The group known as Silk Typhoon—previously referred to as Hafnium—has shifted its focus from exploiting vulnerabilities in Microsoft Exchange servers to targeting the information technology (IT) supply chain. This change in strategy aims to gain initial access to corporate networks, according to the Microsoft Threat Intelligence team’s recent report.
Silk Typhoon is reportedly employing tactics that involve compromising IT solutions, including remote management tools and cloud applications. Once inside a provider's network, they leverage stolen credentials to infiltrate downstream customer networks, exploiting a range of applications, including various Microsoft services, to pursue espionage objectives. Microsoft described the effectiveness of this well-resourced and technically adept group, highlighting its ability to capitalize on zero-day vulnerabilities in edge devices for opportunistic attacks.
Their operations extend across various sectors, including IT services, healthcare, legal services, higher education, and government agencies in the United States and globally. Notably, Silk Typhoon has incorporated multiple web shells into their toolkit to facilitate command execution, persistence, and data exfiltration from compromised environments. Their demonstrated proficiency with cloud infrastructure enhances their lateral movement capabilities, allowing for effective data harvesting.
Since late 2024, new tactics have emerged, particularly in the misuse of stolen API keys and credentials associated with privilege access management systems. Through this access, Silk Typhoon is able to conduct reconnaissance and data collection from targeted devices, with their primary targets comprising state and local governments as well as entities within the IT sector.
Initial access methods for Silk Typhoon include the exploitation of zero-day vulnerabilities, such as a recently identified flaw in Ivanti Pulse Connect VPN (CVE-2025-0282), along with password-spraying attacks utilizing leaked credentials from various repositories. They have also taken advantage of significant security vulnerabilities in widely used technologies, including several impacting Microsoft Exchange Server.
Upon successfully breaching a network, Silk Typhoon executes lateral movements from on-premises systems to cloud environments, where they exploit OAuth applications with administrative privileges to extract sensitive data via the MSGraph API. To mask their activities, they employ a covert network comprised of compromised devices like Cyberoam appliances and Zyxel routers, a tactic commonly utilized by state-sponsored actors in China.
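The OAuth-application abuse described above is visible to defenders in consent and app-role-assignment audit events. The following added example, which is not code from the Microsoft report, flags application-only (no signed-in user) Microsoft Graph grants from a simplified, hypothetical record layout; the permission watch list, `ConsentEvent` fields and sample events are all assumptions constructed for illustration.

```python
# Constructed example, not from the Microsoft report: flag OAuth application
# grants that would let a compromised app pull tenant data via Microsoft Graph.
# The record layout is a simplified, hypothetical rendering of consent audit
# events; real Entra ID audit logs nest these fields differently.
from dataclasses import dataclass

# Graph application permissions that allow tenant-wide data access without a
# signed-in user. Hypothetical watch list; tune it to your tenant.
HIGH_RISK_APP_ROLES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "User.Read.All",
}

@dataclass
class ConsentEvent:
    app_display_name: str
    consent_type: str        # "Application" (app-only) or "Delegated"
    permissions: list        # Graph permission names granted
    granted_by: str          # account that approved the grant
    publisher_verified: bool

def risk_findings(events):
    """Return (app, reason) tuples for grants worth an analyst's attention."""
    findings = []
    for e in events:
        risky = sorted(set(e.permissions) & HIGH_RISK_APP_ROLES)
        if e.consent_type == "Application" and risky:
            findings.append((e.app_display_name,
                             "app-only Graph access: " + ", ".join(risky)))
        if e.consent_type == "Application" and not e.publisher_verified:
            findings.append((e.app_display_name, "unverified publisher"))
    return findings

# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    ConsentEvent("Helpdesk Sync", "Application",
                 ["Mail.Read", "Directory.Read.All"], "admin@tenant.example", False),
    ConsentEvent("Calendar Widget", "Delegated", ["Calendars.Read"],
                 "user@tenant.example", True),
    ConsentEvent("Backup Connector", "Application", ["Files.Read.All"],
                 "admin@tenant.example", True),
]

if __name__ == "__main__":
    for app, reason in risk_findings(SAMPLE_EVENTS):
        print(f"{app}: {reason}")
```

Delegated grants such as the calendar widget are not flagged because they act only within the consenting user's own access; the app-only grants are the ones that match the data-extraction path the report describes.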
In a recent development, the cybersecurity firm GreyNoise reported that over 90 unique threat IPs have been actively exploiting vulnerabilities linked to Silk Typhoon in the past 24 hours. The vulnerabilities under active exploitation include CVE-2021-26855 and CVE-2021-44228, indicating a persistent and evolving threat landscape.
Given the ongoing nature of these exploits, it is imperative for organizations to promptly apply security patches, disable unnecessary internet-facing services, implement multi-factor authentication, and enforce network segmentation to mitigate the risk of lateral movement by these adversaries. As this situation continues to unfold, business leaders must prioritize cybersecurity measures to safeguard their operations against increasingly sophisticated threats.