- Chinese threat actor Silk Typhoon spotted targeting common IT apps
- Microsoft’s Threat Intelligence has identified new tactics from the group
- Silk Typhoon was allegedly behind recent US Treasury hack
A new report from Microsoft’s Threat Intelligence has identified a move from Chinese threat actor Silk Typhoon towards targeting “common IT solutions” such as cloud applications and remote management tools in order to gain access to victim’s systems.
The group has been observed attacking a wide range of sectors, including IT services and infrastructure, remote monitoring and management (RMM) companies, healthcare, legal services, defense, government agencies, and many more.
By exploiting zero-day vulnerabilities in edge devices and showcasing technical efficiency, the group has established itself as one of the Chinese threat actors with the “largest targeting footprints,” Microsoft says.
Successful operations
The report outlines a number of detected threats from Silk Typhoon, including using stolen API keys and credentials used for privilege access management, cloud providers, and cloud management firms – these allowed the group to access the downstream customer environments of the targeted company.
“Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments,” the report said.
“Since Microsoft Threat Intelligence began tracking this threat actor in 2020, Silk Typhoon has used a myriad of web shells that allow them to execute commands, maintain persistence, and exfiltrate data from victim environments.”
Silk Typhoon is said to be the group behind the US Treasury hack, a ‘major incident’ in which third party cybersecurity partner BeyondTrust, a remote access software provider was compromised, allowing the attackers access to key systems.
China has always strenuously denied any ties to the group, or to any cyberattackers, and has called on the US to stop spreading “disinformation” about the state’s alleged ties to the threat actors.
Leave a comment