Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
Downstream victims of Silk Typhoon's supply-chain attacks were largely focused in the state and local government as well as the IT sector.

New Microsoft threat research on Wednesday detailed the IT supply chain compromise tactics of a well-known Chinese cyber-espionage group. The actor, Silk Typhoon, abused stolen API keys and credentials related to privileged access management, cloud app providers, and cloud data management firms in order to attack these companies’ downstream customers, said researchers.
Microsoft outlined the Silk Typhoon techniques it observed since late 2024, which showed that the victims of the downstream compromise activity largely involved state and local governments as well as the IT sector.
“Microsoft Threat Intelligence identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access,” said researchers. “While they haven’t been observed directly targeting Microsoft cloud services, they do exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities.”
Key Details:
- Silk Typhoon’s initial access vectors included zero-day exploit attacks and the targeting of third-party services and software providers. The group also leveraged compromised credentials (via password spray attacks or the discovery of passwords through reconnaissance). In some cases, the group used corporate passwords that were leaked on public repositories like GitHub.
- After compromising certain companies, the threat actors first used API keys stolen from these firms to then access their downstream customers, performing reconnaissance and data collection (specifically for data related to China-based interests, U.S. government policy or information related to law enforcement investigations) on targeted devices through admin accounts.
- Additionally, the threat actors took several persistence and detection evasion measures, including resetting default admin accounts via API keys, executing web shells, creating additional users and clearing the logs related to their activity.
The Background: The threat group, which Microsoft has tracked since 2020 and categorized as Silk Typhoon (also known as Hafnium), has one of the largest targeting footprints among Chinese state actors, due in part to its ability to rapidly operationalize exploits for zero-day flaws.
“As a result, Silk Typhoon has been observed targeting a wide range of sectors and geographic regions, including but not limited to information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), energy, and others located in the United States and throughout the world,” said researchers with Microsoft.
Why It Matters: In addition to its techniques centered around IT supply-chain compromise, researchers found Silk Typhoon leveraging several other tactics. In more recent attacks, the group utilized newer zero-day exploits to target networks. For instance, in January Silk Typhoon was seen exploiting a zero-day flaw in public-facing Ivanti Pulse Connect VPNs (CVE-2025-0282).
Microsoft researchers also found the group abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph.
“Throughout their use of this technique, Silk Typhoon has been observed gaining access to an application that was already consented within the tenant to harvest email data and adding their own passwords to the application,” said researchers. “Using this access, the actors can steal email information via the MSGraph API.”
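A defender-side check for the technique described above, as an added example that is not part of Microsoft's report or this article: it scans constructed Entra ID audit events for credentials added to applications whose existing consent already covers mail, OneDrive or SharePoint Graph scopes. The audit activity names, record field names and scope list are assumptions.

```python
"""Flag new credentials added to already-consented Entra ID applications
that hold mail, OneDrive or SharePoint Graph permissions.
All event records and the consent map below are constructed sample data
shaped after Entra audit-log fields; the field and activity names are
assumptions, not a documented schema."""

# Assumed audit activity names under which secret/certificate additions appear.
CREDENTIAL_ADD_ACTIVITIES = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}

# Graph scopes that let an app read the data the report says was exfiltrated.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All"}

# Constructed: appId -> scopes an admin previously consented to for that app.
CONSENTED_SCOPES = {
    "app-mail-archiver": {"Mail.Read", "User.Read"},
    "app-ticketing": {"User.Read"},
}

# Constructed audit events (not real log data).
AUDIT_EVENTS = [
    {"activityDateTime": "2025-01-10T02:14:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": "svc-admin@example.test", "targetAppId": "app-mail-archiver"},
    {"activityDateTime": "2025-01-10T09:00:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": "it-ops@example.test", "targetAppId": "app-ticketing"},
    {"activityDateTime": "2025-01-11T11:30:00Z",
     "activityDisplayName": "Consent to application",
     "initiatedBy": "it-ops@example.test", "targetAppId": "app-mail-archiver"},
]


def suspicious_credential_adds(events, consented=CONSENTED_SCOPES):
    """Return (appId, actor, sorted scopes) for every credential-add event whose
    target app already holds a sensitive Graph scope via prior consent."""
    hits = []
    for ev in events:
        if ev["activityDisplayName"] not in CREDENTIAL_ADD_ACTIVITIES:
            continue  # not a secret/certificate change
        risky = consented.get(ev["targetAppId"], set()) & SENSITIVE_SCOPES
        if risky:
            hits.append((ev["targetAppId"], ev["initiatedBy"], sorted(risky)))
    return hits


if __name__ == "__main__":
    for app, actor, scopes in suspicious_credential_adds(AUDIT_EVENTS):
        print(f"review: new credential on {app} added by {actor}; scopes {scopes}")
```

Each hit is a prompt to confirm the change with the listed actor and, if unexplained, to revoke the new credential and review the app's sign-in and Graph activity.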
The Big Picture: Several Chinese threat actors have been linked to substantial espionage incidents over the past year impacting sensitive U.S. data, including a major breach of telecom networks by Salt Typhoon, a separate Chinese threat actor, last year.
Earlier this year, Silk Typhoon was linked by a Bloomberg report to a December 2024 hack on the Office of Foreign Assets Control (OFAC) agency, which is part of the Department of the Treasury. In that attack, the threat actors used a stolen API key belonging to third-party security company BeyondTrust to gain access.