Cybersecurity researchers report that the Chinese state-sponsored hacking group Silk Typhoon is intensifying attacks on organizations across North America, targeting multiple sectors including government, technology, academia, legal, and professional services. CrowdStrike, which tracks the group under the alias Murky Panda, links them to high-profile espionage operations such as the 2024 US Treasury hack.
Silk Typhoon has been observed quickly exploiting both n-day and zero-day vulnerabilities to gain initial access to victim systems. Their operations also involve compromising SOHO routers, which are then abused as part of their attack infrastructure. The group demonstrates advanced operational security, including modifying timestamps and removing traces to avoid detection and complicate attribution.
For initial access, the hackers have targeted Citrix NetScaler ADC and NetScaler Gateway instances affected by CVE-2023-3519. Once inside, they rely on RDP, web shells, and malware such as CloudedHope (a Golang-based remote access tool) for lateral movement and for maintaining persistence.
Frequent access to victims’ cloud environments appears to support intelligence collection. In some cases, Silk Typhoon has compromised SaaS providers to gain access to downstream customer environments, including email inboxes. CrowdStrike notes that in at least two instances, zero-day vulnerabilities allowed the group to infiltrate SaaS cloud environments, map the logic of the software, and move laterally to compromise additional targets.
Silk Typhoon emphasizes exploiting rarely monitored access points and demonstrates expertise in niche cloud technologies such as Entra ID, while actively sanitizing system logs to erase signs of their presence.
CrowdStrike highlights that organizations relying heavily on cloud services remain particularly vulnerable to trusted-relationship compromises, and state-linked actors like Murky Panda continue to leverage sophisticated tradecraft to execute global espionage campaigns across multiple industries.
Source: https://www.securityweek.com/chinese-silk-typhoon-hackers-exploited-commvault-zero-day