Article Details
Scrape Timestamp (UTC): 2025-03-05 17:25:02.576
Source: https://www.theregister.com/2025/03/05/china_silk_typhoon_update/
Original Article Text
China's Silk Typhoon, tied to US Treasury break-in, now hammers IT and govt targets

They're good at zero-day exploits, too.

Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.

The timing of this campaign coincides with the December break-ins at the US Treasury Department, during which Beijing-backed cyberspies stole data from workstations belonging to the Office of Foreign Assets Control (OFAC), which administers economic and trade sanctions, as well as the Office of the Treasury Secretary.

These intrusions were reportedly attributed to Silk Typhoon, according to a Bloomberg report citing unnamed sources, and the Chinese snoops are believed to have gained access after stealing a BeyondTrust digital key used for remote technical support. And now it appears that the group's victims extended beyond the federal government agency.

"Since late 2024, Microsoft Threat Intelligence has conducted thorough research and tracked ongoing attacks performed by Silk Typhoon," Redmond said on Wednesday, noting that stolen API keys and credentials are Silk Typhoon's preferred means of breaking into victims' environments.

After breaking in via the compromised API keys, the Beijing-backed cyberspies snoop around and collect data on devices using an administrative account, specifically looking for information that "overlaps with China-based interests," such as US government policy, legal processes, and documents related to law enforcement investigations.

This espionage campaign also highlights Silk Typhoon's changing tactics, which now include targeting remote management tools and cloud applications to gain initial access, we're told.

Silk Typhoon is the group that Microsoft previously tracked as Hafnium.
Prior to the Treasury hacks, it was probably best known for the 2021 Microsoft Exchange Server breaches, during which the miscreants exploited four zero-day vulnerabilities to steal data from US-based defense contractors, law firms, and infectious disease researchers.

More recently, in January, Silk Typhoon was also observed exploiting CVE-2025-0282, a zero-day vulnerability in the public-facing Ivanti Pulse Connect VPN, according to Microsoft.

In 2024, Redmond's threat intel crew reported spotting Silk Typhoon exploiting CVE-2023-3519, a zero-day vulnerability in Citrix NetScaler ADC and NetScaler Gateway, along with CVE-2024-3400, a zero-day in Palo Alto Networks firewalls, to compromise "multiple organizations."
Daily Brief Summary
Silk Typhoon, linked to the Chinese government, continues aggressive cyber-espionage, targeting IT firms and government agencies since late 2024.
The group's activities include exploiting zero-day vulnerabilities and leveraging stolen API keys and cloud credentials for unauthorized access.
These tactics were notably used during the December US Treasury break-in, with data theft from the Office of Foreign Assets Control and the Treasury Secretary's Office.
Microsoft Threat Intelligence has observed Silk Typhoon exploiting multiple zero-day vulnerabilities across various technology platforms, including Microsoft Exchange Server and public-facing VPNs.
Silk Typhoon's primary interests lie in collecting sensitive US data that aligns with China's geopolitical and economic interests, such as government policies and legal documents.
The group, previously known as Hafnium, has evolved its methods, increasingly targeting remote management tools and cloud applications.
The campaign's revelation highlights the ongoing threat posed by nation-state actors in cyberspace and the need for robust cybersecurity defenses and threat intelligence.