China's Silk Typhoon, Tied To US Treasury Break-in, Now Hammers IT And Govt Targets

Updated Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.

The timing of this campaign coincides with that break-in at the US Treasury Department, during which Beijing's cyberspies stole data from workstations belonging to the Office of Foreign Assets Control (OFAC), which administers economic and trade sanctions, as well as the Office of the Treasury Secretary.

These intrusions were attributed to Silk Typhoon, according to a Bloomberg report citing unnamed sources, and the Chinese snoops are believed to have gained access after stealing a BeyondTrust digital key used for remote technical support.

And now it appears that the group's victims extend well beyond that one federal agency.

"Since late 2024, Microsoft Threat Intelligence has conducted thorough research and tracked ongoing attacks performed by Silk Typhoon," Redmond said Wednesday, noting that stolen API keys and credentials are Silk Typhoon's preferred means of breaking into victims' environments.

After slipping into organizations via compromised API keys, President Xi's agents snoop around and collect data on devices using an administrative account, specifically looking for information that "overlaps with China-based interests," such as US government policy, legal processes, and documents related to law enforcement investigations.

This espionage campaign also highlights Silk Typhoon's changing tactics, which now include targeting remote management tools and cloud applications to gain initial access, we're told.

Silk Typhoon is the team that Microsoft previously tracked as Hafnium. Prior to the Treasury snooping, it was probably best known for the 2021 Microsoft Exchange Server security breaches during which the spies exploited four zero-day vulnerabilities to get into the inboxes of US-based defense contractors, law firms, and infectious disease researchers, and steal their data.

More recently, in January, Silk Typhoon was observed exploiting CVE-2025-0282, a zero-day vulnerability in Ivanti's public-facing Connect Secure (formerly Pulse Connect Secure) VPN appliances, according to Microsoft.

In 2024, Redmond's threat intel crew reported spotting Silk Typhoon exploiting CVE-2023-3519, a zero-day vulnerability in Citrix NetScaler ADC and NetScaler Gateway, along with CVE-2024-3400, a zero-day in the GlobalProtect feature of Palo Alto Networks' PAN-OS firewalls, to compromise "multiple organizations." ®

Updated to add

Also today, US prosecutors charged 12 Chinese nationals over their alleged roles within the Silk Typhoon team.
