Chinese Espionage Group Silk Typhoon Adopts New Tactics to Exploit IT Solutions

Microsoft Threat Intelligence has reported a notable shift in the tactics of Silk Typhoon, a Chinese state-sponsored espionage group known for opportunistic and technically capable attacks. Long associated with zero-day exploitation, the group is now also targeting commonly used IT solutions, including remote management tools and cloud applications, as a route into victim networks. The change underscores how much third-party software has become an entry point for nation-state actors.

Expanding the Attack Surface

While Microsoft has not observed Silk Typhoon directly targeting Microsoft's own cloud services, the group has been exploiting unpatched applications to escalate privileges and move laterally within victim environments. A recurring pattern is the theft of API keys and credentials from a service provider, which then gives the group access to that provider's downstream customers. This approach has let the group breach organizations across healthcare, legal, higher education, government, defense, and energy.

Ensar Seker, Chief Security Officer at SOCRadar, highlighted the significance of this shift:

“Microsoft’s latest disclosure about Silk Typhoon signals a significant shift in cyber threat tactics. Instead of relying on direct exploits, they’re now targeting common IT solutions like remote management tools and cloud applications. This move aligns with a broader trend where adversaries exploit trusted third-party applications and supply chains to gain access to organizations.”
“This method allows them to infiltrate multiple targets simultaneously by exploiting stolen API keys, credentials, and vulnerabilities in commonly used applications.”

Supply Chain Attacks: The Weakest Link

Silk Typhoon's new tradecraft resembles high-profile supply chain breaches such as SolarWinds and MOVEit. The group has been observed targeting privileged access management (PAM) systems, cloud application providers, and cloud data management firms in order to reach those vendors' downstream customers. Once in, its tactics include resetting admin accounts via stolen API keys, deploying web shells, creating additional user accounts, and clearing activity logs to cover its tracks.

“Third party as an attack vector is reminiscent of high-profile supply chain breaches like SolarWinds and MOVEit,” Seker noted. “Threat actors recognize that exploiting a single vendor can open doors to a wide range of targets, making IT supply chains one of the biggest cybersecurity weak points.”

Credential Abuse and Lateral Movement

Silk Typhoon has also been gaining initial access through password spray attacks and leaked corporate credentials found in public repositories such as GitHub. Once inside a network, the group extracts secrets from key vaults, dumps Active Directory credentials, and compromises Microsoft Entra Connect (formerly Azure AD Connect) servers, which hold the synchronization credentials bridging on-premises AD and the cloud tenant. Compromising that bridge lets the group escalate privileges and maintain persistence across both on-premises and cloud environments.

A particularly concerning aspect of their tactics is the abuse of service principals and OAuth applications to pull email, OneDrive, and SharePoint data through the Microsoft Graph API. Because these applications already hold consented permissions, the resulting data access looks like legitimate application traffic and can exfiltrate sensitive information without triggering traditional security alerts.
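The first defensive step against that technique is knowing which service principals in the tenant already hold tenant-wide Graph application permissions over mail, files and sites. The following Python audit is an added example written for this page, not Microsoft's code or a Microsoft tool: it runs over a constructed, simplified export in which each service principal's Graph app-role assignments are already resolved to permission names (a real `appRoleAssignment` carries a GUID `appRoleId` that you would resolve against Graph's `appRoles` first), and the watchlist of high-impact permissions and the `consentedOn` field are the editor's assumptions.

```python
"""Audit Entra ID service principals for Microsoft Graph application permissions
that grant tenant-wide access to mail, OneDrive and SharePoint data.

Added example for this page; the input shape is a simplified, constructed export."""
from datetime import datetime, timedelta, timezone

# Graph *application* permissions that let an app read tenant data with no user
# present. Assumption: this watchlist is the editor's starting point, not an
# official list; extend it for your tenant.
DATA_ACCESS_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}

# Constructed sample export (not real tenant data). Each entry lists the Graph
# permissions already resolved from appRoleId GUIDs to their permission value.
SAMPLE_SERVICE_PRINCIPALS = [
    {
        "displayName": "Backup Connector",
        "appId": "11111111-1111-1111-1111-111111111111",
        "consentedOn": "2025-03-01T08:15:00Z",
        "graphPermissions": [
            {"value": "Mail.Read", "type": "Application"},
            {"value": "Files.Read.All", "type": "Application"},
        ],
    },
    {
        "displayName": "Intranet Dashboard",
        "appId": "22222222-2222-2222-2222-222222222222",
        "consentedOn": "2023-06-10T12:00:00Z",
        # Delegated User.Read acts only on behalf of a signed-in user: not flagged.
        "graphPermissions": [{"value": "User.Read", "type": "Delegated"}],
    },
    {
        "displayName": "HR Sync",
        "appId": "33333333-3333-3333-3333-333333333333",
        "consentedOn": "2024-01-20T09:00:00Z",
        "graphPermissions": [{"value": "Sites.Read.All", "type": "Application"}],
    },
]


def _parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_service_principals(sps, now=None, recent_days=30):
    """Return one finding per service principal holding watchlisted application
    permissions. A grant consented within `recent_days` is rated high, because a
    newly consented app is exactly what an attacker-registered app looks like."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for sp in sps:
        risky = sorted(
            p["value"] for p in sp["graphPermissions"]
            if p["type"] == "Application" and p["value"] in DATA_ACCESS_PERMISSIONS
        )
        if not risky:
            continue
        recent = _parse_utc(sp["consentedOn"]) >= cutoff
        findings.append({
            "displayName": sp["displayName"],
            "appId": sp["appId"],
            "permissions": risky,
            "recentlyConsented": recent,
            "severity": "high" if recent else "medium",
        })
    # High-severity findings first, then alphabetical for a stable report.
    findings.sort(key=lambda f: (f["severity"] != "high", f["displayName"]))
    return findings


if __name__ == "__main__":
    as_of = datetime(2025, 3, 10, tzinfo=timezone.utc)  # fixed clock for the sample
    for f in audit_service_principals(SAMPLE_SERVICE_PRINCIPALS, now=as_of):
        print(f"[{f['severity']}] {f['displayName']} ({f['appId']}): "
              f"{', '.join(f['permissions'])}"
              f"{' (consented in last 30 days)' if f['recentlyConsented'] else ''}")
```

Every medium finding deserves an owner and a justification; every high finding should be treated as an incident until the consent is explained, and the review should be repeated on a schedule, since the point of this technique is that the permissions were legitimately granted once and then quietly reused.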

“While Microsoft states that Silk Typhoon hasn’t directly targeted its cloud services, the group is leveraging unpatched applications to escalate privileges and move laterally within networks,” Seker added. “This highlights the ongoing challenge of securing cloud environments, where stolen credentials can grant adversaries persistent access.”

Exploiting Zero-Day Vulnerabilities

Silk Typhoon’s history of zero-day exploitation remains a key component of its operations. The group has successfully compromised vulnerabilities in Ivanti Pulse Connect VPN, Palo Alto Networks GlobalProtect Gateway, Citrix NetScaler ADC, and Microsoft Exchange Servers. Their ability to swiftly operationalize newly discovered exploits has positioned them as one of the most technically advanced Chinese state actors.

In January 2025, Microsoft observed Silk Typhoon exploiting CVE-2025-0282, a critical zero-day in Ivanti Pulse Connect VPN (the product now sold as Ivanti Connect Secure). Microsoft reported the activity to Ivanti, which led to a rapid patch. A zero-day by definition is exploited before a fix exists; what the group's track record shows is that it keeps working the same flaws against unpatched systems long after disclosure, so the speed with which a published fix is applied still decides who gets breached.

The Road Ahead: Strengthening Defenses

Microsoft is urging organizations to adopt a proactive security posture to counter Silk Typhoon’s evolving tactics. Key recommendations include:

  • Patch management: Ensure all public-facing devices and applications are up to date.

  • Monitor service principals: Regularly audit permissions and activity related to OAuth applications.

  • Enhance identity protection: Implement multifactor authentication (MFA) and conditional access policies.

  • Secure privileged accounts: Restrict admin-level access and monitor anomalous sign-ins.

  • Inspect log activity: Analyze VPN logs, Entra Connect activity, and cloud API access patterns.
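The credential-abuse pattern described above, one source spraying a single guess across many accounts, is visible in Entra sign-in logs if you look for the right shape: one IP producing invalid-password failures for many distinct users inside a short window, followed by a success from the same IP. The detector below is an added example written for this page (not Microsoft's detection logic or a product rule) and runs over a constructed batch of sign-in records trimmed to the fields it needs; the 10-minute window, the five-user threshold and the use of error code 50126 for "invalid password" are the editor's assumptions.

```python
"""Flag password-spray activity in Entra ID sign-in records: one source IP failing
against many distinct accounts within a short window, plus any later success
from that IP against one of the sprayed accounts.

Added example for this page; the records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # Entra sign-in error code for a wrong password (assumption)
SUCCESS = 0               # errorCode 0 means the sign-in succeeded


def _rec(ts, upn, ip, code):
    """Build one trimmed sign-in record in the shape used below."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: 203.0.113.7 tries six accounts in six minutes and then logs
# in as erin; 198.51.100.9 is one user mistyping their own password three times;
# 192.0.2.44 is an ordinary successful sign-in.
SAMPLE_SIGNINS = [
    *(_rec(f"2025-03-05T02:0{i}:00Z", f"{u}@contoso.example", "203.0.113.7", INVALID_PASSWORD)
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])),
    _rec("2025-03-05T02:07:00Z", "erin@contoso.example", "203.0.113.7", SUCCESS),
    _rec("2025-03-05T02:00:00Z", "alice@contoso.example", "198.51.100.9", INVALID_PASSWORD),
    _rec("2025-03-05T02:02:00Z", "alice@contoso.example", "198.51.100.9", INVALID_PASSWORD),
    _rec("2025-03-05T02:04:00Z", "alice@contoso.example", "198.51.100.9", INVALID_PASSWORD),
    _rec("2025-03-05T09:30:00Z", "bob@contoso.example", "192.0.2.44", SUCCESS),
]


def _parse_utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_password_spray(signins, window=timedelta(minutes=10), min_users=5):
    """Return one finding per source IP whose invalid-password failures span at
    least `min_users` distinct accounts within any `window`, listing which of the
    sprayed accounts the IP later signed into successfully."""
    by_ip = defaultdict(list)
    for rec in signins:
        by_ip[rec["ipAddress"]].append(
            (_parse_utc(rec["createdDateTime"]), rec["userPrincipalName"],
             rec["status"]["errorCode"]))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        failures = [e for e in events if e[2] == INVALID_PASSWORD]
        # Slide a window over the sorted failures; keep the densest set of users.
        best_users, best_start = set(), None
        for i, (t0, _, _) in enumerate(failures):
            users = {u for t, u, _ in failures[i:] if t - t0 <= window}
            if len(users) > len(best_users):
                best_users, best_start = users, t0
        if len(best_users) < min_users:
            continue
        compromised = sorted({u for t, u, code in events
                              if code == SUCCESS and t >= best_start and u in best_users})
        findings.append({
            "ipAddress": ip,
            "windowStart": best_start.isoformat(),
            "distinctUsers": len(best_users),
            "users": sorted(best_users),
            "successAfterSpray": compromised,
        })
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f"spray from {f['ipAddress']} at {f['windowStart']}: "
              f"{f['distinctUsers']} accounts; succeeded as {f['successAfterSpray'] or 'none'}")
```

Tune the threshold to the tenant: a shared NAT egress for a large office will legitimately produce failures for several users, so the strongest signal is the success that follows the spray, and an account in `successAfterSpray` should have its sessions revoked and credentials reset before anything else.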

Seker emphasized the need for a paradigm shift in cybersecurity strategies:

“This development is yet another wake-up call that nation-state cyber operations are becoming more refined, leveraging trusted IT solutions to remain stealthy and persistent. Organizations must move beyond traditional perimeter defenses and adopt a proactive security posture to counter this evolving threat landscape.”

As Silk Typhoon continues to adapt, organizations need to treat their vendors, management tools and consented cloud applications as part of their own attack surface and watch them accordingly. Nation-state espionage is shifting toward the trusted plumbing of IT, and the defenders who fare best will be those who audit that plumbing before an adversary does.