
The cyber threat group known as Silk Typhoon, previously identified as Hafnium, has shifted its focus towards exploiting the information technology (IT) supply chain to gain initial access to corporate networks. This development follows their earlier exploitation of zero-day vulnerabilities in Microsoft Exchange servers.
Silk Typhoon's Evolving Tactics
According to recent insights from Microsoft's Threat Intelligence team, Silk Typhoon is now targeting IT solutions such as remote management tools and cloud applications. By compromising these systems, the group aims to infiltrate customer networks and exploit various applications, including Microsoft services, to fulfill their espionage goals.
Technical Proficiency and Resourcefulness
The group is recognized for being well-resourced and technically adept, quickly leveraging zero-day vulnerabilities in edge devices. This capability allows them to conduct widespread attacks across many sectors and regions, affecting IT services, healthcare, legal services, and government entities globally.
- Web Shell Utilization: Silk Typhoon employs web shells to execute commands, maintain persistence, and exfiltrate data from compromised environments.
- Cloud Infrastructure Expertise: Their understanding of cloud systems enables lateral movement and data harvesting.
New Attack Vectors and Methods
Since late 2024, Silk Typhoon has adopted new strategies, notably the misuse of stolen API keys and credentials linked to privileged access management (PAM) and cloud services. These tactics facilitate supply chain compromises affecting downstream customers.
Exploitation Techniques
The group has been linked to several initial access methods, including exploiting a zero-day vulnerability in Ivanti Pulse Connect VPN (CVE-2025-0282) and conducting password spray attacks using leaked credentials. Other vulnerabilities the group has been linked to include:
- CVE-2024-3400: A command injection flaw in Palo Alto Networks firewalls.
- CVE-2023-3519: An unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and Gateway.
- Microsoft Exchange Vulnerabilities: Exploiting CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, known collectively as ProxyLogon.
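One defensive check that the password spray activity described above motivates, written here as an added example rather than code from the report: it separates a spray (one source failing against many accounts, a few attempts each) from brute force (many failures against one account) and flags any later success from the same source. The sign-in events are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (timestamp, source IP, account, outcome); not real telemetry.
SAMPLE_EVENTS = [
    ("2025-03-05T10:00:01", "203.0.113.7", "alice", "FAIL"),
    ("2025-03-05T10:00:04", "203.0.113.7", "bob", "FAIL"),
    ("2025-03-05T10:00:09", "203.0.113.7", "carol", "FAIL"),
    ("2025-03-05T10:00:15", "203.0.113.7", "dave", "FAIL"),
    ("2025-03-05T10:00:22", "203.0.113.7", "erin", "FAIL"),
    ("2025-03-05T10:00:31", "203.0.113.7", "frank", "SUCCESS"),
    ("2025-03-05T10:01:00", "198.51.100.9", "admin", "FAIL"),
    ("2025-03-05T10:01:05", "198.51.100.9", "admin", "FAIL"),
    ("2025-03-05T10:01:10", "198.51.100.9", "admin", "FAIL"),
    ("2025-03-05T10:01:15", "198.51.100.9", "admin", "FAIL"),
    ("2025-03-05T10:01:20", "198.51.100.9", "admin", "FAIL"),
    ("2025-03-05T10:02:00", "192.0.2.5", "grace", "FAIL"),
    ("2025-03-05T10:02:30", "192.0.2.5", "grace", "SUCCESS"),
]

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for sources whose
    failed sign-ins inside any `window` touch at least `min_accounts` distinct accounts
    with no more than `max_per_account` failures each (a spray pattern). Brute force,
    where one account absorbs many failures, does not match. Thresholds are assumed."""
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, src, account, outcome in events:
        t = datetime.fromisoformat(ts)
        if outcome == "FAIL":
            fails[src].append((t, account))
        elif outcome == "SUCCESS":
            successes[src].add(account)
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding time window over this source's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in attempts[start:end + 1]:
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # A spray followed by any success from the same source is the case to triage first.
                alerts[src] = {"accounts": sorted(per_account), "successes": sorted(successes[src])}
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(src, info)
```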
Advanced Techniques for Obfuscation
Silk Typhoon employs a "CovertNetwork" of compromised devices, including Cyberoam appliances, Zyxel routers, and QNAP devices, to obscure the origins of their attacks. This strategy is characteristic of several state-sponsored actors from China.
By maintaining persistence through web shells, Silk Typhoon ensures continuous remote access to victim environments, further complicating detection and mitigation efforts.