Silk Typhoon hackers now target IT supply chains to breach networks


Microsoft warns that the Chinese state-sponsored espionage group “Silk Typhoon” has shifted tactics and is now targeting cloud services and remote management tools in supply-chain attacks that give it a path into downstream customers.

Microsoft has confirmed breaches across several sectors, including energy, government, IT services, healthcare, defense, education, and non-governmental organizations.

“They [Silk Typhoon] exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities,” Microsoft’s report says.

“After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives.”

Silk Typhoon storms IT supply chains

In early December 2024, Silk Typhoon, a Chinese state-sponsored espionage group, became widely known after breaching the U.S. Treasury’s Office of Foreign Assets Control (OFAC) and stealing data from the Committee on Foreign Investment in the United States (CFIUS).

Around that time, according to Microsoft, Silk Typhoon changed tactics and began abusing stolen and compromised credentials for identity management, privileged access management (PAM), IT providers, and remote monitoring and management (RMM) solutions. That access was then used to reach downstream customer networks and data.

According to Microsoft, the group searches public GitHub repositories and other open sources for leaked credentials and authentication keys, then uses them to compromise systems. Password spraying, in which a handful of common passwords is tried against many accounts so that no single account trips a lockout threshold, is another tactic the group uses to obtain valid credentials.
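Password spraying is distinguishable from classic brute force in sign-in telemetry: many distinct accounts fail from one source in a short window, with only one or two attempts per account. The following detector, an added example that is not part of Microsoft's report or this article, runs that logic over a constructed set of sign-in events (the tuple layout of timestamp, user, source IP and result is an assumed schema, not a real log format) and also reports any sprayed account that later signed in successfully from the same source.

```python
"""Password-spray detector over sign-in events (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed (ts, user, source_ip, result) layout.
SAMPLE_SIGNINS = [
    # One source tries six different accounts once each, then logs in as one of them.
    ("2025-03-05T10:00:01Z", "alice@corp.example", "203.0.113.7", "failure"),
    ("2025-03-05T10:00:09Z", "bob@corp.example",   "203.0.113.7", "failure"),
    ("2025-03-05T10:00:17Z", "carol@corp.example", "203.0.113.7", "failure"),
    ("2025-03-05T10:00:25Z", "dave@corp.example",  "203.0.113.7", "failure"),
    ("2025-03-05T10:00:33Z", "erin@corp.example",  "203.0.113.7", "failure"),
    ("2025-03-05T10:00:41Z", "frank@corp.example", "203.0.113.7", "failure"),
    ("2025-03-05T10:05:02Z", "frank@corp.example", "203.0.113.7", "success"),
    # Brute force: one account hammered from one source (not a spray).
    ("2025-03-05T10:01:00Z", "alice@corp.example", "198.51.100.9", "failure"),
    ("2025-03-05T10:01:03Z", "alice@corp.example", "198.51.100.9", "failure"),
    ("2025-03-05T10:01:06Z", "alice@corp.example", "198.51.100.9", "failure"),
    ("2025-03-05T10:01:09Z", "alice@corp.example", "198.51.100.9", "failure"),
    ("2025-03-05T10:01:12Z", "alice@corp.example", "198.51.100.9", "failure"),
    ("2025-03-05T10:01:15Z", "alice@corp.example", "198.51.100.9", "failure"),
    # Benign: a typo followed by a successful sign-in.
    ("2025-03-05T10:02:00Z", "alice@corp.example", "192.0.2.5", "failure"),
    ("2025-03-05T10:02:30Z", "alice@corp.example", "192.0.2.5", "success"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Return {source_ip: finding} for sources that, inside `window`, failed
    against at least `min_users` distinct accounts while hitting each account
    at most `max_per_user` times. A finding lists the number of accounts
    targeted and any targeted account that later succeeded from that source.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((parse_ts(ts), user, result))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failures = [(t, u) for t, u, r in rows if r == "failure"]
        # Slide a window starting at each failure; stop at the first match.
        for i, (start, _) in enumerate(failures):
            in_window = Counter(u for t, u in failures[i:] if t - start <= window)
            if len(in_window) >= min_users and max(in_window.values()) <= max_per_user:
                compromised = sorted({
                    u for t, u, r in rows
                    if r == "success" and t >= start and u in in_window
                })
                findings[ip] = {"users_targeted": len(in_window),
                                "compromised": compromised}
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

The brute-force source is deliberately not flagged (one account, six attempts), which is the point of the `max_per_user` bound; a separate lockout-style rule should cover that case. Thresholds belong in configuration and should be tuned against your own sign-in volume.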

Previously, the group relied mostly on n-day and zero-day vulnerabilities in publicly exposed edge devices for initial access, planting web shells and then moving laterally over compromised RDP and VPN connections.

When the attackers move from organization-level intrusions to MSP-level compromises, they can traverse cloud environments, steal Active Directory synchronization credentials (Azure AD Connect, now Microsoft Entra Connect), and abuse OAuth applications, making the intrusion far harder to spot.

Rather than relying on web shells and malware, Silk Typhoon now uses cloud applications to steal data and then deletes logs, leaving minimal traces behind.
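OAuth application abuse of the kind described in the two paragraphs above shows up as permission grants rather than as malware, so a useful defensive check is to triage the grants themselves. The following scorer is an added example, not Microsoft's detection logic or anything from this article: the grant records are constructed, the field names are an assumed simplification of what a tenant inventory would return, and the risk weights are illustrative. It flags apps holding tenant-wide mail, file or directory permissions, especially from unverified publishers or with recently added credentials.

```python
"""Triage OAuth permission grants for high-privilege, tenant-wide access (added example)."""

# Microsoft Graph permissions that give an app broad reach over mail, files
# or the directory itself (names are real Graph scopes; the set is illustrative).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "full_access_as_app",
}

# Constructed grant inventory with an assumed schema (not a real API response).
SAMPLE_GRANTS = [
    {"app": "Contoso HR Portal", "publisher_verified": True,
     "consent": "AllPrincipals", "scopes": ["User.Read", "Calendars.Read"],
     "credential_added_days_ago": 400},
    {"app": "Mail Sync Helper", "publisher_verified": False,
     "consent": "AllPrincipals",
     "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"],
     "credential_added_days_ago": 3},
    {"app": "Team Survey", "publisher_verified": False,
     "consent": "Principal", "scopes": ["User.Read", "openid"],
     "credential_added_days_ago": 120},
    {"app": "Backup Agent", "publisher_verified": True,
     "consent": "AllPrincipals",
     "scopes": ["Files.ReadWrite.All", "Sites.ReadWrite.All"],
     "credential_added_days_ago": 10},
]


def score_grant(grant, recent_days=30):
    """Return (score, reasons) for one grant. Weights are illustrative."""
    score, reasons = 0, []
    risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        score += 3 * len(risky)
        reasons.append("high-privilege scopes: " + ", ".join(risky))
    # Admin consent for all users turns a risky scope into tenant-wide access.
    if risky and grant["consent"] == "AllPrincipals":
        score += 3
        reasons.append("tenant-wide (admin) consent")
    if not grant["publisher_verified"]:
        score += 2
        reasons.append("unverified publisher")
    # A freshly added secret or certificate on an existing app is a common
    # sign that someone other than the owner now controls it.
    if grant["credential_added_days_ago"] <= recent_days:
        score += 2
        reasons.append(f"credential added in the last {recent_days} days")
    return score, reasons


def triage(grants, threshold=5):
    """Return [(app, score, reasons)] above `threshold`, highest score first."""
    scored = [(g["app"], *score_grant(g)) for g in grants]
    scored.sort(key=lambda row: row[1], reverse=True)
    return [row for row in scored if row[1] >= threshold]


if __name__ == "__main__":
    for app, score, reasons in triage(SAMPLE_GRANTS):
        print(f"{score:>3}  {app}: " + "; ".join(reasons))
```

The "Backup Agent" entry is a reminder that a verified publisher does not make tenant-wide file access benign; it still lands above the threshold and deserves a look at who consented and when the new credential appeared. Feed real data from your tenant's service principal and permission-grant inventory rather than the constructed list.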

Microsoft notes that, alongside these new tactics, Silk Typhoon still exploits vulnerabilities, including zero-days, to gain initial access.

Most recently, the group was observed exploiting CVE-2025-0282, a critical stack-based buffer overflow in Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances that allows unauthenticated remote code execution, as a zero-day to break into corporate networks.

Before that, Silk Typhoon exploited CVE-2023-3519, an unauthenticated remote code execution flaw in Citrix NetScaler ADC and NetScaler Gateway disclosed in 2023, and CVE-2024-3400, a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS disclosed in 2024.

Microsoft says that, to conduct attacks and hide malicious activity, the threat actors have built a “CovertNetwork” of compromised Cyberoam appliances, Zyxel routers, and QNAP devices.

At the end of its report, Microsoft includes updated indicators of compromise and detection guidance that reflect Silk Typhoon’s latest change in tactics. Defenders are advised to load this information into their security tooling to identify and block attacks promptly.
