A China-based hacking group linked to the Ministry of State Security is using a new tactic to spy on major organizations in North America. According to research from CrowdStrike, the group, known as Silk Typhoon, infiltrates victims by hacking their cloud service providers. This allows them to bypass traditional defenses by exploiting trusted relationships, giving them access to government, technology, and academic targets without attacking them directly.
A New Focus on Abusing Cloud Trust
Silk Typhoon, the group Microsoft previously tracked as Hafnium, is not a new threat. It was responsible for the mass exploitation of on-premises Microsoft Exchange servers in 2021 that forced emergency patching worldwide. Now it has shifted strategy. Instead of attacking targets directly, it compromises third-party cloud and SaaS providers that those targets already use and trust, and rides the provider's existing access into the customer environment.
This approach is highly effective because a single breach of a provider can give the attackers a path into hundreds of downstream customers at once. Rather than breaking in, the attackers walk through the "front door" using the privileged access the provider already holds in each customer's environment. CrowdStrike's research shows the campaign has been active since at least 2023 and has targeted a wide range of sectors:
- Government agencies
- Technology companies
- Major law firms
- Academic institutions
This method allows the espionage campaign to remain hidden under the cover of what looks like legitimate cloud activity.
Turning Convenience into a Cyber Weapon
Cloud services are designed for convenience. Features like service principals and cross-tenant permissions let different systems connect and work together smoothly. A service principal is the identity an application uses to sign in without a human; it authenticates with a client secret or certificate, and the permissions granted to it apply in every tenant where the app has been consented to. That convenience is also a security risk. As one expert noted, these mechanisms were built for easy integration, not to withstand a well-resourced, state-backed adversary.
A single stolen application secret or an over-broad permission grant can set off a domino effect. Once attackers hold a foothold in a trusted provider, they can reuse its credentials and delegated permissions to move into each of the provider's customer environments. This creates a systemic risk: the very tools meant to simplify IT management become a highway for espionage.
Attack Methods and a Custom Malware
Silk Typhoon uses a mix of old and new techniques. The group still targets common weak points such as exposed small office and home office (SOHO) routers and internet-facing web appliances. For example, it exploited CVE-2023-3519, an unauthenticated remote code execution flaw in Citrix NetScaler ADC and Gateway, to run code on unpatched devices.
In other cases, the group compromised cloud service providers more directly. It stole the secrets behind a SaaS provider's application registration, which let it authenticate as that application's service principal and read data in the provider's customer tenants while appearing to be a legitimate, already-consented app. In one of the most severe instances, it compromised a Microsoft cloud solution provider's administrative account. Under the Microsoft partner model, a provider's administrative agents receive delegated administrative privileges, which carry Global Administrator-level rights in every customer tenant that accepted the relationship, so one compromised account gave the attackers that level of access across the provider's entire customer base.
| Technique | Description | Impact |
|---|---|---|
| Trusted-Relationship Compromise | Hacking a cloud or SaaS provider to access their customers. | Gains access to multiple victims through a single breach. |
| App Impersonation | Stealing app secrets to authenticate as a trusted application. | Bypasses security by appearing as legitimate traffic. |
| Appliance Exploitation | Using flaws like CVE-2023-3519 in network devices. | Establishes a foothold for further network access. |
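Both cloud techniques above (authenticating with a stolen app secret, and reusing a provider's delegated access) produce sign-ins that look legitimate on their face: a known application, a valid credential, an authorized permission. What gives them away is deviation from that identity's own history. The script below is an added example, not code from CrowdStrike or Microsoft. It builds a per-service-principal baseline of source IPs and target resources from successful sign-ins before a cutoff date, flags later sign-ins that fall outside it, and raises severity when an audit event shows a credential was added to the app shortly beforehand. Field names mirror the Microsoft Graph `signIns` resource (`servicePrincipalId`, `appId`, `ipAddress`, `resourceDisplayName`, `status.errorCode`); the records, the flattened `targetAppId` field on the audit events, and the 72-hour window are constructed for the example.

```python
"""Baseline-and-deviation detection for service principal sign-ins.

Added example; not CrowdStrike's or Microsoft's code. All records below are
constructed sample data shaped like Entra ID sign-in and audit log entries.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def rec(ts, sp_id, app_id, app_name, ip, resource, error_code=0):
    """Build one sign-in record in the shape of the Graph signIns resource."""
    return {"createdDateTime": ts, "servicePrincipalId": sp_id, "appId": app_id,
            "appDisplayName": app_name, "ipAddress": ip,
            "resourceDisplayName": resource, "status": {"errorCode": error_code}}


# Constructed sample sign-ins (RFC 5737 documentation addresses).
SAMPLE_SIGNINS = [
    rec("2024-03-01T09:00:00Z", "sp-1", "app-1", "Contoso Backup Connector", "203.0.113.10", "Microsoft Graph"),
    rec("2024-03-02T09:00:00Z", "sp-1", "app-1", "Contoso Backup Connector", "203.0.113.10", "Microsoft Graph"),
    rec("2024-03-03T09:00:00Z", "sp-1", "app-1", "Contoso Backup Connector", "203.0.113.11", "Microsoft Graph"),
    # AADSTS7000215 (invalid client secret): failed sign-ins never feed the baseline.
    rec("2024-03-04T09:00:00Z", "sp-1", "app-1", "Contoso Backup Connector", "203.0.113.10", "Microsoft Graph", 7000215),
    # After the cutoff: one normal sign-in, one from a new IP to a new resource,
    # and one from a service principal with no history at all.
    rec("2024-03-09T09:00:00Z", "sp-1", "app-1", "Contoso Backup Connector", "203.0.113.10", "Microsoft Graph"),
    rec("2024-03-09T03:00:00Z", "sp-1", "app-1", "Contoso Backup Connector", "198.51.100.77", "Windows Azure Active Directory"),
    rec("2024-03-10T11:00:00Z", "sp-2", "app-2", "Unknown Integration", "198.51.100.77", "Microsoft Graph"),
]

# Constructed audit event; `targetAppId` is a flattened stand-in for the
# target application object in a real Entra audit log entry (assumption).
SAMPLE_AUDIT = [
    {"activityDisplayName": "Update application - Certificates and secrets management",
     "createdDateTime": "2024-03-09T02:10:00Z", "targetAppId": "app-1"},
]

CUTOFF = datetime(2024, 3, 8, tzinfo=timezone.utc)   # baseline = everything before this
CRED_WINDOW = timedelta(hours=72)                     # credential change lookback (assumed)


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_baseline(signins, cutoff):
    """Per service principal: IPs and resources seen in successful sign-ins before cutoff."""
    baseline = defaultdict(lambda: {"ips": set(), "resources": set()})
    for r in signins:
        if parse_ts(r["createdDateTime"]) >= cutoff or r["status"]["errorCode"] != 0:
            continue
        b = baseline[r["servicePrincipalId"]]
        b["ips"].add(r["ipAddress"])
        b["resources"].add(r["resourceDisplayName"])
    return baseline


def recent_credential_changes(audit, app_id, when, window):
    """Timestamps of credential-management events on app_id within `window` before `when`."""
    hits = []
    for e in audit:
        if e["targetAppId"] != app_id or not e["activityDisplayName"].startswith("Update application"):
            continue
        t = parse_ts(e["createdDateTime"])
        if when - window <= t <= when:
            hits.append(e["createdDateTime"])
    return hits


def find_anomalies(signins, audit, cutoff, window=CRED_WINDOW):
    """Sign-ins after cutoff that deviate from the baseline, oldest first."""
    baseline = build_baseline(signins, cutoff)
    findings = []
    for r in sorted(signins, key=lambda x: x["createdDateTime"]):
        when = parse_ts(r["createdDateTime"])
        if when < cutoff:
            continue
        b = baseline.get(r["servicePrincipalId"])
        reasons = []
        if b is None:
            reasons.append("no baseline for this service principal")
        else:
            if r["ipAddress"] not in b["ips"]:
                reasons.append("new source IP " + r["ipAddress"])
            if r["resourceDisplayName"] not in b["resources"]:
                reasons.append("new resource " + r["resourceDisplayName"])
        if not reasons:
            continue
        creds = recent_credential_changes(audit, r["appId"], when, window)
        if creds:
            reasons.append("credential added/rotated at " + ", ".join(creds))
        findings.append({"time": r["createdDateTime"], "app": r["appDisplayName"],
                         "servicePrincipalId": r["servicePrincipalId"],
                         "severity": "high" if creds else "medium", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_SIGNINS, SAMPLE_AUDIT, CUTOFF):
        print(f["severity"].upper(), f["time"], f["app"], "|", "; ".join(f["reasons"]))
```

On the sample data this yields two findings: the sp-1 sign-in from 198.51.100.77 to a resource it never touched, escalated to high because a secret was added to app-1 fifty minutes earlier, and the never-before-seen sp-2. The normal sp-1 sign-in is not reported. In a real tenant the baseline window should be long enough to capture legitimate IP churn, and a provider's delegated-admin sign-ins into your tenant deserve the same treatment as any other privileged identity.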
To maintain control and steal data, the group uses its own custom malware, CloudedHope, a remote access trojan (RAT) built for Linux systems. CloudedHope is notable for its anti-analysis features: it can detect when it is being run in an analysis environment and perform decoy actions to mislead investigators.
The Future of Cybersecurity Has Shifted
This campaign highlights a major shift in the cybersecurity landscape. Espionage groups are moving away from noisy, direct attacks and focusing on the invisible connections that hold the cloud together. By targeting trust itself, they can operate more quietly and for longer periods before being detected.
The core problem is that many organizations implicitly trust their third-party providers without verifying what those providers can actually reach. Cloud providers are getting better at patching vulnerabilities, but the architecture of cloud trust itself remains a weak point. Experts warn that patching servers and monitoring endpoints is no longer enough. The new battlefield is identity, permissions, and the web of trust relationships that define modern IT environments. In practice, that means knowing which service principals and partner relationships hold privileged roles in your tenant, rotating and time-limiting their credentials, and treating a service principal sign-in from a new location or to a new resource as something to investigate rather than background noise. For organizations across North America, this represents a new and challenging era of espionage risk.
