China-Linked Silk Typhoon Hackers Shift Focus to IT Supply Chain Attacks

The Silk Typhoon hacking group, previously known as Hafnium, has evolved its tactics, now targeting IT supply chains to gain entry into corporate networks, according to a new report from Microsoft Threat Intelligence.

Key Developments in Silk Typhoon’s Strategy

  • Shifting Focus to IT Solutions – Instead of solely exploiting zero-day vulnerabilities, the group now leverages remote management tools, cloud applications, and stolen credentials to infiltrate organizations.
  • Expanding Target Scope – Their attacks now affect a wide range of industries, including IT services, managed service providers (MSPs), healthcare, legal, government, defense, NGOs, and energy sectors across the U.S. and globally.
  • Advanced Cloud Exploitation – Silk Typhoon has demonstrated deep knowledge of cloud infrastructure, allowing lateral movement and data theft from Microsoft services and other cloud platforms.

New Tactics and Exploited Vulnerabilities

Since late 2024, Silk Typhoon has been observed:

  • Abusing stolen API keys and privileged credentials from cloud providers and IT management firms to compromise downstream customers.
  • Exploiting zero-day vulnerabilities, including:
    • CVE-2025-0282 (Ivanti Pulse Connect VPN)
    • CVE-2024-3400 (Palo Alto Networks firewall command injection flaw)
    • CVE-2023-3519 (Citrix NetScaler ADC/Gateway RCE)
    • Microsoft Exchange vulnerabilities (ProxyLogon and related flaws)

Stealth and Persistence Techniques

  • Use of Web Shells – Silk Typhoon deploys various web shells for command execution, persistence, and data exfiltration.
  • "CovertNetwork" Infrastructure – The group hides its activities using compromised Cyberoam appliances, Zyxel routers, and QNAP devices, a technique common among Chinese state-sponsored actors.
  • OAuth Abuse for Cloud Data Theft – Once inside a network, the hackers leverage admin-level OAuth permissions to extract emails, OneDrive, and SharePoint data via the Microsoft Graph (MSGraph) API.
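The OAuth abuse described above works because an application or admin-consented grant holding tenant-wide Graph permissions such as Mail.Read, Files.Read.All or Sites.Read.All can read every mailbox, OneDrive and SharePoint site without any user signing in. The following audit script is an added example written for this summary; it is not code from Microsoft's report. It runs over a constructed inventory of grants in a simplified record shape (in a real tenant the records come from the Graph `oauth2PermissionGrants` and `appRoleAssignments` endpoints, and application permissions arrive as role GUIDs that must be resolved against the resource's app roles, which this example skips). It flags app-only and admin-consented grants of data-reading scopes, and separately marks any grant created recently so it can be matched against change records.

```python
"""
Audit service-principal permission grants for the Graph scopes that enable
bulk mailbox / OneDrive / SharePoint reads.  Added example with constructed
sample data; the Grant record shape is a simplification of Graph's objects.
"""
from dataclasses import dataclass
from datetime import date

# Microsoft Graph permission names that allow reading the data classes named
# in the report.  Tenant-wide when held as application permissions or as
# admin-consented delegated scopes.
DATA_THEFT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All",
}


@dataclass
class Grant:
    app_name: str
    app_id: str          # service principal appId; GUIDs below are constructed
    grant_type: str      # "Application" (app-only) or "Delegated"
    scope: str           # space-separated, as in oauth2PermissionGrant.scope
    consent_type: str    # "AllPrincipals" (admin consent for all users) or "Principal"
    created: date


@dataclass
class Finding:
    app_name: str
    severity: str        # "high", "medium" or "review"
    reason: str


def parse_scopes(scope_string: str) -> set[str]:
    """Graph stores delegated scopes as a single space-separated string."""
    return {s for s in scope_string.split() if s}


def assess(grant: Grant, today: date, new_days: int = 30) -> list[Finding]:
    """Return the findings for one grant (empty list when nothing is notable)."""
    findings: list[Finding] = []
    risky = parse_scopes(grant.scope) & DATA_THEFT_SCOPES
    if risky:
        listed = ", ".join(sorted(risky))
        if grant.grant_type == "Application":
            # No signed-in user needed: every mailbox, drive and site is readable.
            findings.append(Finding(grant.app_name, "high",
                f"app-only permission(s) {listed} grant tenant-wide data access"))
        elif grant.consent_type == "AllPrincipals":
            # Admin consent lets the app act as any user in the tenant.
            findings.append(Finding(grant.app_name, "high",
                f"admin-consented delegated scope(s) {listed} apply to all users"))
        else:
            findings.append(Finding(grant.app_name, "medium",
                f"per-user delegated scope(s) {listed}"))
    if (today - grant.created).days <= new_days:
        # New grants are where a freshly planted OAuth app would show up.
        findings.append(Finding(grant.app_name, "review",
            f"grant created {grant.created.isoformat()}, within {new_days} days; "
            "confirm against change records"))
    return findings


def audit(grants: list[Grant], today: date) -> list[Finding]:
    """Assess every grant and order findings by severity, then app name."""
    order = {"high": 0, "medium": 1, "review": 2}
    results = [f for g in grants for f in assess(g, today)]
    return sorted(results, key=lambda f: (order[f.severity], f.app_name))


# Constructed sample inventory (names, GUIDs and dates are made up).
AUDIT_DATE = date(2025, 3, 5)
SAMPLE_GRANTS = [
    Grant("Contoso Backup Connector", "11111111-0000-0000-0000-000000000001",
          "Application", "Mail.Read Files.Read.All Sites.Read.All",
          "AllPrincipals", date(2023, 6, 2)),
    Grant("Helpdesk Mailbox Viewer", "11111111-0000-0000-0000-000000000002",
          "Delegated", "Mail.Read User.Read", "AllPrincipals", date(2025, 2, 20)),
    Grant("Expense Report App", "11111111-0000-0000-0000-000000000003",
          "Delegated", "User.Read offline_access", "Principal", date(2022, 1, 10)),
    Grant("Legacy Sync Tool", "11111111-0000-0000-0000-000000000004",
          "Delegated", "Files.Read.All", "Principal", date(2024, 9, 1)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, AUDIT_DATE):
        print(f"[{f.severity:6}] {f.app_name}: {f.reason}")
```

On the sample data the two tenant-wide grants surface as high-severity findings, the per-user Files.Read.All grant as medium, and the helpdesk app is additionally marked for review because its grant is less than 30 days old. Against a live tenant the same logic applies once the Graph records are mapped into the Grant shape, with the app-role GUID resolution noted above added.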

With these refined and scalable attack methods, Silk Typhoon continues to pose a significant threat to IT infrastructure and global enterprises, reinforcing the need for robust cybersecurity measures to counter supply chain compromises.