Chinese Hackers Silk Typhoon Escalate Cloud and Telecom Espionage

August 27, 2025

In the last year, cybersecurity researchers have called significant attention to the cyberespionage group tracked as Silk Typhoon, also known as Murky Panda and as HAFNIUM. The group has achieved prominence for its attacks on cloud environments, particularly against the government and tech sectors. Silk Typhoon has shown extensive capabilities in the exploitation of zero-day and n-day vulnerabilities to achieve compromise even against extremely high-value targets. In particular, Silk Typhoon appears to be a master of the supply chain attack, as a recent report from CrowdStrike made clear.

It is notable that Silk Typhoon is one of only a few tracked threat groups known to conduct trusted-relationship compromises in the cloud. In at least two known cases, the group has made use of zero-day vulnerabilities to achieve initial access to SaaS providers’ cloud environments, leveraging that access to achieve lateral movement into the networks of their clients. In one of the known instances, Silk Typhoon was able to obtain access to the SaaS provider’s registration secret, allowing them to authenticate as the service principals of that application and freely log into downstream customers’ environments. In the other known instance, Silk Typhoon compromised a Microsoft cloud solution provider’s admin agent account, gaining global administration privileges in all downstream customers’ tenants. Both cases involved the use of Entra ID.

Similar to other China-nexus threat actors, Silk Typhoon makes extensive use of SOHO routers as infrastructure for their operations, and this is one of the primary ways they can be detected. In order to detect Silk Typhoon activity, it is strongly recommended to closely monitor any and all edge devices, particularly cloud appliances. It is also crucial that security personnel apply all patches to vulnerable devices and software in the cloud environment, prioritizing known remote code execution and server-side request forgery vulnerabilities in public-facing applications.
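The trusted-relationship pattern described above (a provider's service principal secret reused across downstream tenants) combined with the group's preference for SOHO-router infrastructure suggests one concrete detection: service-principal sign-ins using a client secret that arrive from outside the provider's documented egress ranges and touch several customer tenants. The following is an added example, not code from Blackwired or from any vendor; the record layout is a simplified assumption loosely modelled on Entra ID service-principal sign-in logs, and all IPs, tenant names and egress ranges are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records. Field names are an assumption, not the exact
# Microsoft sign-in log schema; adapt them to the export you actually have.
SIGNINS = [
    {"time": "2025-08-20T09:01:00Z", "servicePrincipalId": "sp-saas-app",
     "tenant": "customer-a", "ip": "203.0.113.10", "credentialType": "clientSecret"},
    {"time": "2025-08-20T09:03:00Z", "servicePrincipalId": "sp-saas-app",
     "tenant": "customer-b", "ip": "203.0.113.10", "credentialType": "clientSecret"},
    {"time": "2025-08-20T23:41:00Z", "servicePrincipalId": "sp-saas-app",
     "tenant": "customer-a", "ip": "198.51.100.77", "credentialType": "clientSecret"},
    {"time": "2025-08-20T23:42:00Z", "servicePrincipalId": "sp-saas-app",
     "tenant": "customer-c", "ip": "198.51.100.77", "credentialType": "clientSecret"},
    {"time": "2025-08-20T23:43:00Z", "servicePrincipalId": "sp-saas-app",
     "tenant": "customer-d", "ip": "198.51.100.77", "credentialType": "clientSecret"},
]

# The SaaS provider's documented egress ranges (constructed for this example).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def from_known_egress(ip: str) -> bool:
    """True if the source IP falls inside a documented provider egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def find_suspicious_sp_signins(records, min_tenants: int = 2) -> dict:
    """Map each unexpected source IP to the sorted list of downstream tenants it
    authenticated to with a service-principal client secret, keeping only IPs
    that touched at least `min_tenants` tenants (the fan-out seen in a
    trusted-relationship compromise)."""
    tenants_by_ip = defaultdict(set)
    for r in records:
        if r["credentialType"] != "clientSecret":
            continue  # certificate/managed-identity sign-ins handled elsewhere
        if from_known_egress(r["ip"]):
            continue  # expected provider infrastructure
        tenants_by_ip[r["ip"]].add(r["tenant"])
    return {ip: sorted(t) for ip, t in tenants_by_ip.items() if len(t) >= min_tenants}


if __name__ == "__main__":
    for ip, tenants in find_suspicious_sp_signins(SIGNINS).items():
        print(f"ALERT: service-principal secret used from unexpected IP {ip} "
              f"against {len(tenants)} tenants: {', '.join(tenants)}")
```

In production the egress allowlist should come from the provider's published ranges and the threshold tuned to the provider's normal multi-tenant activity; a single unexpected IP is worth a lower-severity alert on its own.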
