterally from on-premises environments to cloud environments, and leverage OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via the MSGraph API.
In an attempt to obfuscate the origin of their malicious activities, Silk Typhoon relies on a “CovertNetwork” comprising compromised Cyberoam appliances, Zyxel routers, and QNAP devices, a hallmark of several Chinese state-sponsored actors.
“During recent activities and historical exploitation of these appliances, Silk Typhoon utilized a variety of web shells to maintain persistence and to allow the actors to remotely access victim environments,” Microsoft said.
