Microsoft Warns of Chinese Cyber Espionage Group Targeting Global IT Supply Chain

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Microsoft’s threat intelligence team has identified a significant shift in tactics by Silk Typhoon, a Chinese government-backed cyber espionage group, known for its role in hacking the U.S. Treasury. The group is now focusing on companies in the global IT supply chain, including IT service providers, remote monitoring and management firms, and managed service providers (MSPs).
Rather than directly attacking high-profile cloud service providers, Silk Typhoon is exploiting stolen API keys and compromised credentials to infiltrate IT supply chain organizations. These breaches allow the attackers to extend their reach into downstream customer environments, gaining access to sensitive data and critical infrastructure.
How the Attack Works
According to Microsoft’s analysis, Silk Typhoon employs a multi-faceted approach to compromising its targets:
Supply Chain Infiltration – The attackers breach IT service providers and MSPs, which serve as access points to multiple downstream clients.
Credential Theft & API Key Abuse – The hackers leverage stolen API keys and compromised credentials to move laterally within networks.
Privilege Escalation via Microsoft Entra Connect – The attackers exploit Microsoft’s Entra Connect (formerly AADConnect) to elevate their privileges and gain deeper control over victim environments.
Exploitation of Zero-Day Vulnerabilities – Silk Typhoon is known for its rapid exploitation of newly discovered software vulnerabilities to breach on-premises and cloud environments.
Abuse of Cloud Applications – The group gains unauthorized access to cloud-based services like Microsoft OneDrive, SharePoint, and Exchange Web Services (EWS) to steal email data and confidential files.
Historical Attacks & Expanding Capabilities
Silk Typhoon has been linked to multiple past exploits, including:
Microsoft Exchange server vulnerabilities
VPN product and firewall appliance compromises
The 2023 U.S. Treasury breach, where the group targeted the foreign investment and sanctions offices by exploiting flaws in BeyondTrust and PostgreSQL software.
Microsoft warns that Silk Typhoon has one of the largest targeting footprints among Chinese cyber actors and is well-equipped to rapidly adopt new attack methods.
New Techniques Observed
Password-Based Attacks
The hackers use password spraying and credential stuffing techniques to gain unauthorized access.
They leverage leaked corporate credentials from public repositories like GitHub to authenticate into enterprise environments.
Once inside, they move laterally using OAuth applications and service principals to access email, cloud storage, and sensitive corporate data.
Weaponizing Microsoft Cloud Services
Silk Typhoon was observed using Microsoft Graph API (MSGraph) and Exchange Web Services (EWS) to exfiltrate data.
The group exploits pre-consented applications within Microsoft tenants, adding their own credentials to maintain persistence and siphon off email communications.
Multi-Tenant Cloud Attacks
The attackers compromise multi-tenant cloud applications, allowing them to move across different tenants and access additional resources.
If the compromised application has high-level privileges, it can facilitate deeper infiltration and data exfiltration across multiple organizations.
Mitigation Strategies
Microsoft is urging organizations—particularly IT service providers, MSPs, and cloud-dependent enterprises—to adopt proactive security measures to combat Silk Typhoon’s tactics. Recommended steps include:
Enhancing API Security – Regularly audit API keys and enforce strict access controls.
Strengthening Credential Protection – Implement multi-factor authentication (MFA) and require strong, frequently rotated passwords.
Securing Cloud Applications – Monitor OAuth applications and limit permissions to the least privilege necessary.
Monitoring for Lateral Movement – Use behavior-based anomaly detection to identify suspicious authentication attempts and unauthorized API calls.
Patching Vulnerabilities Promptly – Regularly update Microsoft Entra Connect, VPN software, and cloud applications to prevent exploitation of known security flaws.
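As an added illustration of the monitoring recommended above (example code written for this page, not Microsoft's or the original post's), the following Python script runs two detections over constructed log records: the password-spraying pattern described under New Techniques Observed, and a credential being added to an existing OAuth application or service principal, the persistence method noted there. The record layout, IP addresses, account names and the audit activity names are assumptions chosen to resemble Entra sign-in and audit logs, not real exports.

```python
"""Two detections for Silk Typhoon behaviours described above, run over constructed
log records (simplified shape, not real Entra exports): password spraying (one source
IP failing sign-in for many accounts) and a credential added to an existing app."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 3, 6, 9, 0)
def _t(minutes):  # builds constructed timestamps relative to T0
    return T0 + timedelta(minutes=minutes)

# Constructed sign-ins: (timestamp, source_ip, account, success)
SIGNINS = [(_t(i), "203.0.113.7", f"user{i}@example.com", False) for i in range(6)]
SIGNINS += [(_t(1), "198.51.100.4", "alice@example.com", False),   # one user mistyping
            (_t(2), "198.51.100.4", "alice@example.com", False),   # her password twice,
            (_t(3), "198.51.100.4", "alice@example.com", True)]    # then succeeding

def detect_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: distinct_failed_accounts} for IPs whose failures span at
    least min_users accounts inside one window. Spraying tries few passwords against
    many accounts, so breadth of usernames per origin is the tell, not depth per account."""
    failures = defaultdict(list)
    for ts, ip, account, ok in records:
        if not ok:
            failures[ip].append((ts, account))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {a for ts, a in events[i:] if ts - start <= window}
            if len(accounts) >= min_users:
                flagged[ip] = len(accounts)
                break
    return flagged

# Constructed audit events: (timestamp, activity, actor, target_application)
AUDIT = [
    (_t(4), "Add service principal credentials", "contractor@example.com", "Mailbox Sync Connector"),
    (_t(5), "Update application - Certificates and secrets management", "itadmin@example.com", "HR Portal"),
    (_t(6), "Add member to group", "itadmin@example.com", "Finance"),
]
KNOWN_ADMINS = {"itadmin@example.com"}  # assumed: the approved owners of app credentials
# Assumed activity names, modelled on Entra audit log activityDisplayName values
CREDENTIAL_ACTIVITIES = {"Add service principal credentials",
                         "Update application - Certificates and secrets management"}

def detect_new_app_credentials(records, known_admins):
    """Return (timestamp, actor, target) for credential additions to existing apps by anyone
    outside the approved set: a secret added to a legitimate pre-consented app surfaces here."""
    return [(ts, actor, target) for ts, activity, actor, target in records
            if activity in CREDENTIAL_ACTIVITIES and actor not in known_admins]
```

Tune `window` and `min_users` to the tenant's normal failure rate, and feed `KNOWN_ADMINS` from the change-management record so that every other credential addition is reviewed.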
Conclusion
Microsoft’s latest warning underscores the growing risk to IT supply chain companies as threat actors shift their focus from direct cloud service attacks to more indirect, yet highly effective supply chain infiltration techniques. Organizations must take immediate action to harden their cloud and on-premises environments against this evolving cyber threat.
By staying vigilant, implementing robust security policies, and closely monitoring API and credential activities, enterprises can mitigate the risks posed by Silk Typhoon and similar state-sponsored cyber threats.