Profiling Silk Typhoon: Tactics, History & Defenses

14.11.2025


Summary

  • Threat Actor: Silk Typhoon (China-nexus), a.k.a. HAFNIUM, timmy
  • Motivation: State-affiliated espionage
  • Targeting: Azure and M365 environments; government, IT, MSPs, defense, healthcare, and NGOs
  • Attack Types: Zero-days, Entra Connect abuse, abuse of OAuth/Graph/EWS for email and data theft
  • Defenses: Lock down Entra Connect, audit OAuth apps, monitor Graph/EWS, enforce MFA, and segment on-prem from cloud.

If you enjoy reading about cloud threat actors, you might also enjoy our training or investigating your own cloud incidents with Cloud Labs.

Overview

Silk Typhoon, also known as HAFNIUM, is assessed to be a Chinese state-affiliated threat actor first identified in early 2021, driven by espionage motives and targeting sectors such as defense, transportation, media, NGOs, and healthcare. The threat actor gained prominence for exploiting four zero-day vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) in March 2021, enabling unauthenticated remote code execution and widespread compromise of on-premises Exchange servers. This campaign allowed Silk Typhoon to deploy web shells for persistent access and data exfiltration, targeting thousands of organizations globally. 

In February 2025, the threat actor exploited a zero-day vulnerability (CVE-2025-3928) in Commvault’s Metallic Microsoft 365 backup SaaS platform on Microsoft Azure, using web shells to access client secrets and infiltrate customers’ Microsoft 365 environments, showcasing their focus on cloud-based supply chain attacks. By targeting IT supply chains, Silk Typhoon leverages trusted vendor relationships to compromise downstream cloud environments.

Silk Typhoon demonstrates cloud-fluent tactics by exploiting on-premises footholds to pivot into cloud environments, targeting Microsoft Entra Connect servers to synchronize and escalate privileges between Active Directory and Entra ID for lateral movement. Once in the cloud, the group manipulates service principals and OAuth applications with administrative consents to abuse Microsoft Graph and Exchange Web Services (EWS) APIs for targeted exfiltration of email, OneDrive, and SharePoint data.

TTPs

All of the details below are also available in our GitHub repository, which provides background on each observed technique along with corresponding MITRE ATT&CK mappings, making it easy to map these insights directly to your cloud logs.

Tactic: (not captured)
Technique: (not captured)
General: The threat actor abuses service principals and OAuth applications with administrative permissions to exfiltrate data from SharePoint via the MSGraph API.

Tactic: Collection
Technique: T1114.002 Email Collection: Remote Email Collection
General: The threat actor uses compromised applications with access to the Exchange Web Services (EWS) API or MSGraph API to steal email data.

Tactic: Collection
Technique: T1213.003 Data from Cloud Storage: OneDrive
General: The threat actor leverages service principals and OAuth applications to exfiltrate data from OneDrive via the MSGraph API.

Tactic: Command and Control
Technique: T1071.001 Application Layer Protocol: Web Protocols
Commvault Campaign: The exploitation of CVE-2025-3928 involved creating and executing web shells, indicating the use of web-based protocols (e.g., HTTP requests) for command and control within the compromised Azure environment.
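The TTPs above all hinge on an application identity holding admin-consented, app-only permissions to mail, OneDrive or SharePoint. The script below is an added example (not code from the original post or from Invictus) of the audit that turns those TTPs into a concrete check: it scores each app registration by its high-risk application permissions, by whether its publisher is verified, and by client secrets or certificates added recently. The input records are constructed; the permission names are real Microsoft Graph and Office 365 Exchange Online application permissions, while the app IDs, display names, dates and the scoring weights are assumptions.

```python
"""Audit Entra ID applications for admin-consented, app-only permissions of the
kind Silk Typhoon abuses for Graph/EWS data theft, plus recently added
client secrets or certificates.

Added example, not code from the original post. The input records are
constructed; permission names are real Graph / Exchange Online application
permissions, the app IDs, names and dates are made up.
"""
from datetime import datetime, timedelta, timezone

# Application permissions that grant tenant-wide access to mail, OneDrive,
# SharePoint or the directory itself. Any app holding one of these needs a
# documented business reason.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "full_access_as_app",  # Exchange Online: EWS access to every mailbox
}

# Constructed export. In practice the same fields can be assembled from
# Graph: servicePrincipals, appRoleAssignments (appRoleId resolved to the
# permission value) and the application's passwordCredentials/keyCredentials.
SAMPLE_APPS = [
    {
        "appId": "11111111-1111-1111-1111-111111111111",  # made up
        "displayName": "Backup Connector",
        "publisherVerified": False,
        "appPermissions": ["Mail.Read", "Files.Read.All", "Sites.Read.All"],
        "credentials": [
            {"type": "password", "startDateTime": "2025-02-10T08:00:00Z"},
            {"type": "password", "startDateTime": "2024-01-15T08:00:00Z"},
        ],
    },
    {
        "appId": "22222222-2222-2222-2222-222222222222",  # made up
        "displayName": "HR Portal",
        "publisherVerified": True,
        "appPermissions": ["User.Read.All"],
        "credentials": [{"type": "key", "startDateTime": "2024-06-01T00:00:00Z"}],
    },
    {
        "appId": "33333333-3333-3333-3333-333333333333",  # made up
        "displayName": "Mailbox Migrator",
        "publisherVerified": True,
        "appPermissions": ["full_access_as_app"],
        "credentials": [{"type": "password", "startDateTime": "2023-09-01T00:00:00Z"}],
    },
]


def _parse_time(value):
    """Parse an ISO-8601 timestamp as exported by Graph (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_apps(apps, now, recent_days=30):
    """Score each app and return the flagged ones, highest score first.

    Scoring (kept simple and transparent; the weights are an assumption):
      +1 per high-risk application permission
      +2 if such permissions are held by an app from an unverified publisher
      +2 per credential added within the last `recent_days`
    Apps that score 0 are not reported.
    """
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for app in apps:
        risky = sorted(set(app.get("appPermissions", [])) & HIGH_RISK_PERMISSIONS)
        fresh = [c for c in app.get("credentials", [])
                 if _parse_time(c["startDateTime"]) >= cutoff]
        score = len(risky)
        if risky and not app.get("publisherVerified", False):
            score += 2
        score += 2 * len(fresh)
        if score == 0:
            continue
        findings.append({
            "appId": app["appId"],
            "displayName": app["displayName"],
            "highRiskPermissions": risky,
            "recentCredentials": len(fresh),
            "score": score,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def audit_sample(now_iso="2025-03-01T00:00:00Z"):
    """Run the audit over the constructed export at a fixed reference time."""
    return audit_apps(SAMPLE_APPS, now=_parse_time(now_iso))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['score']:>2}  {f['displayName']:<18} perms={f['highRiskPermissions']} "
              f"new_creds={f['recentCredentials']}")
```

The unverified "Backup Connector" with mail and file permissions and a secret added three weeks earlier lands at the top; an app with a single EWS `full_access_as_app` grant still appears, because that one permission alone is enough to read every mailbox. Review the top of the list first, confirm the business owner of each app, and remove any permission or credential nobody can account for.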

Incident Response Steps

Below are several high-impact steps to prepare for and respond to the TTPs mentioned above. The list isn't exhaustive, but it highlights key areas where defenders can focus their efforts. Each step lists what to investigate and how to harden.

1. Exploit Public-Facing Application
Detect and mitigate unauthorized access via web server vulnerability.
Investigate:
  • Review Azure Activity Logs and web server logs (IIS/Nginx) for suspicious calls or requests.
  • Correlate alerts from Microsoft Defender for Cloud.
  • Analyze affected Azure VMs for post-exploitation activity.
Harden:
  • Patch known vulnerabilities and isolate compromised instances.
  • Deploy WAF rules and enforce least-privilege access with Azure RBAC.
2. Supply Chain Compromise
Detect and neutralize misuse of stolen API keys/credentials.
Investigate:
  • Audit Entra ID and Azure IAM logs for unauthorized access or unusual app activity.
  • Review Defender for Identity alerts for anomalous credential use.
  • Trace credential origin and scope using Azure Resource Graph.
Harden:
  • Rotate compromised credentials and enforce MFA across all accounts.
  • Restrict access by IP and enforce credential hygiene policies with Azure Policy.
3. Server Software Component: Web Shell
Detect and eradicate web shell deployments.
Investigate:
  • Analyze IIS/Nginx logs and Microsoft Defender File Integrity Monitoring for suspicious script activity.
  • Check EDR logs for unusual processes or web server behavior.
  • Investigate script upload patterns and access anomalies.
Harden:
  • Block script uploads using Web Application Firewall (WAF) and enforce execution policies.
  • Deploy EDR and enable real-time log streaming into Microsoft Sentinel.
4. Data Exfiltration from Repositories
Detect and prevent data exfiltration from cloud repositories.
Investigate:
  • Monitor Unified Audit Logs for file access, downloads, and Graph API activity.
  • Use Defender for Cloud Apps to detect abnormal downloads or OAuth abuse.
  • Review Entra ID and Exchange Mailbox Audit Logs for suspicious sharing or forwarding.
Harden:
  • Enforce Conditional Access and Data Loss Prevention (DLP) policies across M365 services.
  • Apply encryption and integrate audit logs with Microsoft Sentinel.
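Steps 2 and 4 both come down to the same question: which application identity read which mailboxes and files, from where, and how fast. The script below is an added example (not code from the original post or from Invictus) of that hunt over an exported Unified Audit Log: it keeps only content-reading operations performed by application identities, groups them per app, and reports apps that touched many distinct mailboxes or files. The records are constructed. The field names (CreationTime, Operation, Workload, UserId, UserType, ClientIP, AppId or ApplicationId, ObjectId, MailboxOwnerUPN) follow the Office 365 Management Activity API schema, in which UserType 5 is Application and 6 is ServicePrincipal; how those fields are populated for a given workload, the app IDs, IPs and the thresholds are assumptions you should tune against your own tenant's exports.

```python
"""Hunt Unified Audit Log (UAL) records for application identities (OAuth apps
and service principals) reading mail, OneDrive or SharePoint content in bulk
through Graph or EWS.

Added example, not code from the original post. Records are constructed;
field names follow the Office 365 Management Activity API schema (UserType 5 =
Application, 6 = ServicePrincipal). App IDs, IPs and thresholds are assumed.
"""
import json
from collections import defaultdict
from datetime import datetime

# Operations that return content rather than metadata, so they matter for theft.
CONTENT_READ_OPERATIONS = {
    "MailItemsAccessed",       # Exchange: message content read via Graph/EWS/sync
    "FileDownloaded",          # SharePoint / OneDrive
    "FileSyncDownloadedFull",
    "FileAccessed",
}
APP_USER_TYPES = {5, 6}  # Application, ServicePrincipal

# Made-up app IDs used in the constructed export below.
SUSPECT_APP = "11111111-1111-1111-1111-111111111111"
KNOWN_SCANNER_APP = "22222222-2222-2222-2222-222222222222"

# Constructed UAL export, one JSON record per line. An app identity reads four
# mailboxes and two OneDrive files within ten minutes from one IP; two humans
# work normally; a known scanner app touches five files.
SAMPLE_UAL = r"""
{"CreationTime":"2025-02-12T03:10:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"alice@example.com","UserType":6,"ClientIP":"203.0.113.45","AppId":"11111111-1111-1111-1111-111111111111","MailboxOwnerUPN":"alice@example.com"}
{"CreationTime":"2025-02-12T03:11:00","Operation":"FileDownloaded","Workload":"OneDrive","UserId":"alice@example.com","UserType":0,"ClientIP":"198.51.100.7","ObjectId":"https://example-my.sharepoint.com/personal/alice_example_com/Documents/notes.docx"}
{"CreationTime":"2025-02-12T03:12:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"bob@example.com","UserType":6,"ClientIP":"203.0.113.45","AppId":"11111111-1111-1111-1111-111111111111","MailboxOwnerUPN":"bob@example.com"}
{"CreationTime":"2025-02-12T03:13:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"bob@example.com","UserType":0,"ClientIP":"198.51.100.8","MailboxOwnerUPN":"bob@example.com"}
{"CreationTime":"2025-02-12T03:14:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"carol@example.com","UserType":6,"ClientIP":"203.0.113.45","AppId":"11111111-1111-1111-1111-111111111111","MailboxOwnerUPN":"carol@example.com"}
{"CreationTime":"2025-02-12T03:15:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"dave@example.com","UserType":6,"ClientIP":"203.0.113.45","AppId":"11111111-1111-1111-1111-111111111111","MailboxOwnerUPN":"dave@example.com"}
{"CreationTime":"2025-02-12T03:17:00","Operation":"FileDownloaded","Workload":"OneDrive","UserId":"app@sharepoint","UserType":6,"ClientIP":"203.0.113.45","ApplicationId":"11111111-1111-1111-1111-111111111111","ObjectId":"https://example-my.sharepoint.com/personal/alice_example_com/Documents/board-pack.pdf"}
{"CreationTime":"2025-02-12T03:19:00","Operation":"FileDownloaded","Workload":"OneDrive","UserId":"app@sharepoint","UserType":6,"ClientIP":"203.0.113.45","ApplicationId":"11111111-1111-1111-1111-111111111111","ObjectId":"https://example-my.sharepoint.com/personal/dave_example_com/Documents/q1-forecast.xlsx"}
{"CreationTime":"2025-02-12T04:00:00","Operation":"FileAccessed","Workload":"SharePoint","UserId":"app@sharepoint","UserType":6,"ClientIP":"192.0.2.10","ApplicationId":"22222222-2222-2222-2222-222222222222","ObjectId":"https://example.sharepoint.com/sites/hr/Shared%20Documents/policy1.docx"}
{"CreationTime":"2025-02-12T04:00:05","Operation":"FileAccessed","Workload":"SharePoint","UserId":"app@sharepoint","UserType":6,"ClientIP":"192.0.2.10","ApplicationId":"22222222-2222-2222-2222-222222222222","ObjectId":"https://example.sharepoint.com/sites/hr/Shared%20Documents/policy2.docx"}
{"CreationTime":"2025-02-12T04:00:10","Operation":"FileAccessed","Workload":"SharePoint","UserId":"app@sharepoint","UserType":6,"ClientIP":"192.0.2.10","ApplicationId":"22222222-2222-2222-2222-222222222222","ObjectId":"https://example.sharepoint.com/sites/hr/Shared%20Documents/policy3.docx"}
{"CreationTime":"2025-02-12T04:00:15","Operation":"FileAccessed","Workload":"SharePoint","UserId":"app@sharepoint","UserType":6,"ClientIP":"192.0.2.10","ApplicationId":"22222222-2222-2222-2222-222222222222","ObjectId":"https://example.sharepoint.com/sites/hr/Shared%20Documents/policy4.docx"}
{"CreationTime":"2025-02-12T04:00:20","Operation":"FileAccessed","Workload":"SharePoint","UserId":"app@sharepoint","UserType":6,"ClientIP":"192.0.2.10","ApplicationId":"22222222-2222-2222-2222-222222222222","ObjectId":"https://example.sharepoint.com/sites/hr/Shared%20Documents/policy5.docx"}
"""


def parse_ual(text):
    """Parse a JSON-lines UAL export into a list of record dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _app_id(rec):
    # Exchange records carry AppId, SharePoint/OneDrive records ApplicationId.
    return rec.get("AppId") or rec.get("ApplicationId")


def _target(rec):
    # What was read: the mailbox for Exchange, the file URL for SharePoint/OneDrive.
    return rec.get("MailboxOwnerUPN") or rec.get("ObjectId") or rec.get("UserId")


def find_bulk_app_access(records, allowlist=frozenset(), min_ops=5, min_targets=3):
    """Per application identity, count content reads and distinct targets and
    report apps at or above both thresholds, busiest app first."""
    per_app = defaultdict(lambda: {"ops": 0, "targets": set(), "ips": set(), "times": []})
    for rec in records:
        if rec.get("Operation") not in CONTENT_READ_OPERATIONS:
            continue
        if rec.get("UserType") not in APP_USER_TYPES:
            continue  # interactive user activity is out of scope for this hunt
        app = _app_id(rec)
        if not app or app in allowlist:
            continue
        stats = per_app[app]
        stats["ops"] += 1
        stats["targets"].add(_target(rec))
        if rec.get("ClientIP"):
            stats["ips"].add(rec["ClientIP"])
        stats["times"].append(datetime.fromisoformat(rec["CreationTime"]))
    findings = []
    for app, stats in per_app.items():
        if stats["ops"] >= min_ops and len(stats["targets"]) >= min_targets:
            span = (max(stats["times"]) - min(stats["times"])).total_seconds() / 60
            findings.append({"appId": app, "ops": stats["ops"],
                             "targets": sorted(stats["targets"]),
                             "ips": sorted(stats["ips"]), "span_minutes": span})
    return sorted(findings, key=lambda f: f["ops"], reverse=True)


def hunt_sample():
    """Run the hunt over the constructed export with the scanner app allowlisted."""
    return find_bulk_app_access(parse_ual(SAMPLE_UAL), allowlist={KNOWN_SCANNER_APP})


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"{f['appId']}: {f['ops']} reads of {len(f['targets'])} targets "
              f"from {f['ips']} in {f['span_minutes']:.0f} min")
```

Without an allowlist the known scanner is reported too, which is the right default for a first pass: build the allowlist from apps whose owner and purpose you have confirmed, then feed the remaining app IDs into the credential rotation and consent review from steps 2 and 4. The source IP and time span of a flagged app are what you take to Conditional Access (restrict the app's sign-in locations) and to the IR timeline.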

Getting Help

If you spot any of these TTPs or indicators in your environment, or just want to become incident-ready in the cloud, contact our team. We’ll help you tighten your Azure, M365 or Entra defenses, refine your IR runbook, and stay ahead of Silk Typhoon or other cloud-focused adversaries.

About Invictus Incident Response

We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!

🆘 Incident Response support reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7
