The China-linked advanced persistent threat (APT) group Silk Typhoon has shown a rare ability to compromise trusted relationships in the cloud.
That’s one of the key takeaways from new research by CrowdStrike, which calls the Silk Typhoon group “Murky Panda.” Another is the APT group’s ability to rapidly weaponize n-day and zero-day vulnerabilities, gaining initial access to systems through vulnerabilities such as CVE-2023-3519 in Citrix NetScaler ADC and NetScaler Gateway and CVE-2025-3928 in Commvault.
CrowdStrike detailed some of the group’s tactics, techniques and procedures (TTPs) – in addition to two compromises of Software as a Service (SaaS) providers.
Among Silk Typhoon’s tactics is using compromised SOHO devices as a final exit node, which is also used by other Chinese APT groups to mask their activity “as legitimate activity originating from the same country in which the victim is located.”
The group has used RDP, web shells such as Neo-reGeorg, and occasionally malware such as CloudedHope to move laterally within compromised networks and establish persistence, pivoting to cloud environments from there.
Silk Typhoon Supply Chain Attacks
Silk Typhoon is one of only “a few tracked adversaries that conduct trusted-relationship compromises in the cloud,” CrowdStrike researchers said in their blog post. “Due to the activity’s rarity, this initial access vector to a victim’s cloud environment remains relatively undermonitored compared to more prominent initial access vectors such as valid cloud accounts and exploiting public-facing applications.”
Through that rarely used initial access vector, the group “likely intends for their access to downstream victims to remain undetected, enabling prolonged access.”
CrowdStrike detailed two examples of the group’s software supply chain attacks.
The group exploited zero-day vulnerabilities for initial access to the SaaS providers’ cloud environments, then “determined the compromised SaaS cloud environments’ logic, enabling them to leverage their access to that software to move laterally to downstream customers.”
At least one of the SaaS providers was using Entra ID to manage its application’s access to downstream customers’ data. The threat actors likely gained access to the SaaS provider’s application registration secret, which the group was able to use to authenticate as the service principals of the application and log into customer environments and then access customer emails.
In the other incident, Silk Typhoon compromised a Microsoft cloud solution provider, using access to customer Entra tenants via delegated administrative privileges (DAP). The threat actors had compromised a user in the Admin Agent group “and thus had Global Administrator privileges in all downstream customers’ tenants,” and escalated their privileges from there.
Defending Against Silk Typhoon
CrowdStrike offered several recommendations for detecting Silk Typhoon activity, such as auditing Entra ID service principals’ credentials, particularly newly added credentials.
Another recommendation is to enable Microsoft Graph activity logs to monitor resources accessed via Microsoft Graph, including which service principal accessed them.
Other recommendations include hunting for service principal activities that deviate from expected actions, and hunting for Entra ID service principal sign-ins from unexpected networks.
