Microsoft Warns: Chinese Espionage Group Silk Typhoon Escalates Attacks
Microsoft has issued guidance to help organizations counter the growing threat from Silk Typhoon, a Chinese state-sponsored espionage group also tracked as Hafnium. The group is exploiting unpatched vulnerabilities in public-facing devices and abusing stolen credentials to infiltrate networks worldwide.
Silk Typhoon is known for its sophisticated tradecraft, including the use of covert networks of compromised edge devices to hide the origin of its traffic. It gains initial access through unpatched, internet-facing applications and then escalates privileges from that foothold. Separately, Google researchers have warned that US technology, legal, and SaaS organizations have been targeted by BRICKSTORM backdoor campaigns attributed to UNC5221, a cluster that some analysts associate with Silk Typhoon.
The group is abusing stolen API keys and credentials, in part taken from privileged access management, cloud application, and cloud data management providers, and conducting password spray attacks to gain access to networks. Once inside, it moves laterally from on-premises environments into cloud infrastructure, dumping Active Directory, stealing passwords from key vaults, and abusing service principals and OAuth applications to reach tenant data. To mitigate these risks, Microsoft advises organizations to patch public-facing devices, secure privileged accounts, and monitor for anomalous activity. Companies are also urged to audit service principals, scrutinize multi-tenant applications and the permissions granted to them, and enforce zero-trust principles to limit exposure.
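To make the service principal audit concrete, the following Python is an added example (it is not part of the original article or of Microsoft's guidance). It runs over a constructed export of Entra ID service principals and flags the three things a defender would check first: credentials added recently, applications owned by another tenant (multi-tenant apps), and high-privilege application permissions such as Mail.Read or Directory.ReadWrite.All. The field names displayName, appOwnerOrganizationId, passwordCredentials and keyCredentials follow the Microsoft Graph servicePrincipal resource; grantedAppRoles, the tenant ids, timestamps and the fixed clock are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed values: a fake tenant id and a fixed clock so the run is reproducible.
OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"
NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)
RECENT_DAYS = 30

# Application permissions that let a service principal read mailboxes and files or
# rewrite the directory. An attacker holding a key for such an app needs no user.
HIGH_PRIVILEGE_ROLES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
}

# Constructed sample export. "grantedAppRoles" is an assumed field: in Graph the
# granted application permissions come from a separate appRoleAssignments call.
SERVICE_PRINCIPALS = [
    {"displayName": "Payroll Sync", "appOwnerOrganizationId": OUR_TENANT_ID,
     "passwordCredentials": [{"startDateTime": "2024-06-01T09:00:00Z"}],
     "keyCredentials": [], "grantedAppRoles": ["User.Read.All"]},
    {"displayName": "MailArchiver",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "passwordCredentials": [{"startDateTime": "2023-05-12T10:00:00Z"},
                             {"startDateTime": "2025-03-08T02:14:00Z"}],
     "keyCredentials": [], "grantedAppRoles": ["Mail.Read", "Files.Read.All"]},
    {"displayName": "Legacy Reporting", "appOwnerOrganizationId": OUR_TENANT_ID,
     "passwordCredentials": [],
     "keyCredentials": [{"startDateTime": "2025-02-20T23:41:00Z"}],
     "grantedAppRoles": ["Directory.ReadWrite.All"]},
    {"displayName": "Helpdesk Bot",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "passwordCredentials": [{"startDateTime": "2023-01-15T08:00:00Z"}],
     "keyCredentials": [], "grantedAppRoles": ["User.Read"]},
]


def parse_graph_time(value):
    """Graph timestamps end in 'Z'; older fromisoformat() needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_service_principal(sp, now=NOW, tenant_id=OUR_TENANT_ID, recent_days=RECENT_DAYS):
    """Return {'severity': ..., 'findings': [...]} for one service principal."""
    cutoff = now - timedelta(days=recent_days)
    credentials = sp.get("passwordCredentials", []) + sp.get("keyCredentials", [])
    recent_creds = [c["startDateTime"] for c in credentials
                    if parse_graph_time(c["startDateTime"]) >= cutoff]
    owner = sp.get("appOwnerOrganizationId")
    foreign_owner = bool(owner) and owner != tenant_id
    risky_roles = sorted(set(sp.get("grantedAppRoles", [])) & HIGH_PRIVILEGE_ROLES)

    findings = [f"credential added {t} (within {recent_days} days)" for t in recent_creds]
    if foreign_owner:
        findings.append(f"multi-tenant app owned by tenant {owner}")
    if risky_roles:
        findings.append("high-privilege application permissions: " + ", ".join(risky_roles))

    # A fresh credential or an outside owner on an app that can already read mail or
    # rewrite the directory is the combination worth paging someone about.
    if risky_roles and (recent_creds or foreign_owner):
        severity = "high"
    elif recent_creds or foreign_owner or risky_roles:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "findings": findings}


def audit(service_principals, **kwargs):
    """Map displayName -> result for every service principal that has findings."""
    results = {}
    for sp in service_principals:
        result = audit_service_principal(sp, **kwargs)
        if result["severity"] != "none":
            results[sp["displayName"]] = result
    return results


if __name__ == "__main__":
    for name, result in sorted(audit(SERVICE_PRINCIPALS).items(),
                               key=lambda kv: kv[1]["severity"]):
        print(f"[{result['severity'].upper()}] {name}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Against a real tenant the export would come from Graph (GET /servicePrincipals plus each object's appRoleAssignments) with the organization's own tenant id and the current time; the review that follows is the same, and "recent" should be tuned to how often the organization legitimately rotates application secrets.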
Silk Typhoon has a large targeting footprint, affecting sectors such as IT services, healthcare, government, and higher education, with victims in the US and beyond. The group has exploited widely deployed IT solutions and cloud applications for initial access, including zero-day vulnerabilities such as CVE-2025-0282 in Ivanti Connect Secure VPN (formerly Pulse Connect Secure). Organizations are advised to stay vigilant and follow Microsoft's guidance to protect against these evolving threats.