Silk Typhoon Targeting IT Supply Chain in Multiple Sectors


Executive Summary

Microsoft Threat Intelligence has identified a shift in tactics for Silk Typhoon, a Chinese state-sponsored espionage group, to target remote management tools and cloud applications for initial access. The group has now shifted to exploiting unpatched vulnerabilities in IT infrastructure to elevate privileges and move laterally into cloud environments, enabling data exfiltration and espionage activities. Their latest campaigns involve stealing API keys, compromising multi-tenant applications, and abusing Microsoft Graph and Exchange Web Services APIs.

Community Impact

The retail and hospitality sectors, which increasingly rely on cloud-based applications, remote management tools, and third-party IT providers, are highly exposed to Silk Typhoon’s tactics. RH-ISAC Core Member Organizations should ingest the intelligence included in this report and in the original Microsoft report, linked above.

Technical Analysis

Silk Typhoon’s recent shift toward cloud-based attacks and exploitation of remote management tools represents an evolution in state-sponsored cyber espionage tactics. Their ability to quickly weaponize zero-day vulnerabilities, such as Ivanti Pulse Connect VPN (CVE-2025-0282), demonstrates their technical sophistication and access to privileged intelligence.

Other vulnerabilities exploited by the threat actor include:

By targeting privileged access management (PAM) solutions, API keys, and service principal applications, Silk Typhoon can move seamlessly between on-premises and cloud environments, making detection and mitigation significantly more challenging.

The use of covert networks, including compromised Cyberoam appliances, Zyxel routers, and QNAP devices, allows Silk Typhoon to obfuscate command-and-control (C2) traffic, complicating traditional network monitoring. Furthermore, their ability to manipulate Microsoft Graph API, Exchange Web Services (EWS), and Entra ID (formerly Azure AD) suggests deep familiarity with cloud identity management. This allows them to exfiltrate sensitive data while maintaining long-term persistence.

Detection

Microsoft researchers provided the following detection recommendations:

  • Inspect log activity related to Entra Connect servers for anomalous activity.
  • Where these targeted applications have highly privileged accounts, inspect service principals for newly created secrets (credentials).
  • Identify and analyze any activity related to newly created applications.
  • Identify all multi-tenant applications and scrutinize authentications to them.
  • Analyze any observed activity related to use of Microsoft Graph or eDiscovery, particularly for SharePoint or email data exfiltration.
  • Look for newly created users on devices impacted by vulnerabilities targeted by Silk Typhoon and investigate virtual private network (VPN) logs for evidence of VPN configuration modifications or sign-in activity during the possible window of compromise of unpatched devices.
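The following script is an added example, not code from Microsoft’s or RH-ISAC’s report. It shows how the second, third and fourth recommendations above can be checked offline against an export of Entra ID directory audit records (the Microsoft Graph auditLogs/directoryAudits schema: activityDisplayName, activityDateTime, initiatedBy, targetResources) and application objects (signInAudience). The audit records, application list, object IDs, user names and the set of “privileged” service principal IDs are all constructed for illustration; in practice the records would come from a Graph export or a SIEM, and the privileged set from your own inventory of service principals holding high-impact Graph permissions.

```python
"""Triage Entra ID directory audit records for the activity Microsoft
recommends inspecting: new service principal credentials, new application
registrations, and multi-tenant applications.

Added example for this summary; it is not Microsoft's or RH-ISAC's code.
All sample data below is constructed."""
from datetime import datetime, timedelta, timezone

# activityDisplayName values from Entra directory audit logs that warrant review.
SUSPECT_ACTIVITIES = {
    "Add service principal credentials": "new secret/certificate on a service principal",
    "Add application": "new app registration",
    "Add service principal": "new service principal",
}


def _actor(record):
    """Return a printable initiator: a user UPN or an application name/id."""
    init = record.get("initiatedBy") or {}
    if init.get("user"):
        return init["user"].get("userPrincipalName", "unknown-user")
    app = init.get("app") or {}
    return app.get("displayName") or app.get("appId") or "unknown-app"


def triage_directory_audits(records, privileged_sp_ids, now=None, window_days=30):
    """Return findings for suspect activities inside the look-back window.

    Targets whose object id is in privileged_sp_ids (an assumed, locally
    maintained set of highly privileged service principals) are rated high."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=window_days)
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName")
        if activity not in SUSPECT_ACTIVITIES:
            continue
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        if when < cutoff:
            continue
        for target in rec.get("targetResources", []):
            privileged = target.get("id") in privileged_sp_ids
            findings.append({
                "time": when.isoformat(),
                "activity": activity,
                "why": SUSPECT_ACTIVITIES[activity],
                "target": target.get("displayName"),
                "target_id": target.get("id"),
                "actor": _actor(rec),
                "severity": "high" if privileged else "medium",
            })
    return findings


def find_multitenant_apps(applications):
    """Names of app registrations that accept sign-ins from any Entra tenant."""
    return [a["displayName"] for a in applications
            if a.get("signInAudience") == "AzureADMultipleOrgs"]


# Constructed sample data (hypothetical tenant, users and object ids).
NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)
PRIVILEGED_SPS = {"5f1c0e2a-0000-4000-8000-000000000001"}  # e.g. an SP holding Mail.Read
SAMPLE_AUDITS = [
    {"activityDateTime": "2025-03-08T02:14:09Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "itops-admin@contoso.example"}},
     "targetResources": [{"id": "5f1c0e2a-0000-4000-8000-000000000001",
                          "displayName": "Mailbox-Archiver", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-03-09T11:40:22Z",
     "activityDisplayName": "Add application",
     "initiatedBy": {"user": {"userPrincipalName": "itops-admin@contoso.example"}},
     "targetResources": [{"id": "5f1c0e2a-0000-4000-8000-000000000002",
                          "displayName": "Sync Helper", "type": "Application"}]},
    {"activityDateTime": "2024-11-01T09:00:00Z",  # older than the window: ignored
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Provisioning"}},
     "targetResources": [{"id": "5f1c0e2a-0000-4000-8000-000000000003",
                          "displayName": "Old-Connector", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-03-09T12:00:00Z",  # benign activity type: ignored
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example"}},
     "targetResources": [{"id": "u-1", "displayName": "j.doe", "type": "User"}]},
]
SAMPLE_APPS = [
    {"displayName": "Sync Helper", "signInAudience": "AzureADMultipleOrgs"},
    {"displayName": "Intranet Portal", "signInAudience": "AzureADMyOrg"},
]

if __name__ == "__main__":
    for f in triage_directory_audits(SAMPLE_AUDITS, PRIVILEGED_SPS, now=NOW):
        print(f"[{f['severity']}] {f['time']} {f['activity']} on {f['target']} by {f['actor']}")
    print("multi-tenant apps:", find_multitenant_apps(SAMPLE_APPS))
```

On the sample data the run flags the new credential on the privileged Mailbox-Archiver service principal as high, the new Sync Helper registration as medium, and reports Sync Helper as multi-tenant; the credential added outside the 30-day window and the user update are skipped. Correlating the actor of a high finding with the VPN sign-in window from the last recommendation above is the natural next step.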
