Microsoft Threat Intelligence warns that the Chinese state-linked threat actor Silk Typhoon is targeting the IT supply chain to compromise primary organizations and access their downstream customers.
The Redmond, Washington-based tech giant says the group abused “stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies” to access downstream customers.
It also utilized conventional tactics such as exploiting zero-day vulnerabilities and password-spraying attacks to gain initial entry and exfiltrate data relevant to the Chinese government’s interests.
Silk Typhoon exploits the IT supply chain for cyberespionage
Silk Typhoon actively scans GitHub repositories and other public resources to find any exposed authentication keys and credentials it could use to compromise primary organizations. It also carries out password-spraying attacks to obtain valid login credentials for initial access.
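Because the group's first move is to look for credentials that were committed to public repositories, the cheapest defence is to catch those commits before they are pushed. The script below is an added example and is not Microsoft's or the article's code: it scans a set of files for a few well-known token shapes (AWS access key IDs, GitHub personal access tokens, Azure storage account keys) plus a generic `name = "value"` pattern, reporting each line once under its most specific rule. The rule set and the minimum length used for the Azure key are assumptions, the sample files are constructed, and the AWS value is the placeholder key Amazon uses in its own documentation.

```python
"""Pre-push scan for credentials that should never reach a repository.

Added example (not the article's or Microsoft's code). The patterns are a
small, constructed rule set and are not exhaustive; the Azure key length
threshold is an assumption. The sample files are constructed for the demo.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str


# Specific formats first, so a line that matches several rules is reported
# once under the most precise one.
RULES = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub personal access token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # Assumed minimum length; real storage keys are long base64 strings.
    ("Azure storage account key", re.compile(r"AccountKey=[A-Za-z0-9+/]{40,}={0,2}")),
    ("generic assigned secret",
     re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"\s]{16,}['\"]")),
]

# A reviewed test fixture can opt out explicitly; the marker itself is the audit trail.
ALLOW_MARKER = "allow-secret"

# Constructed sample repository contents. The AWS value is Amazon's documented
# example key; the Azure key is a run of "A"s, clearly a placeholder.
SAMPLE_FILES: Dict[str, str] = {
    "scripts/backup.py": 'import boto3\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "ci/pipeline.yml": 'deploy:\n  token: "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n',
    "deploy/appsettings.json": (
        '{"Storage": "DefaultEndpointsProtocol=https;AccountName=acct;AccountKey='
        + "A" * 86 + '==;EndpointSuffix=core.windows.net"}\n'
    ),
    # A phrase with spaces is not a token shape and must not be flagged.
    "docs/README.md": 'Set the password: "correct horse battery staple"\n',
    # Explicitly allowed fixture: skipped because of the marker.
    "tests/fixtures.py": 'TOKEN = "ghp_zyxwvutsrqponmlkjihgfedcba9876543210"  # allow-secret\n',
}


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per offending line in a single file."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule_name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, number, rule_name))
                break  # one report per line, under the first (most specific) rule
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, e.g. the staged files of a commit."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def main() -> int:
    """Non-zero exit blocks the push when used as a git hook."""
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line}: possible {f.rule}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Wired into a `pre-push` hook over the staged file list, a non-zero exit from `main()` stops the push; the allow marker keeps deliberate fixtures from turning into permanent noise while leaving a greppable record of every exception.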
Silk Typhoon then uses the stolen API keys from initially compromised organizations to access their downstream customers. The cyberespionage group then performs reconnaissance on targeted devices via an admin account, collecting data that aligns with the Chinese government’s interests.
“The group typically seeks data aligned with Chinese geopolitical interests, focusing on sensitive materials such as government policies, legal documentation, intellectual property, and strategic intelligence across multiple sectors including government, healthcare, IT infrastructure, and energy,” said Casey Ellis, Founder at Bugcrowd.
Microsoft says the group’s current wave of IT supply chain attacks primarily targets state and local government agencies and the IT sector. Silk Typhoon was also attributed the US Treasury Department breach, which leveraged a stolen third-party SaaS API key and resulted in data exfiltration at the department’s Office of Foreign Assets.
Microsoft also observed the group taking additional steps to evade detection and maintain persistence. These included resetting the default admin account via a compromised API key, implanting web shells, creating additional users, and clearing logs to hide its activity.
According to Microsoft, the Chinese-backed cyberespionage group is also adept at exploiting cloud environments, escalating privileges, and moving laterally. Once it compromises an on-premises environment, it attempts to locate an Active Directory dump to steal keys and escalate privileges.
The threat group also compromises multi-tenant applications to move laterally across tenants, access additional resources, and exfiltrate data.
“If the compromised application had privileges to interact with the Exchange Web Services (EWS) API, the threat actors were seen compromising email data via EWS,” Microsoft warned.
Redmond states that Silk Typhoon’s IT supply chain attacks represent a significant shift from its traditional methods of compromise. However, it continues to deploy its conventional tactics alongside the new IT supply chain exploits.
In January 2025, Microsoft observed Silk Typhoon exploiting Ivanti Pulse Connect VPN (CVE-2025-0282) and reported the activity, resulting in prompt resolution and mitigation. In 2021, the Chinese hacking group was also observed exploiting unpatched Microsoft Exchange servers, Palo Alto’s GlobalProtect Gateway devices, and Citrix NetScaler appliances.
Measures to protect against potential IT supply chain attacks
Meanwhile, Microsoft listed Silk Typhoon’s Tactics, Techniques, and Procedures (TTPs) and indicators of compromise (IoCs) to assist network defenders in protecting their organizations from potential IT supply chain attacks.
The recommended hunting steps include inspecting logs for anomalies, monitoring service principals for newly created secrets, scrutinizing multi-tenant applications and their authentications, and looking for newly created users on vulnerable devices. Defenders should also monitor activity related to Microsoft Graph or eDiscovery for exfiltration of SharePoint or email-related data.
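The hunting guidance above describes a pattern rather than a single event: a new secret added to a service principal, a new user created, and a consent grant, all by the same identity within minutes. The script below is an added example, not Microsoft's or the article's code, that turns that pattern into detection logic over constructed audit records. The field names follow the shape of Microsoft Entra audit-log entries (`activityDisplayName`, `initiatedBy`, `targetResources`, here flattened to plain strings for brevity), the activity strings in `WATCHED` are the ones I assume appear in that log and should be checked against real exports, and the 15-minute window and two-action threshold are tuning assumptions.

```python
"""Hunt for the service-principal-secret / new-user / consent pattern in
Entra ID-style audit records.

Added example, not from the article or Microsoft. Records are constructed;
field names follow the Entra audit-log shape but are simplified to strings.
Activity names in WATCHED, the window and the threshold are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Activity names this hunt cares about (assumed; verify against your tenant).
WATCHED = {
    "Add service principal credentials": "new secret or certificate on a service principal",
    "Update application - Certificates and secrets management": "app registration credentials changed",
    "Add user": "new user account created",
    "Consent to application": "multi-tenant application granted consent",
}

# Constructed JSON-lines sample: one identity performs three watched actions in
# three minutes; a second identity performs a single routine "Add user".
SAMPLE_AUDIT_LOG = """\
{"activityDateTime": "2025-03-05T02:14:07Z", "activityDisplayName": "Add service principal credentials", "initiatedBy": "svc-backup@example.test", "targetResources": ["cloud-data-sync"], "result": "success"}
{"activityDateTime": "2025-03-05T02:15:30Z", "activityDisplayName": "Add user", "initiatedBy": "svc-backup@example.test", "targetResources": ["helpdesk2@example.test"], "result": "success"}
{"activityDateTime": "2025-03-05T02:16:02Z", "activityDisplayName": "Consent to application", "initiatedBy": "svc-backup@example.test", "targetResources": ["cloud-data-sync"], "result": "success"}
{"activityDateTime": "2025-03-05T08:45:11Z", "activityDisplayName": "Update user", "initiatedBy": "bob@example.test", "targetResources": ["carol@example.test"], "result": "success"}
{"activityDateTime": "2025-03-05T09:00:00Z", "activityDisplayName": "Add user", "initiatedBy": "alice@example.test", "targetResources": ["newhire@example.test"], "result": "success"}
"""


def parse_audit_log(text: str) -> List[dict]:
    """Parse JSON-lines audit export into records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_watched_events(records: List[dict]) -> List[dict]:
    """Return every record whose activity is on the watch list, annotated with why."""
    hits = []
    for record in records:
        reason = WATCHED.get(record.get("activityDisplayName", ""))
        if reason is None:
            continue
        hits.append({
            "time": record["activityDateTime"],
            "actor": record["initiatedBy"],
            "target": record["targetResources"][0],
            "activity": record["activityDisplayName"],
            "reason": reason,
        })
    return hits


def _ts(value: str) -> datetime:
    # Entra exports use a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cluster_by_actor(hits: List[dict], window: timedelta = timedelta(minutes=15),
                     min_distinct: int = 2) -> Dict[str, List[str]]:
    """Flag actors performing >= min_distinct different watched actions inside
    one window. A single watched action is routine admin work; the burst is
    the persistence pattern described in the article."""
    by_actor: Dict[str, List[dict]] = defaultdict(list)
    for hit in hits:
        by_actor[hit["actor"]].append(hit)

    flagged: Dict[str, List[str]] = {}
    for actor, events in by_actor.items():
        events.sort(key=lambda e: _ts(e["time"]))
        distinct = {e["activity"] for e in events}
        span = _ts(events[-1]["time"]) - _ts(events[0]["time"])
        if len(distinct) >= min_distinct and span <= window:
            flagged[actor] = [e["activity"] for e in events]
    return flagged


if __name__ == "__main__":
    watched = find_watched_events(parse_audit_log(SAMPLE_AUDIT_LOG))
    for actor, chain in cluster_by_actor(watched).items():
        print(f"ALERT {actor}: {' -> '.join(chain)}")
```

On the constructed sample only `svc-backup@example.test` is flagged, because `alice@example.test` performed one watched action in isolation. The same clustering works over a real export once the activity names are confirmed, and the watch list is the natural place to add the Graph and eDiscovery activities the paragraph mentions.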
“The identification of this threat actor, Silk Typhoon, and its tactics helps us understand the implications for enterprise protection,” said Jim Routh, Chief Trust Officer at Saviynt. “The key takeaway for an enterprise is to shrink the attack surface over time by moving to passwordless authentication where it is feasible. The second step is to limit the storage of credentials to specific data stores that have additive controls in place (PAM, continuous validation). The third is to seek network/endpoint capabilities that identify patterns to detect token usage and exploitation.”
The tech giant also recommended implementing additional security measures to prevent IT supply chain attacks by the Chinese cyberespionage group.
They include patching all public-facing devices, monitoring security identities to prevent abuse, reviewing service principals for sign-ins from unknown locations, practicing proper credential hygiene, protecting VPNs with multi-factor authentication, and analyzing all multi-tenant applications and their permissions.