
China-Backed Hackers Behind US Treasury Breach Now Targeting Global IT Supply Chains

A dangerous new chapter has opened in the ongoing cyber-espionage campaigns carried out by Silk Typhoon, a Chinese government-backed hacking group recently linked to the US Treasury Department breach. Microsoft’s threat intelligence team has issued a stark warning, revealing that Silk Typhoon is now actively exploiting the global IT supply chain to infiltrate businesses, conduct surveillance, and steal sensitive data.

This latest activity marks a concerning shift in Silk Typhoon’s tactics. Rather than directly attacking well-defended cloud platforms, the group is turning its attention to IT services providers, remote monitoring and management (RMM) vendors, and managed service providers (MSPs)—the very companies responsible for securing and maintaining corporate networks worldwide, and whose privileged access to customer environments makes a single compromise worth many.

How Silk Typhoon Infiltrates Through the IT Supply Chain

Microsoft’s researchers uncovered that Silk Typhoon is using stolen API keys, compromised credentials, and privileged access to silently breach IT companies. Once inside, the attackers can extend their reach into downstream customer environments, putting countless organizations at risk.

These attacks are more than just opportunistic. Silk Typhoon demonstrates a high-level understanding of hybrid environments, skillfully moving between on-premises infrastructure and cloud services. Microsoft observed the group abusing legitimate identity infrastructure such as Entra Connect (formerly AADConnect), the component that synchronizes on-premises Active Directory with the cloud tenant, to escalate privileges and maintain long-term access.

Through these entry points, Silk Typhoon conducts:

  • Extensive reconnaissance to map out internal systems
  • Lateral movement across networks
  • Data exfiltration from emails, file shares, and cloud storage
  • Persistent access using web shells and OAuth applications

No One Is Safe Without Strong Defenses

Microsoft warns that even organizations that aren’t direct targets could become collateral damage through their IT providers. If your business relies on shared IT services, weak credential management, or outdated software, you may already be vulnerable.

Historically, Silk Typhoon has successfully breached a wide range of products, including Microsoft Exchange servers, VPN appliances, and firewalls. The group was behind the US Treasury Department breach, where it spied on offices handling foreign investments and sanctions after exploiting a zero-day vulnerability in BeyondTrust’s remote support software, an attack chain that also relied on a flaw in PostgreSQL.

Advanced Tactics Used by Silk Typhoon

Silk Typhoon’s recent campaigns highlight their growing sophistication. According to Microsoft, the group has been observed using:

  • Password spray attacks (a few common passwords tried against many accounts, staying under lockout thresholds) alongside reconnaissance for corporate credentials leaked in public repositories such as GitHub
  • Compromised OAuth applications holding high-level permissions, used to steal emails, OneDrive files, and SharePoint data through the Microsoft Graph API
  • Multi-tenant application compromises, allowing them to pivot across cloud environments and access sensitive resources in other organizations that trust the same application
  • Exchange Web Services (EWS) API abuse to exfiltrate email communications

What makes these attacks especially dangerous is Silk Typhoon’s ability to hijack applications that already hold user or admin consent: no new consent prompt is triggered, and the resulting Graph and EWS traffic looks like the application’s normal activity in sign-in and audit logs.
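The abuse of consented OAuth applications, multi-tenant apps, and EWS permissions described above is also what a defender can audit for. The following is an added example, not code from the article or from Microsoft, that reviews a constructed export of service principals and flags the patterns just described: permissions that grant mailbox, file, or directory access (including the EWS full_access_as_app role), tenant-wide admin consent, and applications whose home tenant is not our own. The export format, tenant IDs, and application names are constructed assumptions shaped loosely after Microsoft Graph’s servicePrincipals, oauth2PermissionGrants, and appRoleAssignments objects.

```python
"""Audit Entra ID service principals for over-privileged or foreign OAuth apps.

Added example; the export shape below is a constructed, simplified stand-in
for what you would pull from Microsoft Graph (servicePrincipals joined with
their oauth2PermissionGrants and appRoleAssignments).
"""
import json

# Permissions that, granted to an unfamiliar app, warrant review: these are the
# scopes that let an app read or move mail, files and SharePoint content, or
# rewrite the directory. The EWS entries cover the Exchange Web Services route.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Read.All", "Mail.ReadWrite.All",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "full_access_as_app",      # EWS application permission (Office 365 Exchange Online)
    "EWS.AccessAsUser.All",    # EWS delegated permission
}

# Constructed tenant IDs: our own tenant and an unrelated foreign one.
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT_ID = "99999999-9999-9999-9999-999999999999"

# Constructed export of three service principals.
SAMPLE_EXPORT = json.loads(f"""
[
  {{"displayName": "Contoso HR Portal",
    "appId": "aaaaaaaa-0000-0000-0000-000000000001",
    "appOwnerOrganizationId": "{HOME_TENANT_ID}",
    "delegatedGrants": [{{"consentType": "Principal", "principalId": "user-0001",
                          "scope": "User.Read openid profile"}}],
    "appRoleAssignments": []}},
  {{"displayName": "Backup Sync Helper",
    "appId": "bbbbbbbb-0000-0000-0000-000000000002",
    "appOwnerOrganizationId": "{FOREIGN_TENANT_ID}",
    "delegatedGrants": [{{"consentType": "AllPrincipals", "principalId": null,
                          "scope": "Mail.ReadWrite Files.Read.All offline_access"}}],
    "appRoleAssignments": [{{"resourceDisplayName": "Microsoft Graph",
                             "appRoleValue": "Sites.Read.All"}}]}},
  {{"displayName": "Legacy Mail Connector",
    "appId": "cccccccc-0000-0000-0000-000000000003",
    "appOwnerOrganizationId": "{HOME_TENANT_ID}",
    "delegatedGrants": [],
    "appRoleAssignments": [{{"resourceDisplayName": "Office 365 Exchange Online",
                             "appRoleValue": "full_access_as_app"}}]}}
]
""")


def audit_service_principals(export, trusted_tenants):
    """Return one finding per risky service principal.

    Each finding is {"displayName", "appId", "reasons": [...]}. Apps with no
    reasons are omitted. `trusted_tenants` should contain your own tenant and
    any vendor tenants you have deliberately approved (Microsoft's first-party
    apps are homed in a Microsoft tenant and would otherwise be flagged).
    """
    findings = []
    for sp in export:
        reasons = []

        owner = sp.get("appOwnerOrganizationId")
        if owner is not None and owner not in trusted_tenants:
            reasons.append(f"multi-tenant app homed in foreign tenant {owner}")

        for grant in sp.get("delegatedGrants", []):
            scopes = set(grant.get("scope", "").split())
            if grant.get("consentType") == "AllPrincipals":
                reasons.append("tenant-wide delegated consent: " + " ".join(sorted(scopes)))
            risky = sorted(scopes & HIGH_RISK_PERMISSIONS)
            if risky:
                reasons.append("high-risk delegated scopes: " + " ".join(risky))

        roles = {a["appRoleValue"] for a in sp.get("appRoleAssignments", [])}
        risky_roles = sorted(roles & HIGH_RISK_PERMISSIONS)
        if risky_roles:
            reasons.append("high-risk application permissions: " + " ".join(risky_roles))

        if reasons:
            findings.append({"displayName": sp["displayName"],
                             "appId": sp["appId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_service_principals(SAMPLE_EXPORT, {HOME_TENANT_ID}):
        print(finding["displayName"], finding["appId"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed export, the HR portal (delegated User.Read for one user, homed in our tenant) produces nothing, while the foreign "Backup Sync Helper" is flagged four times over and the "Legacy Mail Connector" is flagged for its EWS full_access_as_app role. A real audit would feed this from a Graph export and then check the flagged apps’ sign-in and audit logs for the Graph or EWS activity the article describes.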

The Growing Threat of Silk Typhoon

Microsoft describes Silk Typhoon as one of the most expansive Chinese threat groups in the world. With strong backing and the resources to exploit zero-day vulnerabilities quickly, they pose a significant threat across sectors, including state and local governments, financial institutions, and IT services providers.

How to Protect Your Organization

In light of these developments, Microsoft urges organizations to:

  • Audit API keys and OAuth applications to ensure no suspicious or over-privileged access, paying particular attention to tenant-wide consent and multi-tenant apps
  • Enforce strong credential hygiene, including multi-factor authentication (MFA) and rotation of any credentials that may have been exposed, for instance in public code repositories
  • Patch all systems promptly, especially public-facing software commonly targeted by advanced persistent threats (APTs)
  • Monitor for unusual access patterns, particularly involving service accounts, cloud applications, and sign-in failures spread across many accounts
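The password spraying Microsoft attributes to Silk Typhoon has a recognisable shape in sign-in logs: one source tries a few passwords against many accounts, so each account stays under its lockout threshold while the source accumulates failures across the tenant. The following is an added example, not code from the article or from Microsoft, that applies that logic to constructed sign-in records shaped after Entra ID sign-in log fields (userPrincipalName, ipAddress, createdDateTime, status.errorCode). The error codes, thresholds, and sample addresses are assumptions; the thresholds in particular should be tuned to your environment.

```python
"""Detect password-spray activity in Entra ID sign-in records.

Added example. The records below are constructed; the field names mirror the
sign-in log schema but the thresholds and addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Sign-in error codes typical of guessing: 50126 = invalid username or password,
# 50034 = user account not found (spraying a list of guessed names).
SPRAY_ERROR_CODES = {50126, 50034}

BASE_TIME = datetime(2025, 3, 5, 9, 0, tzinfo=timezone.utc)  # constructed


def _record(minute, upn, ip, error_code):
    """Build one constructed sign-in record `minute` minutes after BASE_TIME."""
    return {"createdDateTime": (BASE_TIME + timedelta(minutes=minute)).isoformat(),
            "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": error_code}}


SAMPLE_SIGNINS = (
    # Spray: one source, 12 distinct accounts, one guess each, inside 22 minutes.
    [_record(2 * i, f"user{i:02d}@contoso.example", "203.0.113.7", 50126) for i in range(12)]
    # Brute force: one source hammering a single service account (not a spray).
    + [_record(i, "svc-backup@contoso.example", "198.51.100.5", 50126) for i in range(30)]
    # Normal noise: a user mistypes a password once, then signs in successfully.
    + [_record(5, "alice@contoso.example", "192.0.2.10", 50126),
       _record(6, "alice@contoso.example", "192.0.2.10", 0)]
)


def detect_password_spray(records, window=timedelta(minutes=60),
                          min_users=8, max_attempts_per_user=3):
    """Return one finding per source IP that shows a spray pattern.

    A source is flagged when, within `window`, it produces failed sign-ins for
    at least `min_users` distinct accounts while no single account sees more
    than `max_attempts_per_user` failures from it. The second condition is
    what separates a spray from a brute force against one account.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, upn), ...]
    for rec in records:
        if rec["status"]["errorCode"] in SPRAY_ERROR_CODES:
            ts = datetime.fromisoformat(rec["createdDateTime"])
            failures[rec["ipAddress"]].append((ts, rec["userPrincipalName"]))

    findings = []
    for ip, events in failures.items():
        events.sort()
        # Slide the window forward from each failure in turn.
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for _, upn in in_window:
                per_user[upn] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                findings.append({"ipAddress": ip,
                                 "distinctUsers": len(per_user),
                                 "attempts": len(in_window),
                                 "windowStart": start.isoformat(),
                                 "windowEnd": in_window[-1][0].isoformat()})
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f"{f['ipAddress']}: {f['distinctUsers']} accounts, {f['attempts']} failures "
              f"between {f['windowStart']} and {f['windowEnd']}")
```

On the constructed data only 203.0.113.7 is flagged: the brute-force source fails the per-account ceiling (and hits only one account), and the lone mistyped password never reaches the user threshold. Spray sources that rotate IPs per attempt defeat a per-IP grouping, so in practice the same logic is also worth running keyed on user-agent, ASN, or the tenant as a whole.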

The targeting of IT supply chains proves that cyber-espionage is no longer just a risk for high-profile government entities. Today, every organization that depends on shared infrastructure or third-party providers must treat itself as a potential target.

Cybersecurity vigilance is no longer optional—it's the only defense against adversaries like Silk Typhoon who are always one step away from your most sensitive data.
