Pierluigi Paganini
March 05, 2025
Microsoft reported that China-linked APT group Silk Typhoon has shifted tactics to target IT solutions like remote management tools and cloud apps for initial access.
Silk Typhoon is a China-linked cyber espionage group involved in the cyber attack against the US Treasury.
Though not directly attacking Microsoft cloud services, they exploit unpatched apps to escalate privileges and gain access to customer networks. Using stolen credentials, they abuse various applications for espionage.
This Chinese APT has one of the widest targeting scopes. Microsoft experts observed the group exploiting vulnerabilities opportunistically by swiftly acting on scanning discoveries.
Silk Typhoon targets multiple sectors worldwide, including information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), and energy. The group has been active since 2020, they use web shells for command execution and data theft.
Silk Typhoon demonstrates a deep knowledge of cloud environments that allow the group to move laterally, maintain persistence, and exfiltrate data. The group has been active since at least 2020, they use web shells for command execution and data theft. Microsoft has notified affected customers and is raising awareness to help mitigate Silk Typhoon’s threats, offering guidance to disrupt their operations and enhance security defenses.
The APT group gains initial access to target infrastructure via zero-day exploits, vulnerable third-party services, and compromised credentials, targeting IT providers and RMM solutions. In January 2025, they exploited a zero-day in Ivanti Pulse Connect VPN (CVE-2025-0282).
Then, the threat actors move laterally from on-premises to cloud environments by dumping Active Directory, stealing passwords from key vaults, and escalating privileges. The group targets AADConnect (now Entra Connect) servers, which sync on-prem AD with Entra ID. The attackers used to compromise these servers to escalate privileges, access both environments, and expand their reach.
Silk Typhoon abuses service principals and OAuth applications with admin permissions to exfiltrate email, OneDrive, and SharePoint data via MSGraph. They hijack consented applications, add their own passwords, and steal email data. They also compromise multi-tenant apps, enabling lateral movement across tenants. In some cases, they create Entra ID apps disguised as legitimate services to facilitate data theft.
Microsoft also observed the APT group using covert networks to hide their activities. Attackers rely on a collection of egress IPs consisting of compromised or leased devices to make the attribution hard.
“Silk Typhoon was observed utilizing a covert network that is comprised of compromised Cyberoam appliances, Zyxel routers, and QNAP devices.” reads the analysis published by Microsoft. “The use of covert networks has become a common tactic among various threat actors, particularly Chinese threat actors.”
Microsoft has alerted affected customers and is raising awareness, offering guidance to mitigate Silk Typhoon’s threats and disrupt their operations.
“Silk Typhoon is not known to use their own dedicated infrastructure in their operations. Typically, the threat actor uses compromised covert networks, proxies, and VPNs for infrastructure, likely to obfuscate their operations.” concludes the report. “However, they have also been observed using short-lease virtual private server (VPS) infrastructure to support their operations”
The IT giant also published recommendations to allow customers to detect and mitigate the APT’s activity.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, APT)
