CrowdStrike warns of uptick in Silk Typhoon attacks this summer

The China-affiliated espionage group, which CrowdStrike tracks as Murky Panda, has been linked to more than a dozen incident response cases since late spring.
The Chinese national flag flies outside the Ministry of Foreign Affairs in Beijing on July 26, 2023. (Photo by GREG BAKER/AFP via Getty Images)

The Chinese state-backed threat group Silk Typhoon has raised the pace of attacks targeting government, technology, legal and professional services in North America since late spring, according to CrowdStrike.

“We were calling this jokingly, ‘the summer of Murky Panda,’ because we’ve seen so much activity from them over the last couple of months,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, using the firm’s nomenclature for the cyberespionage group.

CrowdStrike has worked on more than a dozen cases involving Murky Panda during the past few months, including two active incident response cases, Meyers said. The group, which has been active since at least 2023, is “one of the top-tier Chinese threats that we’ve been seeing a lot this summer,” he said.

Murky Panda exemplifies how Chinese attackers are gaining access to victim networks and infrastructure via vulnerabilities, unmanaged devices, the cloud and pivots between cloud services. 

The group’s cloud tradecraft is advanced: it gains prolonged access and moves laterally to downstream victims by abusing the delegated administrative privileges that cloud solution providers hold over their customers’ tenants, CrowdStrike said in a research report released Thursday.

Once Murky Panda compromises a cloud solutions provider, it can reach any cloud tenant that has granted that provider delegated access, Meyers said. These “trusted-relationship compromises” in the cloud are rare and conducted by only a few groups, including Murky Panda, which leaves this method of initial access less monitored and harder to detect.
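The detection gap described above is concrete: a partner signing in through delegated administration is a legitimate cross-tenant sign-in, so it only stands out if the defender knows which providers should hold that access. The script below is an added example, not code from CrowdStrike or the report. It assumes sign-in records in the shape of the Microsoft Graph sign-in log, where a provider acting through delegated admin privileges shows crossTenantAccessType of "serviceProvider" and a homeTenantId different from the tenant it acts in; that field layout is an assumption, and every tenant ID, user, app name and IP address in the sample is constructed.

```python
"""Hunt for partner (cloud solution provider) sign-ins that reach a customer
tenant through delegated administration.  Added example for this article; it
is not CrowdStrike's or Microsoft's code.

Assumption: records follow the Microsoft Graph signIn resource, in which a
partner acting through delegated admin privileges shows
crossTenantAccessType == "serviceProvider" and a homeTenantId different from
the resourceTenantId it is acting in.  All IDs, names and addresses below are
constructed sample data."""
import json

# The tenant being defended and the partners it has actually contracted
# (constructed values).
OUR_TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000001"
KNOWN_PARTNERS = {
    "bbbbbbbb-0000-0000-0000-000000000002": "Contracted MSP",
}


def _signin(id_, when, upn, home, access, app, ip, auth_req):
    """Build one constructed sign-in record in the assumed Graph shape."""
    return {"id": id_, "createdDateTime": when, "userPrincipalName": upn,
            "homeTenantId": home, "resourceTenantId": OUR_TENANT_ID,
            "crossTenantAccessType": access, "appDisplayName": app,
            "ipAddress": ip, "authenticationRequirement": auth_req,
            "status": {"errorCode": 0}}


# Constructed sample export: two sign-ins from the contracted partner, one from
# a tenant nobody contracted, and one ordinary employee sign-in.
SAMPLE_SIGNINS = json.dumps([
    _signin("s1", "2025-07-14T02:11:09Z", "ops@contracted-msp.example",
            "bbbbbbbb-0000-0000-0000-000000000002", "serviceProvider",
            "Azure Portal", "203.0.113.10", "multiFactorAuthentication"),
    _signin("s2", "2025-07-14T02:13:40Z", "admin@unknown-partner.example",
            "cccccccc-0000-0000-0000-000000000003", "serviceProvider",
            "Microsoft Graph Command Line Tools", "198.51.100.7",
            "multiFactorAuthentication"),
    _signin("s3", "2025-07-14T03:02:55Z", "ops@contracted-msp.example",
            "bbbbbbbb-0000-0000-0000-000000000002", "serviceProvider",
            "Exchange Online PowerShell", "203.0.113.10",
            "singleFactorAuthentication"),
    _signin("s4", "2025-07-14T08:00:01Z", "alice@ourcorp.example",
            OUR_TENANT_ID, "none", "Office 365", "192.0.2.5",
            "multiFactorAuthentication"),
])


def hunt_delegated_admin_signins(signins_json, our_tenant=OUR_TENANT_ID,
                                 known_partners=KNOWN_PARTNERS):
    """Return findings for delegated-admin sign-ins into our tenant that came
    from a partner we never contracted, or that were not MFA-protected."""
    findings = []
    for rec in json.loads(signins_json):
        if rec.get("crossTenantAccessType") != "serviceProvider":
            continue                      # not a partner acting via delegation
        if rec.get("resourceTenantId") != our_tenant:
            continue                      # activity in some other tenant
        home = rec.get("homeTenantId")
        reasons = []
        if home not in known_partners:
            reasons.append("partner tenant not in contracted allowlist")
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            reasons.append("delegated admin sign-in without MFA")
        if reasons:
            findings.append({"id": rec["id"], "time": rec["createdDateTime"],
                             "user": rec["userPrincipalName"],
                             "partner_tenant": home,
                             "partner_name": known_partners.get(home, "UNKNOWN"),
                             "app": rec["appDisplayName"],
                             "ip": rec["ipAddress"], "reasons": reasons})
    return findings


def partner_activity_summary(signins_json, our_tenant=OUR_TENANT_ID):
    """Count delegated-admin sign-ins into our tenant per partner tenant, so a
    defender sees every provider that holds a foothold, allowlisted or not."""
    counts = {}
    for rec in json.loads(signins_json):
        if (rec.get("crossTenantAccessType") == "serviceProvider"
                and rec.get("resourceTenantId") == our_tenant):
            home = rec.get("homeTenantId")
            counts[home] = counts.get(home, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt_delegated_admin_signins(SAMPLE_SIGNINS):
        print(f["id"], f["partner_name"], f["user"], f["app"],
              "; ".join(f["reasons"]))
    print(partner_activity_summary(SAMPLE_SIGNINS))
```

Run against a real export of the tenant's sign-in logs, the summary answers the question most victims of a trusted-relationship compromise cannot: which provider tenants currently exercise delegated access at all. The allowlist should be built from the partner relationships the organization has actually approved, and a provider that appears in the summary but not on that list is the case the article calls hard to detect.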

“A lot of organizations have rushed to implement cloud over the last couple of years, and they may have done so without fully understanding or appreciating how the cloud works,” Meyers added.

Murky Panda’s attack pathways are assorted. The group has rapidly exploited n-day and zero-day vulnerabilities, including CVE-2023-3519 affecting Citrix NetScaler products and CVE-2025-3928 affecting Commvault Web Server, according to CrowdStrike. (Editor’s note: After this story’s initial publication, CrowdStrike removed the reference to the Commvault CVE. When asked why by CyberScoop, the company did not elaborate further.)

Researchers have also observed Murky Panda exploiting internet-facing appliances, including small office/home office devices, for initial access. 

CrowdStrike’s findings expand upon research Microsoft Threat Intelligence released in March indicating Silk Typhoon shifted tactics in late 2024 to broaden access and enable follow-on attacks against downstream customers of its initial targets.

The Justice Department in March unsealed indictments charging 12 Chinese nationals for their alleged involvement in a vast espionage campaign, including multiple attacks on U.S. government agencies. Two alleged members of Silk Typhoon, Yin Kecheng and Zhou Shuai, were among those indicted.

Yet, attacks from China-sponsored threat groups haven’t waned. CrowdStrike tracked a 40% year-over-year increase in cloud-intrusion activity from China-sponsored threat groups through June, including attacks linked to Murky Panda. Intrusions of all sorts linked to China jumped 150% over the same period.

“A lot of the activity we’ve seen from China is tied to geopolitical issues and initiatives that they’re following, and Murky Panda is a subset of that,” Meyers said. As China continues to “use offensive cyber tools to position their own geopolitical initiatives, you’ll see more intrusions.”

Update, Aug. 22, 2025: This story has been updated to reflect a change in the information shared by CrowdStrike.