Silk Typhoon shifted to specifically targeting IT management companies

The Chinese state-backed threat group Silk Typhoon shifted tactics in late 2024 to broaden its access and enable follow-on attacks against the downstream customers of its initial targets, Microsoft Threat Intelligence said in a blog post published Wednesday.
The Chinese espionage group, also tracked as APT27, has abused stolen API keys and credentials belonging to privileged access management vendors, cloud-based application providers and data management companies to intrude into networks operated by state and local governments and by organizations in the IT sector.
“After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives,” Ann Johnson, corporate vice president at Microsoft Security, said in a LinkedIn post.
Silk Typhoon has also performed reconnaissance using stolen API keys and leaked corporate passwords found on publicly accessible sites such as GitHub. That access has allowed the group to reach administrative accounts and steal data from edge devices.
Microsoft Threat Intelligence said it observed Silk Typhoon gaining access through password-spray attacks, zero-day exploits and unpatched third-party services. Most recently, the group exploited CVE-2025-0282, a critical zero-day vulnerability in Ivanti Connect Secure VPN appliances (the product formerly sold as Pulse Connect Secure).
Silk Typhoon has primarily set its sights on gaining access to IT providers, identity management platforms, privileged access management and remote monitoring and management tools, researchers said.
The group moves from on-premises to cloud environments by stealing Active Directory credentials, reading passwords stored in key vaults, and targeting Entra Connect servers (the tool organizations use to synchronize on-premises Active Directory with Entra ID) in order to escalate privileges.
Microsoft Threat Intelligence also observed Silk Typhoon abusing OAuth applications that had been granted administrative permissions to steal email, OneDrive and SharePoint data through the Microsoft Graph API.
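One check a defender would want after reading the paragraph above is an inventory of every OAuth application in the tenant that already holds admin-consented Microsoft Graph application permissions broad enough to read mail, OneDrive or SharePoint content tenant-wide, since that is exactly the access being abused. The script below is an added example written for this page; it is not code from Microsoft's blog post or from the Microsoft Threat Intelligence report. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module) is installed and that the operator can consent to the Application.Read.All and Directory.Read.All scopes; the $HighRisk permission list is this example's own choice, not an official Microsoft classification.

```powershell
# Added example: audit admin-consented Microsoft Graph application permissions
# held by service principals (OAuth apps) in an Entra ID tenant.
# Assumes the Microsoft.Graph PowerShell SDK. The $HighRisk list below is an
# assumption made for this example, not an official Microsoft risk rating.

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# The Microsoft Graph resource service principal has this well-known appId in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map the Graph app-role GUIDs to their permission names (e.g. Mail.Read).
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Application permissions that let an app read mail, files or sites for every
# user, or rewrite the directory itself. Extend to taste; this is the example's list.
$HighRisk = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.ReadBasic.All',
    'Files.Read.All', 'Files.ReadWrite.All',
    'Sites.Read.All', 'Sites.ReadWrite.All', 'Sites.FullControl.All',
    'Directory.ReadWrite.All', 'Application.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'AppRoleAssignment.ReadWrite.All'
)

# Every app-role assignment whose resource is Microsoft Graph, i.e. every
# admin-consented Graph application permission granted to any app in the tenant.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

$findings = foreach ($a in $assignments) {
    $perm = $roleNames[$a.AppRoleId]
    if ($HighRisk -contains $perm) {
        # Resolve the holding service principal so it can be reviewed further.
        $holder = Get-MgServicePrincipal -ServicePrincipalId $a.PrincipalId
        [pscustomobject]@{
            App           = $a.PrincipalDisplayName
            AppId         = $holder.AppId
            Permission    = $perm
            GrantedOn     = $a.CreatedDateTime
            SignInEnabled = $holder.AccountEnabled
        }
    }
}

$findings | Sort-Object App, Permission | Format-Table -AutoSize
```

Any app in the output that is not recognized as a sanctioned integration is a lead, not a verdict: check who owns it, when its credentials were last added (the PasswordCredentials and KeyCredentials properties of the holding service principal), and whether its sign-in activity matches its stated purpose. Note that this query covers application permissions only; delegated grants consented on behalf of users live in OAuth2 permission grants and need a separate pass.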
The threat group’s technical prowess, displayed by its ability to pivot quickly and exploit vulnerabilities with efficiency, gives it “one of the largest targeting footprints among Chinese threat actors,” Microsoft Threat Intelligence said in the blog.
Researchers link Silk Typhoon to attacks targeting IT services, managed service providers, and organizations in the energy, healthcare, higher education, legal, defense and government sectors.
Microsoft released its latest research on Silk Typhoon as a flurry of unsealed indictments charged 12 Chinese nationals for their alleged involvement in a vast espionage campaign, including multiple attacks on U.S. government agencies. Two alleged members of Silk Typhoon, Yin Kecheng and Zhou Shuai, were among those indicted by federal prosecutors on Wednesday.