Chinese Silk Typhoon Hackers Targeting Multiple Industries in North America

Silk Typhoon was seen exploiting n-day and zero-day vulnerabilities for initial access to victim systems.

Chinese state-sponsored hacking group Silk Typhoon has been intensifying its attacks against entities in North America, CrowdStrike says.

The APT, which has been blamed for the 2024 US Treasury hack, was seen attacking high-profile targets within the government, technology, academic, legal, and professional services sectors, for intelligence gathering.

CrowdStrike, which tracks the group as Murky Panda, observed the hackers rapidly weaponizing n-day and zero-day vulnerabilities for initial access to victims’ environments. They also appear to have compromised SOHO routers in order to use them as attack infrastructure.

“The adversary has leveraged trusted-relationship compromises in the cloud and demonstrated a high level of operations security (OPSEC), including modifying timestamps and deleting indicators of their presence in victim environments to avoid detection and hinder attribution efforts,” CrowdStrike notes.

Silk Typhoon was seen targeting Citrix NetScaler ADC and NetScaler Gateway instances affected by CVE-2023-3519, CrowdStrike reports.

The hackers have relied on RDP, web shells and, occasionally, malware such as CloudedHope for lateral movement and persistence. Written in Golang, CloudedHope provides basic remote access tool (RAT) functionality.

They frequently access the victims’ cloud environments, likely for information harvesting, and were seen compromising service providers to access downstream customers’ environments, including email inboxes.

“In at least two cases analyzed by CrowdStrike, Murky Panda exploited zero-day vulnerabilities to achieve initial access to software-as-a-service (SaaS) providers’ cloud environments. Following the compromise, Murky Panda determined the compromised SaaS cloud environments’ logic, enabling them to leverage their access to that software to move laterally to downstream customers,” CrowdStrike explains.

Silk Typhoon, CrowdStrike says, targets rarely monitored access vectors to evade defenses, shows knowledge of niche Entra ID concepts, and focuses on sanitizing logs on victim systems.

“Organizations that rely heavily on cloud environments are innately vulnerable to trusted-relationship compromises in the cloud. China-nexus adversaries such as Murky Panda continue to leverage sophisticated tradecraft to facilitate their espionage operations, targeting numerous sectors globally,” CrowdStrike notes.

*Updated to remove mentions of Commvault zero-day exploitation, after CrowdStrike updated their report.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.