Chinese state-sponsored cyber espionage group Silk Typhoon has evolved its tactics to continue targeting US government agencies, businesses, and critical infrastructure.
The group, known for exploiting zero-day vulnerabilities, has expanded its focus to cloud-based attacks and supply chain compromises, demonstrating increasing sophistication in its operations.
Since late 2024, Silk Typhoon has been observed leveraging stolen API keys and credentials to infiltrate IT providers, managed service providers (MSPs), and cloud data management firms.
This access has enabled the group to move into downstream customer environments, conducting data collection on US government policy, legal documents, and law enforcement investigations, according to a Microsoft Threat Intelligence report.
Escalating attacks on cloud networks
Recent findings indicate Silk Typhoon has improved its ability to pivot from on-premises breaches to cloud environments, targeting Microsoft’s Entra ID (formerly Azure AD) and privileged access management systems.
The group has been observed stealing credentials from Active Directory, manipulating service principals and OAuth applications to extract sensitive emails, and even creating deceptive applications within compromised cloud environments to maintain long-term access.
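The service-principal and OAuth-application abuse described above leaves a trail in the Entra ID audit log: a credential added to an existing app identity, or a consent grant that hands an application mailbox permissions. The following hunting script is an added example, not code from the Microsoft report or from Silk Typhoon tooling; it runs over a handful of constructed audit events written in the shape of the Microsoft Graph `directoryAudits` schema (`activityDisplayName`, `initiatedBy`, `targetResources[].modifiedProperties`), and the activity names, permission list and sample tenant names are assumptions chosen for illustration.

```python
"""Hunt an Entra ID audit-log export for OAuth / service-principal abuse.

Two patterns are flagged:
  1. a new credential (secret or certificate) added to a service principal,
     which is how an attacker keeps long-term, password-less access;
  2. an application being granted mail-related permissions via consent or
     app-role assignment, which is what is needed to pull mailboxes.
"""
from typing import Dict, List

# Graph / Exchange permissions that let an app read mailboxes (assumed list).
MAIL_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All",
    "MailboxSettings.Read", "full_access_as_app", "Exchange.ManageAsApp",
}
CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}
CONSENT_ACTIVITIES = {"Consent to application",
                      "Add app role assignment to service principal"}


def _actor(event: Dict) -> str:
    """Return the UPN of the user, or the app display name, that initiated the event."""
    initiated = event.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _mail_permissions(event: Dict) -> List[str]:
    """Collect mail-related permission names appearing in modifiedProperties.newValue."""
    found = set()
    for target in event.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            text = (prop.get("newValue") or "")
            for sep in "[],\":":
                text = text.replace(sep, " ")
            found.update(tok for tok in text.split() if tok in MAIL_PERMISSIONS)
    return sorted(found)


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per suspicious audit event."""
    findings = []
    for ev in events:
        name = ev.get("activityDisplayName", "")
        targets = [t.get("displayName") for t in ev.get("targetResources") or []]
        base = {"time": ev.get("activityDateTime"), "actor": _actor(ev), "targets": targets}
        if name in CREDENTIAL_ACTIVITIES:
            findings.append({**base, "rule": "new-app-credential"})
        elif name in CONSENT_ACTIVITIES:
            perms = _mail_permissions(ev)
            if perms:
                findings.append({**base, "rule": "mail-permission-grant", "permissions": perms})
    return findings


# Constructed sample events (not real tenant data); field layout mirrors Graph directoryAudits.
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-01-14T02:11:09Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "hr-admin@contoso.example"}},
     "targetResources": [{"displayName": "new.hire@contoso.example", "type": "User"}]},
    {"activityDateTime": "2025-01-14T02:13:40Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@contoso.example"}},
     "targetResources": [{"displayName": "Backup Sync Service", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "KeyDescription",
                                                  "newValue": "[\"[KeyIdentifier=...,KeyType=Password]\"]"}]}]},
    {"activityDateTime": "2025-01-14T02:15:02Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@contoso.example"}},
     "targetResources": [{"displayName": "Contoso Helpdesk Sync", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                  "newValue": "[[Scope: Mail.ReadWrite User.Read offline_access]]"}]}]},
    {"activityDateTime": "2025-01-14T02:20:55Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Whiteboard Plugin", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                  "newValue": "[[Scope: User.Read]]"}]}]},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this reports two findings: the secret added to "Backup Sync Service" and the Mail.ReadWrite consent for "Contoso Helpdesk Sync"; the plain user creation and the User.Read-only consent are ignored. In a real tenant the same two rules are worth running over the last 90 days of audit logs and cross-checking the actor against who was actually on shift, since the attacker will be using a legitimate admin's session.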
In January 2025, the group exploited a zero-day vulnerability in Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances (CVE-2025-0282), a critical flaw that allowed them to breach corporate and government networks. Microsoft reported the activity to Ivanti, leading to a rapid patch, but the attack showed Silk Typhoon's capability to operationalize exploits faster than many organizations can respond.
Infiltrating networks through password attacks
Beyond exploiting software vulnerabilities, Silk Typhoon has intensified password-based attacks, using password spraying and leaked corporate credentials found in public repositories such as GitHub to gain unauthorized access. The group has also reset admin accounts via compromised API keys and implanted web shells to maintain persistence within victim environments.
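Password spraying has a distinctive shape in sign-in telemetry: one source address, many different accounts, a few password guesses each, and then a single success. The detector below is an added example for this article, not a Microsoft or Silk Typhoon artefact; it parses constructed JSON sign-in lines that reuse the Entra ID sign-in log field names (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`), and the window size, user threshold and sample addresses are assumptions chosen for illustration.

```python
"""Detect password-spray patterns in Entra ID sign-in log lines.

A source IP is flagged when it produces failed sign-ins for at least
SPRAY_MIN_USERS distinct accounts inside any SPRAY_WINDOW.  Any success
from that IP after the spray began is reported separately, because that
account is the one to reset and investigate first.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

SPRAY_MIN_USERS = 5                     # assumed threshold; tune per tenant
SPRAY_WINDOW = timedelta(minutes=10)    # assumed window
# Entra error codes meaning "credentials were tried and rejected".
FAILURE_CODES = {50126, 50053, 50057}   # bad password, account locked, account disabled


def _parse(line: str):
    ev = json.loads(line)
    ts = datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))
    return ts, ev["userPrincipalName"].lower(), ev["ipAddress"], int(ev["status"]["errorCode"])


def detect_password_spray(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per source IP whose failures look like a spray."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, user, ip, code = _parse(line)
        by_ip[ip].append((ts, user, code))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        failures = [(t, u) for t, u, code in events if code in FAILURE_CODES]
        # Sliding window: find the largest set of distinct users failing within SPRAY_WINDOW.
        best_users, best_start, lo = set(), None, 0
        for hi in range(len(failures)):
            while failures[hi][0] - failures[lo][0] > SPRAY_WINDOW:
                lo += 1
            users = {u for _, u in failures[lo:hi + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, failures[lo][0]
        if len(best_users) < SPRAY_MIN_USERS:
            continue
        successes = sorted({u for t, u, code in events if code == 0 and t >= best_start})
        findings.append({
            "ip": ip,
            "window_start": best_start.isoformat(),
            "sprayed_users": sorted(best_users),
            "successes_after_spray": successes,
        })
    return findings


def _line(ts: str, user: str, ip: str, code: int) -> str:
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


# Constructed sample log (not real data): one spraying host, one user with a typo.
SPRAY_IP, TYPO_IP = "198.51.100.7", "203.0.113.9"
SAMPLE_LINES = [
    _line(f"2025-01-20T09:00:{10 * i:02d}Z", f"user{i}@contoso.example", SPRAY_IP, 50126)
    for i in range(6)
] + [
    _line("2025-01-20T09:01:10Z", "svc-backup@contoso.example", SPRAY_IP, 0),
    _line("2025-01-20T09:02:00Z", "alice@contoso.example", TYPO_IP, 50126),
    _line("2025-01-20T09:02:05Z", "alice@contoso.example", TYPO_IP, 50126),
    _line("2025-01-20T09:02:20Z", "alice@contoso.example", TYPO_IP, 0),
]

if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LINES):
        print(json.dumps(finding, indent=2))
```

On the constructed sample, 198.51.100.7 is reported with six sprayed accounts and one success (`svc-backup`), while 203.0.113.9 is not reported because two failures for a single user do not meet the distinct-user threshold. The same logic ports directly to a KQL query over `SigninLogs` once the thresholds are settled; the point of the sliding window is that a slow spray spread over hours still accumulates distinct users.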
Use of covert networks
To mask its activities, Silk Typhoon has been observed using a covert network of compromised appliances, including Cyberoam firewalls, Zyxel routers, and QNAP storage devices. These devices act as egress points for Silk Typhoon’s operations, helping the group evade detection by cybersecurity defences.