Chinese espionage group Silk Typhoon shifts focus to supply chain attacks


Silk Typhoon, an espionage-focused Chinese hacker group previously known as Hafnium, is changing its tactics and focusing on supply chain attacks.

The group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access, claims Microsoft Threat Intelligence in its latest report.

The researchers say they have closely monitored Silk Typhoon since 2024 and observed patterns in its recent activity, which primarily targets governments and IT companies.


The hackers use stolen API keys to access downstream customers of the compromised companies and perform reconnaissance and data collection via an admin account. They also plant malicious scripts, create additional users, and clear logs after performing their actions.

Silk Typhoon has also been observed spying on companies using password spraying attacks, leveraging leaked corporate passwords on public repositories such as GitHub.

According to Microsoft, the group typically targets victims with zero-day exploits, vulnerable third-party services or software providers, and compromised credentials.

After compromising a company, the attackers move from on-premises to cloud environments, where they look to dump Active Directory, steal passwords stored in key vaults, and escalate privileges.

While analyzing post-compromise tradecraft, Microsoft identified Silk Typhoon abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via Microsoft Graph.


“Throughout their use of this technique, Silk Typhoon has been observed gaining access to an application that was already consented within the tenant to harvest email data and adding their own passwords to the application. Using this access, the actors can steal email information via the MSGraph API,” reads the report.
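The technique quoted above leaves a trail in the tenant's audit log: a new secret or certificate is added to an application that already holds mail or file permissions. The following is an added detection example (not code from Microsoft's report) that scans constructed Entra ID audit records for exactly that pattern; the audit operation names, field names and sample values are assumptions to verify against your own tenant's logs.

```python
import json

# Constructed sample records shaped like Microsoft Entra ID audit log entries.
# The operation names are assumed to match the tenant's audit log; check them.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2025-03-05T10:02:11Z", "operationName": "Update application – Certificates and secrets management", "initiatedBy": "svc-legacy-sync@example.test", "targetDisplayName": "Mail Archiver", "targetId": "app-0001"}
{"activityDateTime": "2025-03-05T10:03:40Z", "operationName": "Consent to application", "initiatedBy": "admin@example.test", "targetDisplayName": "HR Portal", "targetId": "app-0002"}
{"activityDateTime": "2025-03-05T10:05:02Z", "operationName": "Add service principal credentials", "initiatedBy": "svc-legacy-sync@example.test", "targetDisplayName": "SharePoint Backup", "targetId": "app-0003"}
{"activityDateTime": "2025-03-05T11:15:00Z", "operationName": "Update application – Certificates and secrets management", "initiatedBy": "devops@example.test", "targetDisplayName": "Build Bot", "targetId": "app-0004"}
"""

# Constructed inventory of the Graph application roles each app already holds
# (in a real tenant this comes from the app role assignments of each service
# principal). Mail, OneDrive and SharePoint roles are the ones the article's
# exfiltration relies on.
APP_PERMISSIONS = {
    "app-0001": {"Mail.Read"},
    "app-0002": {"User.Read"},
    "app-0003": {"Sites.Read.All", "Files.Read.All"},
    "app-0004": {"Application.Read.All"},
}

# Audit operations that add a password or certificate to an app / service principal.
CREDENTIAL_OPS = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}
# Graph roles that grant access to mailbox, OneDrive or SharePoint data.
DATA_ACCESS_ROLES = {
    "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}


def flag_credential_additions(audit_log, app_permissions, approved_actors):
    """Return (targetId, initiatedBy) for every credential added to an app that
    already holds data-access roles, by an actor not approved to rotate secrets."""
    flagged = []
    for line in audit_log.strip().splitlines():
        event = json.loads(line)
        if event["operationName"] not in CREDENTIAL_OPS:
            continue  # not a credential change
        if not app_permissions.get(event["targetId"], set()) & DATA_ACCESS_ROLES:
            continue  # app cannot read mail or files, lower priority
        if event["initiatedBy"] in approved_actors:
            continue  # expected rotation by a known identity
        flagged.append((event["targetId"], event["initiatedBy"]))
    return flagged
```

Feeding the output into an alert pipeline and pairing it with subsequent Graph sign-ins from the flagged application catches the credential addition before the mailbox reads start.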

Silk Typhoon is best known for the Microsoft Exchange Server data breach in 2021, which led to attacks against thousands of companies. More recently, in March 2024, the group used a zero-day exploit in GlobalProtect Gateway on Palo Alto Networks firewalls to compromise multiple organizations.
