@turin.medet, 06-03-2025
Cybersecurity experts at Microsoft have observed that the Chinese espionage group known as Silk Typhoon has started using publicly available IT solutions to infiltrate networks. Instead of solely targeting vulnerabilities in critical systems, they are now focusing on everyday tools such as remote management applications and cloud services.
This shift in tactics aligns with trends observed among other advanced espionage groups worldwide. Previously, in May 2024, it was reported that Russian hackers were moving away from custom-developed malware in favor of more accessible malicious software. A similar trend was recorded in Iran in August 2024, where local hackers collaborated with ransomware groups in attacks against the United States.
Exploiting Vulnerabilities
Previously, Silk Typhoon relied on rare zero-day vulnerabilities, scanning weakly protected devices such as firewalls and VPNs. However, they have now also set their sights on widely used solutions that many organizations rely on, including remote management tools and cloud applications.
While Microsoft confirms that its own cloud services have not been directly attacked, Silk Typhoon exploits unpatched applications to infiltrate systems. The group is known for abusing stolen keys and login credentials to compromise target systems, then leveraging this access to penetrate further into networks—including those used by Microsoft—in pursuit of information related to U.S. policy and legislation.
Tactical Shift
This change in tactics affects multiple sectors, from government and healthcare institutions to IT services and educational organizations. By targeting everyday IT tools, Silk Typhoon takes advantage of the fact that many organizations may overlook these applications even when they have up-to-date security measures. Once inside, they employ various techniques to move laterally within networks, access confidential data, and even interfere with email and data storage operations.
Microsoft recommends several key steps to protect against Silk Typhoon:
Always update systems and software, as unpatched vulnerabilities are often the easiest entry points for attackers.
Use strong authentication methods, such as multi-factor authentication and unique passwords, to enhance protection against unauthorized access.
For system administrators, monitoring network activity is crucial to detecting unusual behavior, such as unexpected changes to administrative data that may indicate a security breach. Additionally, organizations should carefully manage API keys and service credentials, restricting access to prevent their exploitation by threat actors.
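The last two recommendations, watching for unexpected administrative changes and keeping service credentials under control, are the ones a detection engineer can turn into a routine check. The following is an added example, not Microsoft's guidance or any vendor's tooling: it runs two simple checks over a constructed audit log and a constructed credential inventory (the JSON field names, action names, change-ticket convention and maintenance window are all assumptions). Sensitive administrative actions such as adding a credential to a service principal or adding a member to an admin role are flagged when they lack an approved change ticket or occur outside the maintenance window, and service credentials are flagged when they never expire or are older than the rotation policy.

```python
"""Flag unexpected administrative changes and stale service credentials.

Added example: the log schema, action names and policy values below are
assumptions made for illustration, not any product's real format.
"""
import json
from datetime import datetime, timezone

# Constructed sample audit events (JSON lines). Field names are hypothetical.
SAMPLE_AUDIT_LOG = """\
{"ts": "2025-03-05T09:12:00Z", "actor": "alice@example.test", "action": "AddServicePrincipalCredential", "target": "sp-billing", "approved_change": "CHG-1021"}
{"ts": "2025-03-05T23:47:00Z", "actor": "svc-backup@example.test", "action": "AddServicePrincipalCredential", "target": "sp-mailbox-reader", "approved_change": null}
{"ts": "2025-03-06T02:03:00Z", "actor": "svc-backup@example.test", "action": "AddRoleMember", "target": "Global Administrator", "approved_change": null}
{"ts": "2025-03-06T10:15:00Z", "actor": "bob@example.test", "action": "UpdateUserProfile", "target": "bob@example.test", "approved_change": null}
"""

# Constructed inventory of API keys / client secrets. Field names are hypothetical.
SAMPLE_CREDENTIALS = [
    {"id": "key-01", "owner": "sp-billing", "created": "2025-02-20T00:00:00Z", "expires": "2025-08-20T00:00:00Z"},
    {"id": "key-02", "owner": "sp-mailbox-reader", "created": "2024-01-10T00:00:00Z", "expires": None},
    {"id": "key-03", "owner": "sp-ci", "created": "2024-11-01T00:00:00Z", "expires": "2026-11-01T00:00:00Z"},
]

# Administrative actions that should always be tied to an approved change
# (assumed names, chosen to resemble typical identity-provider audit events).
SENSITIVE_ACTIONS = {
    "AddServicePrincipalCredential",
    "AddRoleMember",
    "UpdateApplicationPermissions",
    "CreateInboxRule",
}


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unexpected_admin_changes(log_text, maintenance_hours=range(8, 18)):
    """Return sensitive admin events that lack an approved change ticket or
    happened outside the maintenance window (08:00-17:59 UTC by default)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["action"] not in SENSITIVE_ACTIONS:
            continue  # routine activity, not an administrative change
        reasons = []
        if not event.get("approved_change"):
            reasons.append("no approved change ticket")
        if parse_ts(event["ts"]).hour not in maintenance_hours:
            reasons.append("outside maintenance window")
        if reasons:
            findings.append({
                "ts": event["ts"],
                "actor": event["actor"],
                "action": event["action"],
                "target": event["target"],
                "reasons": reasons,
            })
    return findings


def find_stale_credentials(credentials, now, max_age_days=180):
    """Return credentials that never expire or exceed the rotation policy age."""
    stale = []
    for cred in credentials:
        reasons = []
        if cred["expires"] is None:
            reasons.append("never expires")
        age_days = (now - parse_ts(cred["created"])).days
        if age_days > max_age_days:
            reasons.append(f"{age_days} days old, policy is {max_age_days}")
        if reasons:
            stale.append({"id": cred["id"], "owner": cred["owner"], "reasons": reasons})
    return stale


if __name__ == "__main__":
    for f in find_unexpected_admin_changes(SAMPLE_AUDIT_LOG):
        print("ADMIN CHANGE", f["ts"], f["actor"], f["action"], f["target"], "; ".join(f["reasons"]))
    for c in find_stale_credentials(SAMPLE_CREDENTIALS, parse_ts("2025-03-06T00:00:00Z")):
        print("STALE CREDENTIAL", c["id"], c["owner"], "; ".join(c["reasons"]))
```

On the constructed data this flags the two off-hours, unticketed changes made by the `svc-backup` account (a new credential on a mailbox-reading service principal, then an addition to an admin role) and the one key that never expires and is past its rotation age, which is the kind of credential an actor abusing stolen keys would prefer. In practice the audit lines would come from the identity provider or cloud control-plane log export, and the change-ticket field would be joined from the change-management system rather than embedded in the event.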