
Microsoft warns that the Chinese hacking group Silk Typhoon is seeking to steal corporate data through cloud applications and IT management technology.
Microsoft has warned of a shift in the threat actor's tactics.
Microsoft Threat Intelligence has published a report revealing new tactics from the Chinese threat actor group known as Silk Typhoon. This group has begun focusing its efforts on common IT applications, such as cloud solutions and remote management tools, with the aim of infiltrating the systems of its victims.
Silk Typhoon has been observed attacking a wide range of sectors, including IT services and infrastructure, remote monitoring and management (RMM) providers, healthcare, legal services, defense, and government agencies, among others. By exploiting zero-day vulnerabilities in edge devices and operating with notable technical efficiency, the group has established itself as one of the most prominent Chinese threat actors, with a broad spectrum of targets.
The report describes several detected intrusions involving the abuse of stolen API keys and privileged-access credentials belonging to cloud service providers. Those credentials allowed the group to reach the downstream customer environments of the providers it compromised. The report notes that Silk Typhoon has a strong understanding of how cloud environments are deployed and configured, which enables it to move laterally within networks, maintain persistence, and exfiltrate data from victims' systems quickly.
Since it was first tracked in 2020, Silk Typhoon has used a variety of web shells to execute commands, maintain access, and exfiltrate sensitive information. The group has been identified as responsible for the breach of the U.S. Department of the Treasury, a significant incident in which remote access software provided by BeyondTrust was compromised, giving the attackers access to critical systems.
The Chinese government has repeatedly denied any links to Silk Typhoon or to cyberattack actors in general, urging the U.S. to cease spreading what it describes as "disinformation" regarding its alleged ties to these threat groups.