From CISO Marketplace, the hub for security professionals

Silk Typhoon

Threat Intelligence

Definition

A Chinese state-sponsored APT group (formerly tracked as Hafnium) responsible for the late 2024 compromise of the US Treasury Department through the cloud-hosted remote support service of a third-party vendor (BeyondTrust), as well as for the 2021 mass exploitation of Microsoft Exchange Server (ProxyLogon) and ongoing targeting of government email systems and foreign policy institutions.

Technical Details

Silk Typhoon, previously tracked by Microsoft as Hafnium, is assessed to be a state-sponsored cyber espionage actor operating from China and is widely linked to the Ministry of State Security (MSS). The group gained notoriety in March 2021 when it was attributed to the mass exploitation of Microsoft Exchange Server zero-days (the ProxyLogon chain: the pre-authentication SSRF CVE-2021-26855 chained with related CVEs for code execution), which compromised tens of thousands of organizations worldwide before patches were widely applied. Microsoft renamed the group Silk Typhoon in April 2023 as part of its weather-themed threat actor naming taxonomy.

In late 2024, Silk Typhoon conducted one of the most significant intrusions into US government systems in years. The group obtained an API key for BeyondTrust's cloud-hosted Remote Support service, which the US Treasury Department used to support its workstations. Because that key authenticated directly to the service, the attackers did not need to defeat any user-facing authentication: they used it to override the service's security controls, reset the passwords of local application accounts, and remotely access unclassified Treasury workstations and the documents on them. BeyondTrust detected the anomalous activity in early December 2024; the Treasury reported the intrusion to Congress at the end of that month, classified it as a 'major cybersecurity incident', and attributed it to a Chinese state-sponsored actor. The Office of Foreign Assets Control (OFAC) and the Office of the Treasury Secretary were among the areas reported to have been accessed.

The attack methodology is a textbook supply chain approach: rather than attacking the Treasury directly, a high-security target, the group compromised a trusted third-party vendor whose software already held privileged access to Treasury systems. This technique of 'island hopping' through trusted service providers has become a hallmark of nation-state intrusion campaigns. Because the API key let the attackers initiate what looked like legitimate remote support sessions, the activity was hard to distinguish from authorized vendor access, which is exactly why the intrusion was first noticed by the vendor rather than by the victim.
Silk Typhoon has also been linked to targeting of think tanks, research universities with government contracts, defense industrial base contractors, and law firms specializing in international trade and policy — targets that collectively provide insight into US policy deliberations and negotiations.

Practical Usage

The Treasury compromise via BeyondTrust illustrates the critical importance of third-party risk management, particularly for vendors that hold privileged access to sensitive systems. Security teams should inventory every vendor that holds API keys, OAuth tokens, or remote access credentials to their environments and verify that those vendors implement controls at least as rigorous as the organization's own. Vendors providing remote support or privileged access management tools represent the highest-risk category and warrant continuous monitoring of their access patterns. The BeyondTrust case also shows that a vendor-side API key is a full credential into the customer environment: such keys should be treated like privileged passwords (scoped to the minimum operations needed, rotated, restricted to known source addresses where the product supports it, and logged on every use), and a support session that no employee opened a ticket for should be an alert, not an assumption of vendor maintenance.

For government contractors and organizations that may be Silk Typhoon targets, the group's focus on email systems and document repositories means that data loss prevention (DLP) controls on email and file sharing platforms are critical. Bulk mailbox access through APIs, unusual attachment downloads, and the creation of mail forwarding or redirect rules are key detection signals. Exchange Online audit logs, in particular the MailItemsAccessed and inbox-rule events in the unified audit log, record which identity and which application touched a mailbox and can reveal unauthorized access even when the credentials used were valid. They only help if mailbox auditing is enabled, the records are retained long enough to investigate, and someone actually queries them; Exchange also throttles MailItemsAccessed records after a burst of reads, so the absence of records is not proof of absence of access.

The group's evolution from exploiting on-premises Exchange servers (ProxyLogon) to abusing a cloud-hosted PAM vendor reflects a broader trend: as organizations migrate to cloud, sophisticated APTs pivot to attacking the identity and access management layer rather than the underlying infrastructure. This reinforces the importance of treating identity as the new perimeter, monitoring OAuth token usage, API key activity, and service account behavior with the same rigor as traditional network perimeter monitoring.
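The detection signals above, turned into code. This is an added example, not code from the page or from Microsoft: it runs three detections over Exchange Online unified audit log records in JSON-lines form (as exported by Search-UnifiedAuditLog or forwarded to a SIEM). Field names follow the real Exchange audit schema (Operation, UserId, Parameters, ClientAppId, OperationProperties, Folders/FolderItems); every record, domain, app id and threshold below is constructed for the example. The three rules are: an inbox rule or mailbox setting forwarding to an external domain, a Sync (whole-folder download) by an application not on the allow list or more than a threshold of Bind reads by one (user, app) pair inside a sliding window, and a throttled MailItemsAccessed record, which is itself the signal that Exchange stopped logging a burst of reads.

```python
"""Added example: SIEM-side detections for Silk Typhoon-style mailbox collection.
All sample records, domains, app ids and thresholds are constructed (assumptions)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions, not from the page: tenant domains, OAuth apps allowed to read
# mail in bulk, and what counts as "bulk".
INTERNAL_DOMAINS = {"treasury.example"}
OUTLOOK_APP = "11111111-1111-4111-8111-111111111111"   # constructed: an approved mail client
UNKNOWN_APP = "c1a2b3d4-0000-4000-8000-000000000001"   # constructed: not on the allow list
KNOWN_MAIL_APPS = {OUTLOOK_APP}
BULK_BIND_THRESHOLD = 50          # message reads per (user, app) inside BULK_WINDOW
BULK_WINDOW = timedelta(hours=1)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_records(lines):
    """Parse a JSON-lines audit export; CreationTime is ISO-8601 without a zone."""
    records = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
            records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def _kv(items):
    # Exchange audits carry cmdlet args and properties as [{"Name":..,"Value":..}]
    return {i["Name"]: str(i["Value"]) for i in items or []}


def detect_forwarding_rules(records):
    """Inbox rules or mailbox settings that send mail off-tenant. Audit values look
    like 'user@x [SMTP:user@x]' or 'smtp:user@x', so addresses are regex-extracted."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
            continue
        params = _kv(rec.get("Parameters"))
        for name in sorted(FORWARD_PARAMS.intersection(params)):
            external = sorted({a for a in EMAIL_RE.findall(params[name])
                               if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS})
            if external:
                alerts.append({"rule": "external_forwarding", "user": rec["UserId"],
                               "operation": rec["Operation"], "param": name,
                               "targets": external, "client_ip": rec.get("ClientIP")})
    return alerts


def detect_bulk_access(records):
    """MailItemsAccessed activity that looks like collection, not a user reading mail."""
    alerts, fired = [], set()
    binds = defaultdict(list)   # (user, app) -> [(timestamp, items_read)]
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        props = _kv(rec.get("OperationProperties"))
        app = rec.get("ClientAppId") or rec.get("AppId", "")
        key = (rec["UserId"], app)
        # Throttled means Exchange stopped writing Bind records: counts are a lower bound.
        if props.get("IsThrottled") == "True" and ("throttled", key) not in fired:
            fired.add(("throttled", key))
            alerts.append({"rule": "audit_throttled", "user": rec["UserId"], "app": app})
        if app in KNOWN_MAIL_APPS:
            continue
        if props.get("MailAccessType") == "Sync":
            alerts.append({"rule": "unknown_app_sync", "user": rec["UserId"], "app": app})
            continue
        items = sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", []))
        recent = [(t, n) for t, n in binds[key] if rec["_ts"] - t <= BULK_WINDOW]
        recent.append((rec["_ts"], items))
        binds[key] = recent
        total = sum(n for _, n in recent)
        if total > BULK_BIND_THRESHOLD and ("bulk", key) not in fired:
            fired.add(("bulk", key))
            alerts.append({"rule": "bulk_bind", "user": rec["UserId"], "app": app,
                           "items_in_window": total})
    return alerts


def run_detections(lines):
    records = parse_records(lines)
    return detect_forwarding_rules(records) + detect_bulk_access(records)


def _bind(ts, user, app, n, throttled=False):
    """Constructed MailItemsAccessed Bind record carrying n message ids."""
    return json.dumps({"CreationTime": ts, "Operation": "MailItemsAccessed", "UserId": user,
        "ClientAppId": app,
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": str(throttled)}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": f"AAMk{i}"} for i in range(n)]}]})


SAMPLE_LINES = [   # constructed audit records
    json.dumps({"CreationTime": "2024-12-08T02:14:05", "Operation": "New-InboxRule",
        "UserId": "analyst@treasury.example", "ClientIP": "203.0.113.7",
        "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "ForwardTo", "Value": "drop@attacker.example [SMTP:drop@attacker.example]"}]}),
    json.dumps({"CreationTime": "2024-12-08T02:20:11", "Operation": "Set-Mailbox",
        "UserId": "admin@treasury.example", "ClientIP": "198.51.100.9",
        "Parameters": [{"Name": "Identity", "Value": "ofac-desk"},
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:shared@treasury.example"}]}),
    json.dumps({"CreationTime": "2024-12-08T03:00:00", "Operation": "MailItemsAccessed",
        "UserId": "ofac-desk@treasury.example", "ClientAppId": UNKNOWN_APP,
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": []}]}),
    _bind("2024-12-08T03:10:00", "ofac-desk@treasury.example", UNKNOWN_APP, 20),
    _bind("2024-12-08T03:20:00", "ofac-desk@treasury.example", UNKNOWN_APP, 20),
    _bind("2024-12-08T03:30:00", "ofac-desk@treasury.example", UNKNOWN_APP, 20),
    _bind("2024-12-08T03:15:00", "analyst@treasury.example", OUTLOOK_APP, 40),
    _bind("2024-12-08T03:25:00", "analyst@treasury.example", OUTLOOK_APP, 40),
    _bind("2024-12-08T09:00:00", "analyst@treasury.example", OUTLOOK_APP, 40, throttled=True),
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LINES):
        print(alert)
```

On the sample data this raises four alerts: the inbox rule forwarding to attacker.example (the internal Set-Mailbox forward is ignored), the Sync by the unknown application, the 60 message reads by that application inside one hour, and the throttled record. The bulk threshold is deliberately per (user, app) rather than per user, because a compromised OAuth application or vendor integration reads mail under the victim's identity and would otherwise be averaged in with the victim's own Outlook traffic.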

Examples

Related Terms

Salt Typhoon, Volt Typhoon, Supply Chain Attack, Third-Party Risk, Hafnium