Silk Typhoon Shifts Tactics to Exploit Common IT Solutions


Security researchers have identified a shift in tactics by the Chinese espionage group Silk Typhoon, also known as Hafnium.

According to Microsoft Threat Intelligence, the group is increasingly exploiting common IT solutions, such as remote management tools and cloud applications, to gain initial access. While they have not been observed directly targeting Microsoft cloud services, they have leveraged unpatched applications to escalate privileges and infiltrate networks.

Silk Typhoon, a well-resourced and technically adept state-sponsored threat actor, has one of the largest targeting footprints among Chinese espionage groups.

They opportunistically exploit vulnerabilities in public-facing devices, quickly moving from vulnerability scanning to active exploitation. Their operations have affected sectors including IT services, healthcare, government agencies and higher education institutions, with victims spanning the US and beyond.

Credential Abuse and Cloud Exploitation

Recent activity by Silk Typhoon includes abusing stolen API keys and credentials from privileged access management (PAM) systems, cloud application providers and cloud data management companies. This tactic has enabled the group to infiltrate downstream customer environments, conduct reconnaissance and exfiltrate data related to US government policy, legal processes and other areas of strategic interest.

Another tactic involves password spray attacks and other credential abuse methods. The group scans public repositories like GitHub for leaked corporate passwords and has successfully authenticated to corporate accounts. This underscores the importance of strong password hygiene and multi-factor authentication (MFA).
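As an added example that is not part of the article or of Microsoft's guidance, the following detector looks for the low-and-slow password-spray shape described above (one source trying a few passwords against many accounts, staying under per-account lockout thresholds) in sign-in records. The records, field layout and thresholds are constructed assumptions, not real telemetry.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real logs: (timestamp, user, source_ip, outcome).
# 203.0.113.7 sprays six accounts once each and lands one success;
# 198.51.100.9 hammers a single account, which is brute force, not a spray.
SAMPLE_SIGNINS = [
    ("2025-03-05T09:00:01", "alice@corp.example", "203.0.113.7", "FAIL"),
    ("2025-03-05T09:00:14", "bob@corp.example", "203.0.113.7", "FAIL"),
    ("2025-03-05T09:00:27", "carol@corp.example", "203.0.113.7", "FAIL"),
    ("2025-03-05T09:00:41", "dave@corp.example", "203.0.113.7", "FAIL"),
    ("2025-03-05T09:00:55", "erin@corp.example", "203.0.113.7", "FAIL"),
    ("2025-03-05T09:01:10", "frank@corp.example", "203.0.113.7", "SUCCESS"),
    ("2025-03-05T09:02:00", "alice@corp.example", "198.51.100.9", "FAIL"),
    ("2025-03-05T09:02:30", "alice@corp.example", "198.51.100.9", "FAIL"),
    ("2025-03-05T09:03:00", "alice@corp.example", "198.51.100.9", "SUCCESS"),
]


def parse(events):
    """Convert timestamps and return events in chronological order."""
    return sorted(
        (datetime.fromisoformat(ts), user, ip, outcome) for ts, user, ip, outcome in events
    )


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag source IPs whose failed sign-ins hit at least `min_users` distinct accounts
    inside `window`, with each account tried at most `max_per_user` times. Any success
    from the same IP after the spray started is recorded so it can be triaged first."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in parse(events):
        by_ip[ip].append((ts, user, outcome))

    findings = {}
    for ip, rows in by_ip.items():
        fails = [(ts, u) for ts, u, o in rows if o == "FAIL"]
        for i, (start, _) in enumerate(fails):
            # Sliding window anchored on each failure from this source.
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            per_user = Counter(in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits = [u for ts, u, o in rows if o == "SUCCESS" and ts >= start]
                findings[ip] = {"accounts_tried": sorted(per_user), "successes": hits}
                break
    return findings
```

Accounts listed under `successes` are the ones to reset and review first; MFA enforcement on them removes the value of the guessed password.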

Silk Typhoon has also exploited zero-day vulnerabilities, such as the one found in the Ivanti Pulse Connect VPN (CVE-2025-0282), which Microsoft reported in January 2025. They have targeted identity management, privileged access management and remote monitoring solutions to gain footholds within IT providers and managed service environments.

Lateral Movement and Stealth Techniques

Once inside a network, Silk Typhoon moves laterally from on-premises environments to cloud infrastructures by:

  • Stealing credentials
  • Compromising Active Directory
  • Targeting Microsoft AADConnect servers
  • Manipulating service principals and OAuth applications
  • Exfiltrating data from Microsoft services like OneDrive, SharePoint and Exchange

To obscure their activities, Silk Typhoon uses covert networks comprising compromised Cyberoam appliances, Zyxel routers and QNAP devices. This aligns with broader trends among Chinese threat actors seeking to disguise their operations.

Mitigation Strategies for Organizations

Microsoft has issued guidance to help organizations mitigate the risks posed by Silk Typhoon. Recommendations include patching all public-facing devices, securing privileged accounts and monitoring for anomalous activity. 

Companies are also urged to audit service principals, scrutinize multi-tenant applications and enforce zero-trust principles to limit exposure.
