China's Silk Typhoon, tied to US Treasury break-in, now hammers IT and govt targets
(2025/03/05)
- Reference: 1741195323
- News link: https://www.theregister.co.uk/2025/03/05/china_silk_typhoon_update/
- Source link:
Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
The timing of this campaign coincides with that break-in at the [1]US Treasury Department, during which Beijing's cyberspies stole data from workstations belonging to the Office of Foreign Assets Control (OFAC), which administers economic and trade sanctions, as well as the Office of the Treasury Secretary.
These intrusions were attributed to Silk Typhoon, according to a Bloomberg [2]report citing unnamed sources, and the Chinese snoops are believed to have gained access after [3]stealing a BeyondTrust digital key used for remote technical support.
And now it appears that the group's victims extend beyond that one federal agency.
"Since late 2024, Microsoft Threat Intelligence has conducted thorough research and tracked ongoing attacks performed by Silk Typhoon," Redmond [7]said Wednesday, noting that stolen API keys and credentials are Silk Typhoon's preferred means of breaking into victims' environments.
After slipping into organizations via compromised API keys, President Xi's agents snoop around and collect data on devices using an administrative account, specifically looking for information that "overlaps with China-based interests," such as US government policy, legal processes, and documents related to law enforcement investigations.
This espionage campaign also highlights Silk Typhoon's changing tactics, which now include targeting remote management tools and cloud applications to gain initial access, we're told.
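The two tactics the article attributes to Silk Typhoon, initial access with a stolen API key and data collection with an over-privileged account, leave a recognisable trace in cloud API audit logs. The following Python is an added example, not code from the article or from Microsoft: it baselines the source networks each API key normally calls from, then flags post-baseline calls from a network that key has never used, escalating when the call is an identity or data enumeration action. The log format, field names, key IDs, action names and baseline cutoff are all constructed for the example and do not follow any particular provider's schema.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: JSON-lines audit events from a hypothetical cloud API log.
# The field names (ts, key_id, action, src_ip) are assumptions for this example.
# key-alpha is normally used from 203.0.113.0/24; on 20 Dec it suddenly appears
# from 192.0.2.0/24 enumerating identities and storage, then reading objects.
SAMPLE_LOG = """\
{"ts": "2024-12-01T09:00:00Z", "key_id": "key-alpha", "action": "GetObject", "src_ip": "203.0.113.10"}
{"ts": "2024-12-02T09:05:00Z", "key_id": "key-alpha", "action": "PutObject", "src_ip": "203.0.113.11"}
{"ts": "2024-12-03T09:10:00Z", "key_id": "key-beta", "action": "DescribeInstances", "src_ip": "198.51.100.5"}
{"ts": "2024-12-20T02:13:00Z", "key_id": "key-alpha", "action": "ListUsers", "src_ip": "192.0.2.77"}
{"ts": "2024-12-20T02:14:00Z", "key_id": "key-alpha", "action": "ListBuckets", "src_ip": "192.0.2.77"}
{"ts": "2024-12-20T02:20:00Z", "key_id": "key-alpha", "action": "GetObject", "src_ip": "192.0.2.77"}
{"ts": "2024-12-21T10:00:00Z", "key_id": "key-beta", "action": "DescribeInstances", "src_ip": "198.51.100.6"}
"""

# Actions that enumerate identities or bulk-read data. An operator with a freshly
# stolen key typically starts with these. Illustrative names, not a vendor taxonomy.
COLLECTION_ACTIONS = {
    "ListUsers", "ListRoles", "ListBuckets", "ListSecrets",
    "GetSecretValue", "DescribeInstances",
}

# Everything before this timestamp is treated as known-good and used for the baseline.
BASELINE_END = datetime(2024, 12, 15, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime and the source /24."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        # Collapse the source address to its /24 so small DHCP churn inside one
        # office or VPN pool does not look like a new network.
        e["net"] = ipaddress.ip_network(f"{e['src_ip']}/24", strict=False)
        events.append(e)
    return events


def build_baseline(events, cutoff):
    """Map each key ID to the set of /24 networks it used before the cutoff."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            known[e["key_id"]].add(e["net"])
    return known


def detect(events, cutoff):
    """Flag post-cutoff calls from networks a key never used during the baseline.

    A key with no baseline history at all is treated as never seen, so every
    call it makes is from a "new" network.
    """
    known = build_baseline(events, cutoff)
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        new_net = e["net"] not in known[e["key_id"]]
        if not new_net:
            continue
        # New network plus enumeration of identities/data is the pattern the
        # article describes; a plain read from a new network is still worth a look.
        severity = "high" if e["action"] in COLLECTION_ACTIONS else "medium"
        findings.append({
            "key_id": e["key_id"],
            "action": e["action"],
            "src_ip": e["src_ip"],
            "ts": e["ts"].isoformat(),
            "severity": severity,
        })
    return findings


def run(text=SAMPLE_LOG, cutoff=BASELINE_END):
    """Convenience entry point: parse the sample log and return the findings."""
    return detect(parse_events(text), cutoff)


if __name__ == "__main__":
    for f in run():
        print(f"{f['severity']:6} {f['ts']} {f['key_id']} {f['action']} from {f['src_ip']}")
```

On the sample above, the three key-alpha calls from 192.0.2.77 are reported (two high, one medium) and key-beta's call from a second address inside its usual /24 is not. The check is deliberately coarse: a key abused from a network already in the baseline will not trigger it, so rotating any key that a vendor breach may have exposed remains the primary control, and in production the baseline should also include identity type and user agent rather than source network alone.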
Silk Typhoon is the team that Microsoft previously tracked as Hafnium. Prior to the Treasury snooping, it was probably best known for the 2021 Microsoft Exchange Server security breaches during which the spies exploited four zero-day vulnerabilities to get into the inboxes of US-based defense contractors, law firms, and infectious disease researchers, and steal their data.
More recently, in January, Silk Typhoon was observed exploiting [13]CVE-2025-0282, a zero-day vulnerability in the public-facing Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliance, according to Microsoft.
In 2024, Redmond's threat intel crew reported spotting Silk Typhoon exploiting [14]CVE-2023-3519, a zero-day vulnerability in Citrix NetScaler ADC and NetScaler Gateway, along with CVE-2024-3400, a zero-day in Palo Alto Networks PAN-OS firewalls, to compromise "multiple organizations." ®
[1] https://www.theregister.com/2025/01/02/chinese_spies_targeted_sanctions_intel/
[2] https://www.bnnbloomberg.ca/business/international/2025/01/08/white-house-rushes-to-finish-cyber-order-after-china-hacks/
[3] https://www.theregister.com/2024/12/31/us_treasury_department_hacked/
[7] https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
[13] https://www.theregister.com/2025/01/09/zeroday_exploits_ivanti/
[14] https://www.theregister.com/2023/08/17/citrix_mft_exploit/
Well, there is an easy fix...
IGotOut
...fire even more of the department tasked with stopping this
Of course, when the Chinese government does this sort of thing, it is a despicable action. When it is the NSA listening in on the German prime minister's mobile phone, that is something completely OK.