Silk Typhoon abusing IT providers and stolen credentials in supply chain attacks

Microsoft Threat Intelligence revealed that Silk Typhoon is exploiting stolen API keys, OAuth credentials, and PAM credentials in supply chain attacks.

What Happened?

Microsoft Threat Intelligence revealed that Silk Typhoon, a sophisticated Chinese espionage group, is increasingly exploiting stolen API keys, OAuth credentials, and Privileged Access Management (PAM) credentials in supply chain attacks. The group specifically targets IT services, cloud applications, and IT providers to gain unauthorized access and compromise downstream customers, particularly affecting state and local governments, as well as IT sector entities.

Exploitation Methods

  • Initial Access: Leveraging zero-day vulnerabilities, compromised third-party services, and password spraying.
  • Credential Abuse: Utilizing stolen corporate credentials exposed in public GitHub repositories.
  • API Key Misuse: Employing stolen API keys to infiltrate customer environments, access sensitive data, and maintain persistent access.
  • OAuth App Manipulation: Hijacking existing OAuth apps with administrative privileges, adding attacker-controlled passwords, and extracting email, OneDrive, and SharePoint data via the Microsoft Graph API.
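The OAuth-app pattern above (a new secret quietly attached to an existing app that already holds broad Microsoft Graph permissions) is something a defender can hunt for in the tenant's application audit log. The following detector is an added example, not code from the original post or from Microsoft; it assumes a simplified audit-event shape, assumed activity names, a constructed app inventory and constructed sample events:

```python
"""Flag new credentials added to OAuth apps that hold high-privilege Graph permissions.

Constructed example: the event fields, activity names and sample values are
assumptions in a simplified audit-log shape, not a real tenant export.
"""
import json
from datetime import datetime

# Application permissions on Microsoft Graph that expose mail, OneDrive or SharePoint
# tenant-wide; an app holding these plus a fresh, unexpected secret is the pattern above.
HIGH_PRIV_PERMS = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                   "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"}

# Audit activities that attach a new credential to an app or service principal
# (assumed names for this example).
CREDENTIAL_ADD_ACTIVITIES = {"Update application - Certificates and secrets management",
                             "Add service principal credentials"}

# Constructed sample data: app inventory and three audit events (not real tenant data).
APP_PERMISSIONS = {
    "app-legacy-backup": {"Mail.Read", "Files.Read.All"},
    "app-helpdesk-widget": {"User.Read"},
}
SAMPLE_AUDIT_JSONL = """
{"time": "2025-03-05T10:02:11Z", "activity": "Add service principal credentials", "app": "app-legacy-backup", "actor": "svc-admin@contoso.example", "credential_type": "Password"}
{"time": "2025-03-05T10:05:40Z", "activity": "Add service principal credentials", "app": "app-helpdesk-widget", "actor": "dev@contoso.example", "credential_type": "Password"}
{"time": "2025-03-05T11:30:00Z", "activity": "Update user", "app": null, "actor": "hr@contoso.example", "credential_type": null}
"""

def parse_events(jsonl):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

def flag_credential_additions(events, app_perms):
    """Return one alert per new credential on an app holding high-privilege Graph permissions."""
    alerts = []
    for ev in events:
        if ev.get("activity") not in CREDENTIAL_ADD_ACTIVITIES:
            continue
        risky = app_perms.get(ev["app"], set()) & HIGH_PRIV_PERMS
        if not risky:
            continue  # low-privilege app: a new secret there is noise, not this attack pattern
        alerts.append({
            "time": datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "app": ev["app"],
            "actor": ev["actor"],
            "credential_type": ev["credential_type"],
            "exposes": sorted(risky),
        })
    return alerts

if __name__ == "__main__":
    for a in flag_credential_additions(parse_events(SAMPLE_AUDIT_JSONL), APP_PERMISSIONS):
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['actor']} added {a['credential_type']} "
              f"to {a['app']} (exposes {', '.join(a['exposes'])})")
```

Every alert should be reconciled against a change ticket; an unexplained secret on an app with mail or file permissions warrants revoking the credential and reviewing that app's Graph activity.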

Persistence and Evasion

  • Resetting administrative accounts through compromised API keys.
  • Deploying web shells and creating unauthorized user accounts.
  • Methodically clearing logs to evade detection and obscure activities.

Notable Incidents

  • Exploited Ivanti Pulse Connect VPN zero-day vulnerability (CVE-2025-0282).
  • Compromised Treasury Department using stolen BeyondTrust API keys in the December 2024 breach.

Recommended Actions
