(TLP:CLEAR) Silk Typhoon, Another Chinese-Affiliated Threat Actor, Targets IT Supply Chains

Summary: Yesterday, in a blog post, Microsoft Threat Intelligence shared new details about the Chinese-affiliated cyber threat actor known as Silk Typhoon. They warn that Silk Typhoon is targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers. Microsoft has confirmed breaches across multiple sectors including government, IT services, healthcare, defense, education, NGOs, and energy.  

Analyst Note: Silk Typhoon has gained notoriety in recent months after being linked to the U.S. Treasury Incident in late December, 2024. Microsoft has mentioned a shift in the group’s tactics away from focusing on organization-level breaches and towards Managed Service Provider (MSP) and cloud-level attacks allowing them to move within cloud environments, including stealing Active Directory credentials and abusing OAuth applications creating a much stealthier attack.

Members are encouraged to review Microsoft’s list of updated indicators of compromise (IOCs) and detection rules that reflect Silk Typhoon’s latest shift in tactics and add them to their security tools to timely detect and block any potential attacks. Utilities that outsource technology support are urged to consult with their support vendors for assistance in recognizing and searching for these indicators and with applying the detection rules mentioned.

Original Source: https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/

Additional Reading:

• Silk Typhoon hackers now target IT supply chains to breach networks
• US Treasury hack linked to Silk Typhoon Chinese state hackers

Mitigation Recommendations:

• Silk Typhoon targeting IT supply chain

Related WaterISAC PIRs: 6, 6.1, 7, 7.1, 10, 10.2, 11, 12