Microsoft Threat Intelligence has released a detailed report on Silk Typhoon, a sophisticated Chinese state-sponsored espionage group that has evolved its attack methods to focus on IT supply chain targets. The group now exploits common IT solutions like remote management tools and cloud applications to gain initial access to targeted networks.
According to Microsoft's research, the Silk Typhoon is "a well-resourced and technically efficient group" with one of the largest targeting footprints among Chinese threat actors. The group operates opportunistically, rapidly exploiting vulnerabilities discovered during scanning operations.
Since late 2024, Microsoft has observed Silk Typhoon abusing stolen API keys and credentials associated with privileged access management (PAM) systems, cloud providers, and data management companies. This technique allows them to access downstream customer environments after compromising an initial target.
"After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives," the report states.
The group targets a wide range of sectors including IT services, healthcare, legal services, higher education, defense, government organizations, NGOs, and energy companies primarily in the United States but also worldwide.
In January 2025, Microsoft observed the Silk Typhoon exploiting a zero-day vulnerability (CVE-2025-0282) in Ivanti Pulse Connect VPN. The group has previously exploited vulnerabilities in Microsoft Exchange Servers, Palo Alto Networks firewalls, and Citrix NetScaler appliances.
Microsoft recommends organizations implement several mitigation strategies, including:
- Patching all public-facing devices
- Auditing privilege levels of applications and service principals
- Monitoring for unusual service principal sign-ins
- Building strong credential hygiene with least-privilege access
- Implementing multi-factor authentication
- Using Microsoft's detection and hunting capabilities
The report emphasizes the importance of robust security practices as the Silk Typhoon continues to demonstrate sophisticated cloud environment knowledge and supply chain exploitation techniques.