Cyber Threat Report: 'Silk Typhoon targeting IT supply chain'

Report Author Microsoft Threat Intelligence
Publication Date 2025-03-05
Original Reporting Source
Attributed to Nation China
Related Intrusion Sets Silk Typhoon
Identified CVEs CVE-2023-3519, CVE-2021-26858, CVE-2021-26857, CVE-2021-26855, CVE-2024-3400, CVE-2021-27065
Victim Sectors National Government, Public Services, Education, Legal Services, Professional Services, Non Profit, Defense, Energy

Silk Typhoon is a sophisticated Chinese state-sponsored espionage group tracked by Microsoft Threat Intelligence. The group has been identified as an opportunistic and well-resourced actor with a history of exploiting zero-day vulnerabilities in public-facing devices. This blog post describes recent findings by Microsoft researchers that indicate Silk Typhoon has shifted its tactics to target IT supply chains, specifically by abusing stolen API keys and credentials associated with privileged access and cloud applications. This access enabled the group to infiltrate the downstream customer environments of the initially compromised companies, with a focus on sectors such as state and local government, IT services, and other critical industries. The group has employed a variety of techniques, including password spray attacks, resetting default admin accounts, implanting web shells, and leveraging its access to perform data exfiltration, often in line with China's strategic interests. These activities demonstrate an advanced understanding of cloud environments and an ability to move laterally, maintain persistence, and exploit multi-tenant applications for data theft. The group's tactics, techniques, and procedures (TTPs) include the exploitation of zero-day vulnerabilities, credential theft, lateral movement into cloud environments, and the use of covert networks to obfuscate its operations. Microsoft Threat Intelligence observed Silk Typhoon manipulating service principals and OAuth applications to access sensitive data through APIs, as well as leveraging compromised infrastructure and short-lease virtual private servers for covert activity. According to Microsoft's reporting, targets of this campaign span multiple sectors, including healthcare, defense, higher education, and energy, with a geographic footprint extending across the United States and globally.
To mitigate these threats, organizations are advised to implement robust patch management, enforce multi-factor authentication, monitor cloud applications for anomalous activity, and scrutinize privilege levels of all identities within their environments.
