Introduction
Silk Typhoon [1] [2] [3] [4] [5], also known as HAFNIUM [5], is a cyber-espionage group linked to China, active since at least 2020 [3]. This state-sponsored entity has demonstrated a sophisticated evolution in its tactics, shifting from exploiting zero-day vulnerabilities to targeting IT supply chain providers. Their activities reflect a broader trend among advanced espionage groups globally.
Description
Silk Typhoon has historically exploited vulnerabilities such as CVE-2021-26855, CVE-2021-26857 [5], CVE-2021-26858 [5], CVE-2021-27065 [5], and more recently, CVE-2025-0282 in Ivanti Pulse Connect VPNs [1] [4], CVE-2023-3519 in Citrix NetScaler Gateway [1], and CVE-2024-3400 in Palo Alto Networks GlobalProtect Gateway endpoints [1].
Recent activities indicate a focus on unpatched applications and the use of compromised API keys and stolen credentials from privileged access management (PAM) systems, cloud application providers [2] [4], and managed service providers to infiltrate customer environments and exfiltrate sensitive data related to US government policy and intelligence [4]. The group specifically targets sectors such as government, healthcare [3] [5], IT services [1] [3] [5], legal services [2] [3], higher education [3], defense [3], NGOs [3], and energy [3], exploiting everyday applications that organizations may overlook even when their other security measures are up to date [5].
Once inside a network [5], Silk Typhoon moves laterally, accesses sensitive data [5], and manipulates email and data storage services [5]. They demonstrate a deep understanding of cloud environments [3], particularly targeting AADConnect (now Entra Connect) servers to escalate privileges and access both on-premises and cloud environments [3]. The group conducts reconnaissance [2], implants web shells for persistence [2], and abuses service principals and OAuth applications with administrative permissions to exfiltrate data from platforms like email [2] [3], OneDrive [2] [3], and SharePoint via the Microsoft Graph API [2]. They hijack consented applications [3], add their own passwords [2] [3], and compromise multi-tenant apps to facilitate lateral movement across tenants [3], often creating Entra ID apps disguised as legitimate services for data theft [3].
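As an added defender-side example (not code from this write-up or from any of the cited sources), the following Python flags the pattern described above: a new credential added to an existing application or service principal close in time to a Graph application-role grant covering mail, OneDrive or SharePoint. The audit records are constructed and use a simplified version of the Entra ID audit-log shape (the field names activityDateTime, activityDisplayName, targetResources and modifiedProperties are assumed), so adapt the field access to the real export format.

```python
from datetime import datetime, timedelta

# Graph application permissions that allow bulk reading of mailboxes, OneDrive and
# SharePoint content, the data sources named in the reporting above.
DATA_ACCESS_ROLES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                     "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"}
# Audit activities recorded when a secret or certificate is added to an app.
CREDENTIAL_ACTIVITIES = {"Add service principal credentials",
                         "Update application – Certificates and secrets management"}

# Constructed sample records in a simplified Entra ID audit-log shape (an assumption).
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2025-03-05T09:12:00Z",
     "activityDisplayName": "Add service principal credentials",
     "targetResources": [{"displayName": "Contoso Backup Sync"}], "modifiedProperties": []},
    {"activityDateTime": "2025-03-05T09:40:00Z",
     "activityDisplayName": "Add app role assignment to service principal",
     "targetResources": [{"displayName": "Contoso Backup Sync"}],
     "modifiedProperties": [{"displayName": "AppRole.Value", "newValue": "Mail.Read"}]},
    {"activityDateTime": "2025-03-05T11:00:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "targetResources": [{"displayName": "HR Portal"}], "modifiedProperties": []},
    {"activityDateTime": "2025-03-01T08:00:00Z",
     "activityDisplayName": "Add app role assignment to service principal",
     "targetResources": [{"displayName": "HR Portal"}],
     "modifiedProperties": [{"displayName": "AppRole.Value", "newValue": "Sites.Read.All"}]},
]

def _ts(record):
    return datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))

def find_credential_abuse(records, window_hours=24):
    """Map app name -> 'high' (new credential plus data-access role within the window) or 'medium' (new credential only)."""
    creds, roles = {}, {}
    for r in records:
        app = r["targetResources"][0]["displayName"]
        if r["activityDisplayName"] in CREDENTIAL_ACTIVITIES:
            creds.setdefault(app, []).append(_ts(r))
        elif r["activityDisplayName"] == "Add app role assignment to service principal":
            for p in r["modifiedProperties"]:
                if p["displayName"] == "AppRole.Value" and p["newValue"] in DATA_ACCESS_ROLES:
                    roles.setdefault(app, []).append(_ts(r))
    window = timedelta(hours=window_hours)
    findings = {}
    for app, cred_times in creds.items():
        close = any(abs(c - g) <= window for c in cred_times for g in roles.get(app, []))
        findings[app] = "high" if close else "medium"
    return findings
```

Calling find_credential_abuse(SAMPLE_AUDIT_LOG) rates "Contoso Backup Sync" high (credential and Mail.Read grant 28 minutes apart) and "HR Portal" medium (its Sites.Read.All grant predates the new credential by four days); every credential addition to an existing app still deserves review against a change ticket.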
Silk Typhoon also utilizes covert networks, relying on compromised devices such as Cyberoam appliances [3], Zyxel routers [3], and QNAP devices to obfuscate their activities [3]. They operate through compromised networks [3], proxies [3], and VPNs [3], using a collection of egress IPs from compromised or leased devices [3], which complicates attribution. The group has been observed employing short-lease virtual private server (VPS) infrastructure to support their operations [3].
Conclusion
To mitigate risks [5], organizations are advised to maintain strong password hygiene, implement multi-factor authentication (MFA) [4] [5], keep all systems and software updated [5], monitor network activity for unusual behavior [5], and carefully manage API keys and service credentials to restrict access [5]. As Silk Typhoon continues to refine its tactics and target IT infrastructure at the supply chain level [1], vigilance and timely patching of known vulnerabilities are essential to protect sensitive information. The ongoing evolution of such cyber-espionage groups underscores the need for robust cybersecurity measures and proactive threat management strategies.
References
[1] https://cyberinsider.com/microsoft-chinese-hackers-silk-typhoon-now-target-the-it-supply-chain/
[2] https://cybersecuritynews.com/microsoft-warns-of-silk-typhoon-hackers/
[3] https://securityaffairs.com/174962/apt/china-linked-apt-silk-typhoon-targets-it-supply-chain.html
[4] https://www.infosecurity-magazine.com/news/silk-typhoon-exploits-common/
[5] https://hackread.com/chinese-silk-typhoon-group-it-tools-network-breaches/