How Silk Typhoon Exploits IT Supply Chains and What You Can Do

Silk Typhoon is a China-linked advanced persistent threat (APT) group that has escalated its cyber operations, now actively targeting IT supply chains. Reports from Microsoft, Bleeping Computer, and Dark Reading highlight a surge in attacks exploiting third-party dependencies, software vendors, and cloud infrastructure providers.
These attacks mark a significant shift in Silk Typhoon's tactics. Instead of targeting enterprises directly, the group infiltrates trusted third-party vendors and uses supply chain weaknesses to gain stealthy, long-term access to critical enterprise systems. This lets it bypass traditional security controls, escalate privileges, maintain persistence, and exfiltrate sensitive data from many victims at once.
Attackers are breaching organizations through their SaaS integrations, APIs, and non-human identities (NHIs). To counter this, security teams must move from isolated, product-by-product security controls to an ecosystem-wide security approach.
Silk Typhoon’s attack methods: Exploiting the IT supply chain
Microsoft's latest research indicates that Silk Typhoon has compromised a wide range of sectors and geographic regions by exploiting zero-day vulnerabilities in edge devices or abusing stolen credentials for widely used software such as privileged access management (PAM) solutions, remote monitoring and management (RMM) tools, and other IT services. These compromises gave the group an initial foothold in the targeted provider, from which it pivoted to that provider's downstream customers.
After the initial compromise, the group moves laterally across interconnected SaaS applications and cloud environments by leveraging already-trusted NHIs such as service principals and OAuth applications with administrative privileges, exfiltrates sensitive data, and clears the audit logs of the actions it performed, all while remaining undetected for extended periods.
This attack strategy highlights how compromised pre-trusted third-party applications could lead to infiltration of enterprise environments with stealth, enabling long-term espionage and data exfiltration.
Who Silk Typhoon is targeting
Silk Typhoon is focusing on:
IT service providers & MSPs – Compromising MSPs grants access to multiple downstream clients.
Enterprise SaaS vendors – Manipulating software integrations and authentication mechanisms.
Cloud infrastructure providers – Exploiting misconfigurations in cloud-based environments.
Government contractors & critical infrastructure – Conducting long-term espionage operations.
How Silk Typhoon is attacking the supply chain
Silk Typhoon has shifted tactics to focus on MSP-level intrusions, which let it move through cloud environments stealthily. By breaching managed service providers, the group gains access to directory synchronization credentials (Microsoft Entra Connect, formerly Azure AD Connect or AADConnect, which bridges on-premises Active Directory and Entra ID) and abuses OAuth applications to maintain persistence.
1. Supply chain compromise and zero-day exploits
Since late 2024, Silk Typhoon has been abusing stolen API keys and credentials from privileged access management (PAM) solutions, cloud application providers, and cloud data management companies. It has also been observed exploiting zero-day vulnerabilities, including a critical flaw in Ivanti Connect Secure VPN (formerly Pulse Connect Secure), CVE-2025-0282, to gain initial access to high-value targets. With these footholds the group reaches the providers' downstream customer environments, where it conducts reconnaissance, resets admin accounts, and implants web shells to maintain persistence. Microsoft has observed it using stolen API keys to access multiple customer tenants, perform reconnaissance, and exfiltrate sensitive data. Its activity has primarily targeted the IT sector and state and local governments.
2. Exploiting API credentials and privileged access
Silk Typhoon scans public repositories such as GitHub for leaked authentication keys and credentials. It conducts password spray attacks and steals privileged access credentials to infiltrate IT providers, identity management solutions, and cloud environments. Once inside, the group resets default admin accounts, implants web shells, and creates additional user accounts to maintain persistence, covering its tracks by clearing logs. OAuth tokens are then abused to keep long-term access and move laterally across interconnected SaaS applications without triggering traditional security alerts.
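Two of the behaviours described in this section leave clear traces in ordinary telemetry: a password spray shows up as one source address failing sign-ins against many different accounts in a short window, and the "reset the admin, add an account, clear the logs" sequence shows up as Windows Security events 4724 (password reset) and 4720 (account created) followed shortly by 1102 (audit log cleared). The following detector is an added example written for this article, not code from Vorlon or from Microsoft's report; the sign-in records and Windows events it runs over are constructed sample data, and the field names, thresholds and windows are assumptions you would tune to your own log schema.

```python
"""Detect a password spray and a persistence-then-log-clear sequence in
constructed sample telemetry (not real logs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, reduced to the fields the detector needs.
SIGNINS = [
    {"time": "2025-01-15T08:00:00", "ip": "203.0.113.10", "user": "alice", "status": "failure"},
    {"time": "2025-01-15T08:01:00", "ip": "203.0.113.10", "user": "bob",   "status": "failure"},
    {"time": "2025-01-15T08:02:00", "ip": "203.0.113.10", "user": "carol", "status": "failure"},
    {"time": "2025-01-15T08:03:00", "ip": "203.0.113.10", "user": "dave",  "status": "failure"},
    {"time": "2025-01-15T08:04:00", "ip": "203.0.113.10", "user": "erin",  "status": "failure"},
    {"time": "2025-01-15T08:05:00", "ip": "203.0.113.10", "user": "frank", "status": "failure"},
    {"time": "2025-01-15T08:07:00", "ip": "203.0.113.10", "user": "grace", "status": "success"},
    # one user mistyping a password from a normal address: not a spray
    {"time": "2025-01-15T09:00:00", "ip": "198.51.100.7", "user": "alice", "status": "failure"},
    {"time": "2025-01-15T09:01:00", "ip": "198.51.100.7", "user": "alice", "status": "failure"},
    {"time": "2025-01-15T09:02:00", "ip": "198.51.100.7", "user": "alice", "status": "success"},
]

# Constructed Windows Security events: subject = who acted, target = account acted on.
WIN_EVENTS = [
    {"time": "2025-01-15T01:00:00", "host": "FS01", "id": 4724, "subject": "svc_rmm",   "target": "Administrator"},
    {"time": "2025-01-15T01:05:00", "host": "FS01", "id": 4720, "subject": "svc_rmm",   "target": "backupadm"},
    {"time": "2025-01-15T02:10:00", "host": "FS01", "id": 1102, "subject": "backupadm", "target": None},
    # an account creation and a log clear six hours apart: outside the window
    {"time": "2025-01-15T09:00:00", "host": "WS22", "id": 4720, "subject": "helpdesk",  "target": "jsmith"},
    {"time": "2025-01-15T15:00:00", "host": "WS22", "id": 1102, "subject": "SYSTEM",    "target": None},
]


def _t(s):
    return datetime.fromisoformat(s)


def detect_password_spray(signins, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs whose failed sign-ins hit >= min_accounts distinct users
    inside any sliding `window`.  Returns {ip: {"sprayed": [...], "successes": [...]}}
    so the analyst also sees which accounts the same source later got into."""
    failures, successes = defaultdict(list), defaultdict(list)
    for s in signins:
        bucket = failures if s["status"] == "failure" else successes
        bucket[s["ip"]].append((_t(s["time"]), s["user"]))
    hits = {}
    for ip, evs in failures.items():
        evs.sort()
        start, spray = 0, False
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window start forward
                start += 1
            if len({u for _, u in evs[start:end + 1]}) >= min_accounts:
                spray = True
                break
        if spray:
            hits[ip] = {"sprayed": sorted({u for _, u in evs}),
                        "successes": sorted(u for _, u in successes.get(ip, []))}
    return hits


def detect_persistence_then_log_clear(events, window=timedelta(hours=2)):
    """Hosts where an account creation (4720) or password reset (4724) is
    followed within `window` by the Security log being cleared (1102)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        setup = [e for e in evs if e["id"] in (4720, 4724)]
        for clear in (e for e in evs if e["id"] == 1102):
            t_clear = _t(clear["time"])
            prior = [e for e in setup if timedelta(0) <= t_clear - _t(e["time"]) <= window]
            if prior:
                findings.append({"host": host, "cleared_by": clear["subject"],
                                 "prior": [(e["id"], e["target"]) for e in prior]})
    return findings


if __name__ == "__main__":
    print(detect_password_spray(SIGNINS))
    print(detect_persistence_then_log_clear(WIN_EVENTS))
```

On the sample data the spray detector reports 203.0.113.10 with six sprayed accounts and one success (grace), which is the account to investigate first; the second detector flags FS01, where the freshly created backupadm account cleared the log, and stays quiet on WS22. In production, feed the first function your identity provider's sign-in log and the second your forwarded Windows events, and treat a 1102 from any account that was created or reset in the same window as a high-priority alert rather than routine maintenance.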
3. Abusing non-human identities (NHI), OAuth applications, and Entra ID (Azure AD) persistence
Silk Typhoon exploits machine accounts, service accounts, and automation tooling to maintain persistent access to enterprise environments. It abuses OAuth applications and service principals to escalate privileges, maintain persistence, and reach cloud-hosted email, OneDrive, and SharePoint. The group has been observed creating malicious Entra ID (formerly Azure AD) applications disguised as legitimate services, which let it exfiltrate data and move laterally across tenants, and compromising multi-tenant applications and modifying existing Entra ID applications to keep persistence and exfiltrate data through Microsoft Graph and Exchange Web Services (EWS).
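The practical defence against this tactic is to know which service principals in your tenant hold app-only (application) permissions that reach mail and files through Graph or EWS, which of those are published by another tenant, and which recently acquired a new credential, since a freshly added secret or certificate on an existing app is how a modified application is reused. The review below is an added example written for this article, not Vorlon's product logic or anything from Microsoft's report. It runs over a constructed inventory shaped like the data you would assemble from Graph's servicePrincipals and appRoleAssignments endpoints, with the appRoleId GUIDs already resolved to permission names; the tenant ID, the fixed clock, the permission lists and the 30-day credential window are assumptions.

```python
"""Flag service principals that match the OAuth-abuse pattern described
above, over a constructed inventory (not real Graph output)."""
from datetime import datetime, timedelta, timezone

OUR_TENANT = "11111111-1111-1111-1111-111111111111"   # assumed home tenant id
NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)       # fixed clock for a deterministic run

# App-only permissions that grant tenant-wide access to mail, files and sites
# (the data the group is reported to collect via Graph and EWS).
BROAD_DATA = {
    ("Microsoft Graph", "Mail.Read"), ("Microsoft Graph", "Mail.ReadWrite"),
    ("Microsoft Graph", "Files.Read.All"), ("Microsoft Graph", "Files.ReadWrite.All"),
    ("Microsoft Graph", "Sites.Read.All"), ("Microsoft Graph", "Sites.ReadWrite.All"),
    ("Office 365 Exchange Online", "full_access_as_app"),   # EWS access to every mailbox
}
# App-only permissions that let an app change the directory or other apps,
# i.e. grant itself or a second app more access.
DIRECTORY_CONTROL = {
    ("Microsoft Graph", "Directory.ReadWrite.All"),
    ("Microsoft Graph", "Application.ReadWrite.All"),
    ("Microsoft Graph", "AppRoleAssignment.ReadWrite.All"),
    ("Microsoft Graph", "RoleManagement.ReadWrite.Directory"),
}

# Constructed inventory; appOwnerOrganizationId is the tenant that publishes the app.
INVENTORY = [
    {"displayName": "Contoso Backup Connector",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "signInAudience": "AzureADMultipleOrgs",
     "appRoles": [("Microsoft Graph", "Mail.Read"), ("Microsoft Graph", "Sites.Read.All")],
     "credentials": [{"type": "password", "startDateTime": "2025-03-08T12:00:00Z"}]},
    {"displayName": "HR Sync",
     "appOwnerOrganizationId": OUR_TENANT, "signInAudience": "AzureADMyOrg",
     "appRoles": [("Microsoft Graph", "Directory.ReadWrite.All")],
     "credentials": [{"type": "key", "startDateTime": "2024-01-10T00:00:00Z"}]},
    {"displayName": "Legacy Mail Archiver",
     "appOwnerOrganizationId": OUR_TENANT, "signInAudience": "AzureADMyOrg",
     "appRoles": [("Office 365 Exchange Online", "full_access_as_app")],
     "credentials": [{"type": "password", "startDateTime": "2023-06-01T00:00:00Z"}]},
    {"displayName": "Teams Bot",   # delegated User.Read only: nothing to flag
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "signInAudience": "AzureADMultipleOrgs", "appRoles": [],
     "credentials": [{"type": "password", "startDateTime": "2024-05-01T00:00:00Z"}]},
]


def review_service_principals(inventory, our_tenant=OUR_TENANT, now=NOW, new_cred_days=30):
    """Return {displayName: [(severity, reason), ...]} for principals that need review."""
    findings = {}
    for sp in inventory:
        f = []
        roles = {tuple(r) for r in sp.get("appRoles", [])}
        data = sorted(v for r, v in roles if (r, v) in BROAD_DATA)
        ctrl = sorted(v for r, v in roles if (r, v) in DIRECTORY_CONTROL)
        third_party = sp.get("appOwnerOrganizationId") != our_tenant
        if data:
            f.append(("high", "app-only access to tenant data: " + ", ".join(data)))
        if ctrl:
            f.append(("critical", "can change directory or app configuration: " + ", ".join(ctrl)))
        if third_party and (data or ctrl):
            f.append(("high", "published by another tenant yet holds these permissions"))
        for c in sp.get("credentials", []):
            added = datetime.fromisoformat(c["startDateTime"].replace("Z", "+00:00"))
            age = now - added
            if age <= timedelta(days=new_cred_days):
                f.append(("medium", f"{c['type']} credential added {age.days} day(s) ago"))
        if f:
            findings[sp["displayName"]] = f
    return findings


if __name__ == "__main__":
    for name, reasons in review_service_principals(INVENTORY).items():
        print(name)
        for sev, why in reasons:
            print(f"  [{sev}] {why}")
```

Contoso Backup Connector collects three findings (broad data access, third-party publisher, credential added two days ago) and is exactly the profile to take to the vendor before trusting it again; HR Sync is flagged only for its directory-write permission, and Legacy Mail Archiver for EWS full_access_as_app, the permission that grants every mailbox. Two caveats for real use: Microsoft's own first-party apps are published from Microsoft's tenant and should be allow-listed rather than reported as third-party, and a credential's start date tells you when it was issued, not who issued it, so pair this check with the "Add service principal credentials" entries in the Entra audit log.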
How Vorlon secures against supply chain threats
Vorlon introduces an industry-first approach to SaaS ecosystem security, ensuring that attackers can’t hide within interconnected SaaS platforms. Unlike legacy solutions focused on static configurations, Vorlon provides real-time monitoring of API activity and SaaS interactions.
1. Detection and response for your connected SaaS ecosystem
Vorlon continuously maps and monitors your SaaS integrations, detecting unauthorized connections and revoking compromised third-party access before an attack spreads.
2. Non-human identity and OAuth security
Vorlon’s NHI monitoring identifies suspicious OAuth token usage, compromised API keys, and excessive permissions granted to machine accounts, stopping attackers before they can exploit these access points.
3. Real-time breach detection and automated response
Unlike traditional security solutions, Vorlon detects and automatically responds to anomalies, such as:
- OAuth token refreshes from unusual locations
- Unauthorized API requests accessing sensitive data
- New SaaS-to-SaaS connections forming without IT oversight
Final thoughts
Silk Typhoon's latest campaign underscores the urgency of securing the entire SaaS ecosystem. Attackers are no longer limited to individual endpoints; they are weaponizing the IT supply chain to move laterally across interconnected environments.
Security teams must move beyond traditional tools and adopt a SaaS ecosystem security approach that detects and responds to third-party threats in real time.
About the Author
Anil Agrawal
Security Researcher at Vorlon
Anil Agrawal is a security researcher at Vorlon specializing in SOC optimization and has over eight years of experience in cybersecurity. Before joining Vorlon, he served as a Solutions Architect at Palo Alto Networks, where he designed advanced automation solutions and cybersecurity strategies for Fortune 500 clients. His career includes technical roles at Syracuse University, where he streamlined incident response processes and conducted malware analysis. Anil holds a Master’s degree in Management Information Systems from Syracuse University with a specialization in Information Security Management. Passionate about mitigating third-party application risks, he focuses on pioneering R&D to address evolving cybersecurity challenges. Connect with Anil on LinkedIn to explore collaborations in security innovation and stay updated on his latest contributions.