
Silk Typhoon: China's IT Supply Chain Pivot and the Downstream Threat to Every Sector

Executive Summary

Silk Typhoon — the Chinese state espionage group that launched the Exchange ProxyLogon zero-day campaign in 2021 and breached the US Treasury in late 2024 — has undergone a significant tradecraft evolution. Rather than attacking government agencies, defence contractors, and healthcare organisations directly, the group has systematically shifted to compromising the IT service providers, MSPs, RMM vendors, and PAM solutions that already hold privileged access to those same organisations.

The strategic logic is sound: by compromising the entity with the keys to the kingdom, Silk Typhoon gains simultaneous access to hundreds or thousands of downstream targets without the operational overhead of breaching each one individually. Microsoft’s threat intelligence team published the clearest picture of this shift in March 2025. Thirteen months on, the methodology is mature and the indicator set is well-documented — but the targeting scope has only expanded.

Organisations in every sector Adversary Wire covers are exposed: not because Silk Typhoon is targeting them directly, but because the MSP managing their endpoints, the PAM vendor holding their privileged credentials, or the cloud management provider accessing their Azure tenant is in scope.

Threat Actor Profile

Common names: Silk Typhoon (Microsoft, current); HAFNIUM (Microsoft, legacy, 2021); tracked by various vendors under additional aliases.

Attribution: Chinese state — assessed with high confidence to be operating under the direction of China’s Ministry of State Security (MSS). The group’s targeting priorities align closely with MSS intelligence collection requirements: government agencies with foreign policy remit, defence industrial base, healthcare research (particularly COVID-era pharmaceutical and public health data), and financial intelligence.

Active since: At minimum 2019. The earliest documented Silk Typhoon campaigns targeted internet-facing systems for initial access, with post-compromise behaviour focused on email and document exfiltration.

Operational tempo: Continuous, persistent. The group operates with the patience and operational security of a well-resourced intelligence programme. Intrusions often persist undetected for months; the 2024 Treasury breach was not discovered until a BeyondTrust vulnerability disclosure prompted an internal investigation.

Silk Typhoon is technically sophisticated and operationally careful. It studies its target environments before acting — a characteristic that distinguishes it from more opportunistic Chinese groups and from financially motivated actors.

The Tradecraft Shift: From Direct Exploitation to Supply Chain

Before 2025, Silk Typhoon’s primary initial access method was direct exploitation of internet-facing infrastructure. The ProxyLogon campaign exploited a server-side request forgery vulnerability in Exchange (CVE-2021-26855) combined with a post-authentication arbitrary file write to deploy web shells — a capability that was almost certainly developed well before Microsoft’s advisory. The group hit tens of thousands of Exchange servers in a brief window before the patch.

The 2024 Treasury breach followed a similar pattern: exploitation of a zero-day in BeyondTrust’s privileged remote access appliance gave the group authenticated access to Treasury workstations and the ability to access unclassified documents. No credential theft from the Treasury itself — just a compromised vendor tool.

The thread running through both incidents is the exploitation of privileged access mechanisms. The supply chain shift formalises this: instead of finding a zero-day in a single vendor product to get one pivot, Silk Typhoon targets the companies whose business model is built on having privileged access to many organisations.

What the group targets in IT service providers:

  • API keys and credentials associated with PAM platforms, cloud management consoles, and identity providers. A single compromised PAM vendor API key can grant access to every customer tenant that vendor manages.
  • Remote monitoring and management (RMM) tool credentials. RMM platforms like ConnectWise and NinjaRMM are designed to have persistent, elevated access to managed endpoints. A compromised RMM credential is a foothold into every managed device on the platform.
  • Entra Connect servers. In hybrid Active Directory/Azure AD environments, the Entra Connect server synchronises identity between on-premises AD and the Entra ID tenant. Compromising this server allows the attacker to access both environments, inject credentials, and achieve persistent cloud identity access.
  • Microsoft Graph and EWS API access. Post-compromise, Silk Typhoon creates service principals with OAuth permissions and uses the Graph API to exfiltrate email, SharePoint documents, and OneDrive files without requiring direct access to individual inboxes.

TTPs and Tradecraft

Initial Access

Silk Typhoon uses multiple initial access paths, often exploiting the lowest-resistance entry point for a given target:

Exploit internet-facing appliances. The group has a demonstrated track record of exploiting zero-days and recent CVEs in VPN appliances and remote access tools. CVE-2025-0282 (Ivanti Pulse Connect VPN stack overflow) was attributed to Silk Typhoon exploitation against IT service provider targets in early 2025.

Credential stuffing and password spray. Silk Typhoon systematically scrapes public repositories (GitHub, Pastebin, code hosting sites) for leaked corporate credentials. When harvested credentials match valid accounts, the group authenticates directly to SaaS platforms, cloud consoles, and web-facing admin portals. Password spraying against corporate SSO endpoints is used where credential reuse is likely but not confirmed.

Purchasing access via initial access brokers. In cases where IT service provider environments are already compromised by financially motivated actors, Silk Typhoon has been assessed to purchase that access — a capability that commoditises the initial access phase and reduces their attribution footprint.

Lateral Movement and Privilege Escalation

Once inside a target IT service provider, the group moves toward the highest-value credential stores:

  • Dumps credentials from key vaults and PAM databases
  • Searches documentation systems and file shares for plaintext passwords stored by engineers
  • Targets Entra Connect servers specifically — the server that syncs identities is the highest-privilege system in a hybrid environment
  • Resets default admin accounts via API key where PAM platforms allow programmatic account management

Within cloud environments, the group demonstrates sophisticated knowledge of Azure identity architecture. Service principal manipulation — creating new principals with high-privilege OAuth consents — provides persistent access that survives password resets and device wipes.

Data Exfiltration

The primary objective is intelligence collection. Silk Typhoon focuses on:

  • Diplomatic and foreign policy correspondence
  • Defence and procurement data
  • Healthcare research and public health policy data
  • Treasury and financial intelligence

Exfiltration typically uses the Graph API and Exchange Web Services to access email and document repositories. This approach generates less anomalous traffic than bulk file transfers and blends with legitimate cloud service activity.

Operational Security

Silk Typhoon clears logs following high-sensitivity operations and uses infrastructure that blends with the IT environment of the victim — routing through cloud infrastructure, compromised small office routers, and Operational Relay Boxes (ORBs) that obscure true origin. The ORB network technique, documented in relation to multiple Chinese APT groups, has been observed in Silk Typhoon campaigns.

Target Sectors and Historical Incidents

US Federal Government: The US Treasury breach (December 2024) compromised workstations in the Office of the Comptroller of the Currency and, reportedly, CFIUS (the foreign investment review body). The breach exploited a BeyondTrust appliance vulnerability, consistent with Silk Typhoon’s appliance exploitation pattern.

IT Services and MSPs: Since 2025, IT management companies have become primary targets rather than stepping stones. The downstream value of MSP access has made this category the highest-priority sector for the group.

Healthcare: Silk Typhoon extensively targeted infectious disease research institutions during 2020-2021, consistent with COVID-era intelligence collection requirements. Healthcare organisations remain a secondary target.

Legal and Financial Services: Law firms with M&A or foreign policy exposure, and financial institutions with Treasury or sovereign wealth fund counterparty relationships, are persistently targeted for the intelligence value of their correspondence.

Defence Industrial Base: US and allied defence contractors are in scope, consistent with the broader pattern of Chinese state espionage targeting technology transfer opportunities.

Defensive Implications

For IT service providers: The threat model has fundamentally changed. If you hold API keys, credentials, or persistent agent access to customer environments, you are a priority target for Silk Typhoon and similar groups. Segregate customer credentials at the infrastructure level, not just logically. Apply MFA to all management APIs. Audit service principal permissions aggressively.

For organisations using MSPs: Ask your managed service provider for evidence of their identity security architecture. How are your API keys stored? Can a compromise of the MSP’s management environment reach your tenant without triggering alerts on your side? What monitoring does the MSP perform on access from their platforms to your environment?

For hybrid cloud environments: Entra Connect servers must be treated as Tier 0 assets — equivalent in sensitivity to your domain controllers. Access should be restricted, audited, and monitored with the same rigour as any privileged system.

Detection priorities:

  • Service principal creation events in Entra ID, particularly those granting Mail.Read, Files.ReadWrite, or similar sensitive Graph API permissions
  • Entra Connect server authentication events from unusual sources
  • PAM platform API calls that do not match normal management tooling behaviour
  • Graph API calls originating from service principals not associated with recognised applications
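As an added example (not code from the article, from Microsoft, or from any vendor tooling), the following Python script runs the service principal, Entra Connect and Graph API detection priorities above over a handful of constructed Entra ID audit and sign-in records. It also serves the earlier point that Entra Connect servers are Tier 0 assets whose sign-ins deserve the same scrutiny as a domain controller's. The field names (`activity`, `appRole`, `principal`, `ip`, `resource`) are simplified assumptions rather than the exact Entra export schema; the set of sensitive app roles, the recognised service principals, the sync account name and its expected source network are placeholders to replace with your tenant's values. The PAM platform API priority depends on each vendor's log format and is not covered here.

```python
"""Detection checks for the identity-abuse patterns listed above.

Added example, not code from the original article or from Microsoft.
Log records are constructed samples shaped loosely like Entra ID audit and
sign-in exports; field names are simplified assumptions, not the real schema.
"""
import ipaddress
from dataclasses import dataclass

# Graph application permissions broad enough to read mail or files tenant-wide.
# Assumption: extend this set to match what your tenant treats as sensitive.
SENSITIVE_APP_ROLES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Directory.ReadWrite.All",
}

# Placeholder allowlists (assumptions): service principals the organisation
# recognises, the Entra Connect sync account, and the only network the Entra
# Connect server should ever authenticate from.
KNOWN_SERVICE_PRINCIPALS = {"sp-backup-agent", "sp-hr-integration"}
ENTRA_CONNECT_ACCOUNTS = {"Sync_AADCONNECT01_placeholder@contoso.onmicrosoft.com"}
ENTRA_CONNECT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


@dataclass
class Finding:
    rule: str
    record_id: str
    detail: str


def check_audit(records):
    """Flag new service principals and grants of sensitive Graph app roles."""
    findings = []
    for rec in records:
        if rec["activity"] == "Add service principal":
            findings.append(Finding("new-service-principal", rec["id"],
                                    f"{rec['target']} created by {rec.get('initiator', '?')}"))
        elif (rec["activity"] == "Add app role assignment to service principal"
              and rec.get("appRole") in SENSITIVE_APP_ROLES):
            findings.append(Finding("sensitive-graph-permission", rec["id"],
                                    f"{rec['target']} granted {rec['appRole']}"))
    return findings


def check_signins(records):
    """Flag Entra Connect sync sign-ins from unexpected networks and Graph
    access by service principals that are not on the recognised list."""
    findings = []
    for rec in records:
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            # A source that does not parse is itself worth a look rather than a silent skip.
            findings.append(Finding("unparseable-source", rec["id"], rec["ip"]))
            continue
        if rec["principal"] in ENTRA_CONNECT_ACCOUNTS:
            if not any(src in net for net in ENTRA_CONNECT_NETWORKS):
                findings.append(Finding("entra-connect-unusual-source", rec["id"],
                                        f"sync account authenticated from {src}"))
        elif (rec.get("kind") == "servicePrincipal"
              and rec.get("resource") == "Microsoft Graph"
              and rec["principal"] not in KNOWN_SERVICE_PRINCIPALS):
            findings.append(Finding("unrecognised-sp-graph-access", rec["id"],
                                    f"{rec['principal']} called Graph from {src}"))
    return findings


# Constructed sample records (not real telemetry).
AUDIT_LOGS = [
    {"id": "a1", "activity": "Add service principal", "target": "sp-finance-sync",
     "initiator": "admin@contoso.onmicrosoft.com"},
    {"id": "a2", "activity": "Add app role assignment to service principal",
     "target": "sp-finance-sync", "appRole": "Mail.Read"},
    {"id": "a3", "activity": "Add app role assignment to service principal",
     "target": "sp-hr-integration", "appRole": "User.Read.All"},
]
SIGNIN_LOGS = [
    {"id": "s1", "principal": "Sync_AADCONNECT01_placeholder@contoso.onmicrosoft.com",
     "ip": "10.20.0.15", "kind": "user"},
    {"id": "s2", "principal": "Sync_AADCONNECT01_placeholder@contoso.onmicrosoft.com",
     "ip": "203.0.113.7", "kind": "user"},
    {"id": "s3", "principal": "sp-finance-sync", "ip": "203.0.113.9",
     "kind": "servicePrincipal", "resource": "Microsoft Graph"},
    {"id": "s4", "principal": "sp-backup-agent", "ip": "10.20.0.30",
     "kind": "servicePrincipal", "resource": "Microsoft Graph"},
]


def run_all():
    return check_audit(AUDIT_LOGS) + check_signins(SIGNIN_LOGS)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.rule}] {f.record_id}: {f.detail}")
```

Run against the sample data, the script raises four findings: the new `sp-finance-sync` principal, its `Mail.Read` grant, the sync account signing in from outside its home network, and the unrecognised principal calling Graph. The `User.Read.All` grant to a known principal and the sync account's normal sign-in are not flagged, which is the point of keeping the allowlists explicit and reviewed rather than alerting on every event.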

Threat intelligence integration: Silk Typhoon’s ORB network infrastructure has been partially mapped by Microsoft and Recorded Future. Incorporating current Silk Typhoon indicators into your perimeter and proxy detection capability provides marginal but meaningful coverage for the initial access phase.
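As an added example, not code from the article, Microsoft or Recorded Future, the following Python script shows the perimeter-side matching this paragraph describes: proxy log lines are parsed and each destination host and IP is checked against an indicator list. The indicator values are placeholders taken from the RFC 5737 documentation ranges and the reserved `.invalid` domain, not Silk Typhoon indicators, and the five-field log layout is an assumed format; both would be replaced by the current vendor feed and your proxy's actual schema.

```python
"""Match web proxy logs against a network indicator list.

Added example, not from the article. The indicator values are PLACEHOLDERS
drawn from RFC 5737 documentation ranges and the reserved .invalid TLD; they
are not Silk Typhoon indicators. Load the current vendor feed in their place.
"""
import ipaddress
import re

# PLACEHOLDER indicators (assumption): replace with the current feed.
INDICATOR_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.44/32"),
]
INDICATOR_DOMAINS = {"relay-placeholder.invalid"}

# Assumed log layout: timestamp, client IP, destination host, destination IP, status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})$"
)


def match_indicators(host, dst_ip):
    """Return the reasons a destination matches the indicator list, if any."""
    reasons = []
    host = host.lower().rstrip(".")
    for dom in sorted(INDICATOR_DOMAINS):
        # Exact match or any subdomain of a listed domain.
        if host == dom or host.endswith("." + dom):
            reasons.append(f"domain:{dom}")
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return reasons  # destination IP missing or malformed; the domain check still counts
    for net in INDICATOR_NETWORKS:
        if addr in net:
            reasons.append(f"network:{net}")
    return reasons


def scan(lines):
    """Parse proxy log lines and return the hits; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reasons = match_indicators(m["host"], m["dst"])
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "host": m["host"], "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic); destinations use documentation ranges.
PROXY_LOGS = """\
2026-04-02T10:15:01Z 10.1.4.22 login.microsoftonline.com 192.0.2.1 200
2026-04-02T10:15:07Z 10.1.4.22 relay-placeholder.invalid 198.51.100.17 200
this line is malformed and must be skipped
2026-04-02T10:16:00Z 10.1.9.5 updates.example.com 203.0.113.44 304
2026-04-02T10:16:30Z 10.1.9.5 sub.relay-placeholder.invalid 192.0.2.10 200
""".splitlines()


if __name__ == "__main__":
    for hit in scan(PROXY_LOGS):
        print(hit["ts"], hit["src"], hit["host"], ",".join(hit["reasons"]))
```

Matching subdomains as well as exact hostnames matters because relay infrastructure is often rotated under a stable parent domain, and keeping the domain and network checks independent means a hit on either still surfaces even when the other field is missing or unparseable.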

The broader lesson from the Silk Typhoon pivot is structural. The security model that assumes your perimeter is what you directly control has always been incomplete — but in 2026, it is a strategic blind spot. If you’re not assessing the security posture of the entities with privileged access to your environment, you’re not assessing your risk.