Silk Typhoon, the Chinese state-backed hacking group responsible for breaching the US Treasury Department, has been caught targeting the global IT supply chain, including managed service providers, IT services firms, and remote monitoring companies. This shift in tactics was revealed by Microsoft’s threat intelligence team on Wednesday.
Instead of directly attacking high-profile cloud services, Silk Typhoon now exploits compromised API keys and stolen credentials to infiltrate IT supply chain companies. Once inside these organizations, the hackers can extend their reach to customer networks, conducting extensive reconnaissance, siphoning off sensitive data, and moving laterally across victim networks.
Microsoft’s researchers highlighted the group’s deep understanding of both on-premises and cloud environments, enabling them to escalate privileges and infiltrate deeper into systems. They’ve even been observed using Microsoft’s Entra Connect tool to enhance their access. Though the group has not directly targeted Microsoft cloud services, this new focus on the IT supply chain raises concerns about vulnerabilities in commonly used IT solutions, especially those lacking proper patching and secure credential management.
Silk Typhoon has been behind a number of major exploits in the past, including the successful breach of Microsoft Exchange servers, VPN products, and firewalls. In the breach of the US Treasury, the group targeted critical offices, including those focused on foreign investments and sanctions, exploiting flaws in software like BeyondTrust and PostgreSQL.
Microsoft’s researchers also noted that the hacking group has been using various techniques to advance their intrusions. These include password spray attacks and the use of leaked corporate passwords found in public repositories such as GitHub. The group has also abused OAuth applications and service principals to steal data, including emails, OneDrive files, and SharePoint data, via the MSGraph API.
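As an added illustration of how a defender might look for the two behaviours described above (this is example code written for this summary, not anything from Microsoft's report), the script below runs two checks over constructed sample records shaped like Entra ID sign-in and consent-grant audit logs: one flags a source IP that fails logins across many distinct accounts (the password-spray pattern), the other flags OAuth consent grants that include bulk mail, file, or site Graph permissions. The sample IPs, users, and app names are made up; the error code 50126 and the permission names are real Entra/Graph values.

```python
"""Detection sketch for two behaviours the report describes: password spraying
and OAuth app / service-principal Graph permissions that allow bulk data theft.
All records below are constructed sample data, not real telemetry."""
from collections import defaultdict

# Constructed sample sign-in events: (source IP, user, result code).
# 50126 is the Entra ID error code for an invalid username or password.
SIGNINS = [
    ("203.0.113.7", "alice@example.test", 50126),
    ("203.0.113.7", "bob@example.test", 50126),
    ("203.0.113.7", "carol@example.test", 50126),
    ("203.0.113.7", "dave@example.test", 50126),
    ("203.0.113.7", "erin@example.test", 0),
    ("198.51.100.4", "alice@example.test", 50126),
    ("198.51.100.4", "alice@example.test", 50126),
    ("198.51.100.4", "alice@example.test", 0),
]

# Microsoft Graph permissions that grant bulk access to the data types named
# in the report (mailboxes, OneDrive files, SharePoint sites).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"}

# Constructed sample consent-grant audit records: (app display name, scopes).
CONSENTS = [
    ("Expense Sync", "User.Read openid profile"),
    ("Backup Helper", "Mail.Read Files.Read.All Sites.Read.All offline_access"),
]

def password_spray_sources(events, min_users=3):
    """Return IPs with failed logins against at least `min_users` distinct
    accounts. One IP touching many users is the spray signature; repeated
    failures on a single user (198.51.100.4 above) is a different pattern."""
    failed_users = defaultdict(set)
    for ip, user, code in events:
        if code == 50126:
            failed_users[ip].add(user)
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_users)

def risky_consents(records):
    """Return (app, sorted risky scopes) for consent grants that include bulk
    mail/file/site permissions and therefore deserve review."""
    hits = []
    for app, scopes in records:
        risky = sorted(set(scopes.split()) & HIGH_RISK_SCOPES)
        if risky:
            hits.append((app, risky))
    return hits

if __name__ == "__main__":
    print("spray sources:", password_spray_sources(SIGNINS))
    print("risky consents:", risky_consents(CONSENTS))
```

In production the same logic would read real sign-in and audit log exports and the thresholds would be tuned to the tenant's normal failure rates.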
The group’s growing ability to target and exploit IT supply chains underscores the broader risks posed to organizations that lack strong cybersecurity defenses. Microsoft’s report serves as a warning for all companies using common IT services to bolster their security measures against these advanced cyber-espionage threats.
For further information, read the full article by Ryan Naraine on SecurityWeek.