Nation State | January 6, 2026

Silk Typhoon: Chinese APT Escalates Attacks on US Government and IT Supply Chain

Microsoft and CrowdStrike warn of intensified Silk Typhoon operations targeting US government agencies and IT supply chains, with 150% increase in China-linked intrusions.

Alex Kowalski

Chinese state-sponsored threat group Silk Typhoon continues escalating operations against US government entities and IT supply chains, with researchers documenting a staggering 150% year-over-year increase in China-linked cyber intrusions. The group's recent activities include the compromise of the US Treasury Department through a third-party vendor breach.

Treasury Department Breach

The Silk Typhoon connection to the Treasury Department incident became clear after security software provider BeyondTrust notified the agency that threat actors had stolen an API key to access a cloud-based technical support service.

According to a Treasury letter to lawmakers: "With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users."

The stolen documents reportedly related to potential sanctions actions—intelligence of significant value to China's Ministry of State Security (MSS).

Who Is Silk Typhoon?

Silk Typhoon, also tracked as Hafnium and Murky Panda, is a sophisticated threat actor linked to China's MSS. The group first gained worldwide notoriety for exploiting Microsoft Exchange zero-days in a massive attack campaign in 2021.

Their capabilities and targeting profile indicate a well-resourced operation with nation-state backing:

  • Targets: Government agencies, defense contractors, technology companies, academic institutions, legal firms
  • Methods: Zero-day exploitation, supply chain compromise, cloud infrastructure attacks
  • Geographic focus: Primarily United States, with secondary targeting of allied nations

Shift to Supply Chain Attacks

Since 2023, Silk Typhoon has increasingly leveraged IT- and cloud-based supply chain attacks rather than direct targeting. This approach offers several advantages:

Access multiplication: Compromising a single IT service provider can yield access to hundreds of downstream organizations.

Attribution challenges: Attacks through third parties complicate forensic investigation and attribution.

Trust exploitation: Organizations inherently trust their IT vendors, often granting extensive access permissions.

The BeyondTrust incident exemplifies this strategy—rather than attacking Treasury directly, Silk Typhoon compromised a vendor with privileged access.

Recent Activity Surge

CrowdStrike's threat intelligence reveals alarming acceleration in Chinese cyber operations:

  • 40% year-over-year increase in cloud-intrusion activity from China-sponsored groups through mid-2025
  • 150% increase in overall intrusions linked to Chinese threat actors
  • Multiple campaigns targeting IT supply chains across North America

Microsoft researchers have documented Silk Typhoon exploiting zero-day vulnerabilities in Ivanti Pulse Connect VPN (CVE-2025-0282) and other edge devices as initial access vectors.

DOJ Indictments

In March 2025, the Justice Department unsealed indictments against 12 Chinese nationals for their alleged involvement in espionage campaigns, including two alleged Silk Typhoon members:

  • Yin Kecheng
  • Zhou Shuai

Both remain fugitives. The indictments detail attacks against US government agencies, technology companies, and political organizations spanning years of operations.

Technical Indicators

Organizations should monitor for:

  • Unusual BeyondTrust Remote Support or Privileged Remote Access activity
  • Anomalous access patterns from IT vendor accounts
  • Exploitation attempts against edge devices (VPNs, firewalls, remote access tools)
  • Cloud infrastructure access from unexpected geographic locations
  • Lateral movement following vendor access compromise

Defensive Recommendations

Given Silk Typhoon's focus on supply chain compromise:

  1. Audit third-party access: Review and minimize vendor access to sensitive systems
  2. Implement zero trust: Treat vendor connections with the same scrutiny as external access
  3. Monitor cloud infrastructure: Deploy robust logging and anomaly detection for cloud services
  4. Patch edge devices urgently: VPNs and remote access tools are primary initial access vectors
  5. Segment vendor access: Limit what vendors can reach even after authentication
  6. Review API key management: Implement rotation policies and monitor for unusual API activity
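A small triage script that applies the monitoring indicators above (vendor-account access from an unexpected location or outside business hours) together with the API-key rotation check from the recommendations, run over constructed sample events. This is an added example, not code from the article, Microsoft, CrowdStrike or BeyondTrust; the account name, the country baseline, the business-hours window and the 30-day rotation limit are assumptions.

```python
"""Flag anomalous vendor-account access and stale API keys (illustrative)."""
from datetime import datetime

# Hypothetical baseline: approved vendor accounts, the countries they are
# expected to connect from, and the maximum key age allowed by the
# rotation policy (days). Values are assumptions, not real configuration.
VENDOR_BASELINE = {
    "svc-remote-support": {"countries": {"US"}, "max_key_age_days": 30},
}

# Constructed sample events (not real logs): which vendor account connected,
# from which country, when (UTC), and how old the API key it used is.
SAMPLE_EVENTS = [
    {"account": "svc-remote-support", "country": "US",
     "ts": "2025-01-06T14:05:00Z", "key_age_days": 12},
    {"account": "svc-remote-support", "country": "XX",
     "ts": "2025-01-06T03:11:00Z", "key_age_days": 95},
    {"account": "svc-remote-support", "country": "US",
     "ts": "2025-01-07T02:30:00Z", "key_age_days": 12},
]


def flag_event(event, baseline=VENDOR_BASELINE, business_hours=(8, 18)):
    """Return the list of reasons this vendor access event looks anomalous."""
    profile = baseline.get(event["account"])
    if profile is None:
        return ["vendor account not in the approved baseline"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"access from unexpected country {event['country']}")
    hour = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).hour
    if not business_hours[0] <= hour < business_hours[1]:
        reasons.append(f"access outside business hours ({hour:02d}:00 UTC)")
    if event["key_age_days"] > profile["max_key_age_days"]:
        reasons.append(
            f"API key older than rotation policy ({event['key_age_days']} days)")
    return reasons


def triage(events):
    """Map the index of each flagged event to its reasons; clean events are omitted."""
    return {i: r for i, e in enumerate(events) if (r := flag_event(e))}


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["account"], "; ".join(reasons))
```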

The Bigger Picture

Silk Typhoon's operations represent a sustained, strategic effort by Chinese intelligence to penetrate US government systems and gather intelligence relevant to geopolitical competition. The focus on sanctions-related information at Treasury underscores how cyber operations support broader state objectives.

The shift toward supply chain attacks complicates defense. Organizations can't simply harden their own perimeters—they must also evaluate the security posture of every vendor with privileged access.

Organizations with government contracts or sensitive data should treat Silk Typhoon activity as a persistent threat and prioritize supply chain security assessments.
