Silk Typhoon, a China-linked group formerly tracked as Hafnium, is now targeting IT supply chains, breaking into corporate networks through remote management tools and cloud applications.
Instead of attacking its targets directly, the group compromises third-party IT service providers, which lets it reach multiple businesses at once without raising red flags.
Here’s what we know about Silk Typhoon’s latest approach, the vulnerabilities they’re exploiting, and who’s at risk.
What’s Going On?
Microsoft’s Threat Intelligence team recently uncovered these new strategies, warning that Silk Typhoon’s cyber-espionage activities are increasing. This means businesses that use IT service providers and cloud platforms are more at risk.
How Are They Doing It?
Silk Typhoon has been exploiting vulnerabilities in IT service providers, managed service providers (MSPs), and remote monitoring and management (RMM) platforms. They use stolen keys and credentials to gain access to customer environments, then use cloud applications—including Microsoft services—to steal sensitive data and expand their espionage efforts.
Recent Attack Methods
Since late 2024, Silk Typhoon has been using new attack techniques, such as:
- Abusing stolen API keys and credentials from privileged access management (PAM) and cloud applications.
- Exploiting zero-day vulnerabilities in critical systems, including:
  - Ivanti Pulse Connect VPN (CVE-2025-0282)
  - Palo Alto Networks firewalls (CVE-2024-3400)
  - Citrix NetScaler ADC and Gateway (CVE-2023-3519)
  - Microsoft Exchange Server (ProxyLogon vulnerabilities)
- Password spraying attacks using leaked credentials.
- Leveraging OAuth applications with admin permissions to exfiltrate data from email, OneDrive, and SharePoint via the Microsoft Graph (MSGraph) API.
Once inside, Silk Typhoon moves laterally from on-premises to cloud environments, giving it deeper access and a longer-lived foothold for espionage.
Who’s Being Targeted?
The group’s attacks have affected a range of sectors, including:
- IT services and infrastructure
- Managed service providers (MSPs)
- Healthcare and legal sectors
- Higher education and government agencies
- Defense, energy, and NGOs
Latest Threat Intelligence
On March 6, 2025, cybersecurity firm GreyNoise reported that over 90 unique threat IPs were actively exploiting Silk Typhoon-related vulnerabilities in just 24 hours. Attack sources were traced back to multiple countries:
- 1,191 IPs targeting CVE-2021-26855 from Singapore, France, Germany, the U.S., and China
- 435 IPs exploiting CVE-2021-44228 from the U.S., Iran, India, Germany, and Japan
- 121 IPs using CVE-2024-3400 from the U.S., Singapore, Germany, the Netherlands, and Hong Kong
Silk Typhoon has also been using compromised Zyxel routers, Cyberoam appliances, and QNAP devices as part of a CovertNetwork infrastructure that hides the true origin of its activity.
How to Protect Your Business
With these threats increasing, organizations must act now to prevent breaches. Here’s what you can do:
- Apply security patches for all known vulnerabilities, prioritizing the internet-facing edge devices listed above.
- Disable unnecessary internet-facing services to reduce attack surfaces.
- Implement multi-factor authentication (MFA) to prevent credential theft.
- Enforce network segmentation to limit the spread of attacks.
- Monitor API key, service-principal, and OAuth application activity for suspicious use, and review which applications hold admin-consented permissions.
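As an added example (not from the original post or from Microsoft), here is a small Python triage routine for the last two recommendations: it flags OAuth applications granted tenant-wide access to mail, OneDrive and SharePoint content via Microsoft Graph, and service-principal sign-ins from IPs never recorded for that app. All records, field names and app names are constructed and only loosely shaped after Entra ID audit and sign-in exports.

```python
from collections import defaultdict

# Application-permission scopes that let an app read every user's mailbox, OneDrive
# and SharePoint content, i.e. the data the post says is being exfiltrated.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"}

# Constructed admin-consent grants (field names are assumptions, not a real export format).
GRANTS = [
    {"appId": "app-backup-sync", "scopes": ["Files.Read.All", "Sites.Read.All"],
     "consentType": "AllPrincipals"},
    {"appId": "app-hr-portal", "scopes": ["User.Read"], "consentType": "Principal"},
    {"appId": "app-mail-archiver", "scopes": ["Mail.Read", "Directory.Read.All"],
     "consentType": "AllPrincipals"},
]

# Constructed service-principal sign-ins against the Graph API.
SIGNINS = [
    {"appId": "app-backup-sync", "ip": "203.0.113.10", "resource": "graph"},
    {"appId": "app-backup-sync", "ip": "203.0.113.10", "resource": "graph"},
    {"appId": "app-mail-archiver", "ip": "203.0.113.10", "resource": "graph"},
    {"appId": "app-mail-archiver", "ip": "198.51.100.77", "resource": "graph"},
]

# Egress IPs each app's owning team has documented (constructed).
KNOWN_EGRESS = {"app-backup-sync": {"203.0.113.10"}, "app-mail-archiver": {"203.0.113.10"}}


def risky_grants(grants):
    """appIds with tenant-wide (AllPrincipals) consent to a high-risk application scope."""
    return sorted(g["appId"] for g in grants
                  if g["consentType"] == "AllPrincipals" and HIGH_RISK_SCOPES & set(g["scopes"]))


def anomalous_signins(signins, known_egress):
    """(appId, ip) pairs where a service principal reached Graph from an IP not on the
    app's documented egress list; each new IP is reported once. A stolen key or
    credential being replayed from attacker infrastructure shows up exactly here."""
    seen, hits = defaultdict(set), []
    for s in signins:
        if s["resource"] != "graph":
            continue
        if s["ip"] not in known_egress.get(s["appId"], set()) and s["ip"] not in seen[s["appId"]]:
            hits.append((s["appId"], s["ip"]))
        seen[s["appId"]].add(s["ip"])
    return hits


def triage(grants, signins, known_egress):
    """Anomalous sign-ins, each tagged with whether the app also holds a high-risk grant,
    so the combination (new IP + broad data access) can be worked first."""
    risky = set(risky_grants(grants))
    return [(app, ip, app in risky) for app, ip in anomalous_signins(signins, known_egress)]
```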
Final Thoughts
Silk Typhoon’s strategies highlight the increasing risk of supply chain cyberattacks. If businesses don’t tighten cloud security and access controls, they risk exposing sensitive data.
At Cyberkach, we help organizations strengthen their defenses through expert cyber awareness programs that protect businesses. Contact us today and subscribe to our blog to stay informed about the latest cybersecurity trends.