
Silk Typhoon Overview

Silk Typhoon (also known as HAFNIUM) is a China-based state-sponsored group, first recognised as active in January 2021, that focuses on stealing information for state-level espionage. The group is known for targeting US industry sectors such as higher education institutions and military defence contractors, among several others, and conducts its operations through US-based virtual private networks (VPNs).

They were responsible for a highly publicised attack on Microsoft Exchange Server in early 2021. The attack affected tens of thousands of organisations worldwide and was attributed to a series of zero-day vulnerabilities in the Exchange Server software. Silk Typhoon was accused of exploiting these vulnerabilities to steal sensitive data and install backdoors on the compromised systems, allowing them to maintain persistent access to the targeted organisations’ networks. The attack was considered highly sophisticated and posed a serious threat to global cyber security.

In September 2021, the US Department of Justice indicted four Chinese nationals who were allegedly members of Silk Typhoon. The individuals were accused of being involved in the 2021 Microsoft Exchange Server attack.

The group is known to use a range of tools and techniques to conduct its attacks. Some of the tools that have been attributed to the group include:

  1. China Chopper: A web shell that allows attackers to remotely access and control a compromised system
  2. Mimikatz: A tool that can be used to extract passwords and other sensitive data from a compromised system
  3. Cobalt Strike: A legitimate penetration testing tool that can be used by attackers to evade detection and maintain persistent access to compromised systems
  4. Metasploit: An open-source penetration testing tool that can be used to exploit vulnerabilities in a target system
  5. PowerShell Empire: A post-exploitation framework that allows attackers to perform a range of malicious activities on compromised systems
  6. ProcDump: A Windows command-line utility that generates crash dumps of applications and processes when they crash or behave unexpectedly
  7. Nishang: A framework of offensive PowerShell scripts that aids penetration testing and red teaming activities
  8. Powercat: A PowerShell tool for network communication and data transfer over the TCP and UDP protocols

Targeted Sectors

Silk Typhoon primarily targets several US-based industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and non-governmental organisations (NGOs).

Threat Actor Motivations

The motives of Silk Typhoon can be evaluated by observing the strategies the group applies within its campaigns. The group is known for its interest in gathering sensitive information for state-sponsored espionage. Its motives also centre on stealing sensitive information such as intellectual property, trade secrets, and government and corporate data.

Threat Actor Activity Timeline

Incident: Microsoft Exchange Server data breach
Date: April 2021
Description: Over five hundred Windows Exchange servers were targeted using four zero-day exploit techniques

Incident: Tarrask malware spread
Date: August 2021 to February 2022
Description: Targeting the telecommunication, internet service provider and data services sectors, the malware was found to be linked to Silk Typhoon and exploits the Windows scheduled tasks system

Silk Typhoon Associated Malware

DoejoCrypt.A (DearCry): Ransomware that first appeared in March 2021. DearCry encrypts an infected system’s files and then demands payment in exchange for the decryption key. One distinctive feature of DearCry is that it uses the Microsoft Exchange Online ProxyLogon vulnerability to bypass authentication before encrypting files and leaking data.

Tarrask: Defence-evasion malware first observed in August 2021 that abuses the built-in Windows scheduled tasks feature, deleting registry values and using the command line to hide active processes or files. It first uses ‘token theft’ to gain the privileges required to execute.
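
A defender's check for the hiding technique described above, written as an added example (it is not code from the original profile or from Microsoft): a scheduled task registered under HKLM\...\Schedule\TaskCache\Tree normally carries Id, Index and SD values, and Tarrask hides a task by deleting its SD (security descriptor) value so the task no longer appears in the Task Scheduler UI or in schtasks output. The pure function below flags task keys that have an Index but no SD; the winreg collector is Windows-only and the SAMPLE_TREE contents, including the task name ExampleHiddenTask, are constructed.

```python
"""Added example: flag scheduled tasks whose TaskCache\\Tree registry key lacks
the SD value. Not part of the original profile; SAMPLE_TREE is constructed."""

# Standard location of the Task Scheduler tree cache under HKEY_LOCAL_MACHINE.
TASK_TREE_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def find_tasks_missing_sd(task_values):
    """task_values maps a task path to the set of value names under its Tree key.

    A task key normally carries Id, Index and SD. A key that has Index (so it is a
    task rather than a folder) but no SD is hidden from Task Scheduler and from
    'schtasks /query', which is the effect the Tarrask description above relies on.
    """
    return sorted(
        path for path, names in task_values.items()
        if "Index" in names and "SD" not in names
    )


def read_task_tree():
    """Windows-only collector: walk TaskCache\\Tree with winreg.

    Returns the same mapping shape as SAMPLE_TREE. Requires administrative
    rights to read every subkey; not exercised in the offline sample run.
    """
    import winreg  # only importable on Windows

    tree = {}

    def walk(key_path, display):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
            tree[display] = {winreg.EnumValue(key, i)[0] for i in range(n_values)}
            for i in range(n_subkeys):
                sub = winreg.EnumKey(key, i)
                walk(key_path + "\\" + sub, display + "\\" + sub)

    walk(TASK_TREE_KEY, "")
    tree.pop("", None)  # the Tree root itself is neither a folder nor a task
    return tree


# Constructed sample of what read_task_tree() could return; no real host involved.
SAMPLE_TREE = {
    r"\Microsoft": {"Id", "SD"},                                  # a folder key
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": {"Id", "Index", "SD"},
    r"\ExampleHiddenTask": {"Id", "Index"},                       # SD deleted
}

if __name__ == "__main__":
    for path in find_tasks_missing_sd(SAMPLE_TREE):
        print("scheduled task with no SD value (hidden):", path)
```

A hit is a lead, not a verdict: pull the matching Tasks\{GUID} entry for the task's action and trigger, and remember that a registry sweep only finds what is still registered, so pair it with process and command-line telemetry for tasks that are already running.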

ASPXSpy: Open-source malware first seen in the group’s attacks on Microsoft Exchange Online servers, used mainly for persistence. The group’s modified version creates malicious ASPX files that allow remote execution of commands to control an infected system, lateral movement, and several other functions.

China Chopper: A small web shell backdoor that attackers frequently use for a variety of harmful tasks, including gaining unauthorised access to a targeted system, stealing confidential information, and conducting further attacks. The tool is designed to be installed on a compromised web server, after which attackers can operate the server remotely through a straightforward web interface.

Impacket: A collection of Python classes and scripts for interacting with several network protocols, including SMB, NetBIOS, MSRPC and LDAP, and for low-level network packet manipulation. Attackers and researchers alike use it to build and evaluate security tools and exploits, and to audit and assess the security of networked systems.

PsExec: A command-line tool from Microsoft’s Sysinternals suite used to run tasks on remote Windows computers. It lets administrators execute commands or programmes on remote machines without installing any software there; users can start and stop services and processes, run commands on Windows systems remotely, and even install software on remote devices.

Indicators of Compromise

Silk Typhoon Associated IP Addresses:

  • 103.77.192[.]219
  • 104.140.114[.]110
  • 104.250.191[.]110
  • 108.61.246[.]56
  • 149.28.14[.]163
  • 157.230.221[.]198
  • 167.99.168[.]251
  • 185.250.151[.]72
  • 192.81.208[.]169
  • 203.160.69[.]66
  • 211.56.98[.]146
  • 5.254.43[.]18
  • 5.2.69[.]14
  • 80.92.205[.]81
  • 91.192.103[.]43

Silk Typhoon Associated Web Shell Hashes (SHA256):

These hashes indicate the presence of the ASP web shells used in the attack on Microsoft Exchange Servers in 2021:

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
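
The two indicator lists above are only useful once they are run against real telemetry. The following is an added example, not code from the original profile or from any vendor: it refangs the listed IP addresses, matches them against constructed W3C IIS log lines (the field order and the request paths in SAMPLE_IIS_LOG are assumptions for the sample, not observed traffic), and hashes script files under an Exchange web directory against the listed SHA256 values.

```python
"""Added example: check IIS log lines and on-disk script files against the
Silk Typhoon IoCs listed above. Sample log lines are constructed."""
import hashlib
from pathlib import Path

# Indicators copied from the lists above, kept in their defanged form.
SILK_TYPHOON_IPS_DEFANGED = [
    "103.77.192[.]219", "104.140.114[.]110", "104.250.191[.]110",
    "108.61.246[.]56", "149.28.14[.]163", "157.230.221[.]198",
    "167.99.168[.]251", "185.250.151[.]72", "192.81.208[.]169",
    "203.160.69[.]66", "211.56.98[.]146", "5.254.43[.]18",
    "5.2.69[.]14", "80.92.205[.]81", "91.192.103[.]43",
]
WEB_SHELL_SHA256 = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}


def refang(ioc: str) -> str:
    """Turn '1.2.3[.]4' back into '1.2.3.4' so it compares with live log data."""
    return ioc.replace("[.]", ".")


KNOWN_BAD_IPS = frozenset(refang(ip) for ip in SILK_TYPHOON_IPS_DEFANGED)

# Assumed W3C IIS field order; adjust to the '#Fields:' header of your own logs.
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


def parse_iis_line(line: str):
    """Split one IIS log line into a dict; directive lines ('#...') give None."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def find_ip_hits(lines):
    """Return (client_ip, method, uri) for every request from a listed IP."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec and rec["c-ip"] in KNOWN_BAD_IPS:
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]))
    return hits


def is_known_web_shell(sha256_hex: str) -> bool:
    """True when the hex digest is one of the listed web shell hashes."""
    return sha256_hex.lower() in WEB_SHELL_SHA256


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_web_shells(root, suffixes=(".aspx", ".ashx", ".asmx")):
    """Hash every script file under root and return those matching a listed hash."""
    root = Path(root)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in suffixes
                  and is_known_web_shell(sha256_of(p)))


# Constructed sample log lines (not real traffic); the POST comes from a listed IP.
SAMPLE_IIS_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2021-03-02 08:01:10 10.0.0.5 GET /owa/ - 443 - 10.0.0.42 Mozilla/5.0 200",
    "2021-03-02 08:03:55 10.0.0.5 POST /owa/auth/example.aspx - 443 - 104.140.114.110 python-requests/2.25 200",
    "2021-03-02 08:04:02 10.0.0.5 GET /ecp/ - 443 - 10.0.0.43 Mozilla/5.0 302",
]

if __name__ == "__main__":
    for hit in find_ip_hits(SAMPLE_IIS_LOG):
        print("request from listed IP:", hit)
    print("web shell hash matches:", scan_for_web_shells(r"C:\inetpub\wwwroot\aspnet_client"))
```

Hash matching is the weakest of the three checks: a one-byte change to a web shell defeats it, so treat the hash list as a fast first pass and follow it with a review of any recently created script file in the Exchange web directories, whatever its hash.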

Exploited Vulnerabilities

CVE-2021-26855 (CVSSv3 Score 9.8 – Critical Severity) is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 (CVSSv3 Score 7.8 – High Severity) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a programme deserializes untrusted, user-controllable data. Exploiting this vulnerability gave Silk Typhoon the ability to run code as SYSTEM on the Exchange server; it requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 (CVSSv3 Score 7.8 – High Severity) is a post-authentication arbitrary file write vulnerability in Exchange. If Silk Typhoon could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 (CVSSv3 Score 7.8 – High Severity) is a post-authentication arbitrary file write vulnerability in Exchange. If Silk Typhoon could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Mitre Methodologies

Reconnaissance
T1592.004 – Gather Victim Host Information: Client Configurations
T1589.002 – Gather Victim Identity Information: Email Addresses
T1590.005 – Gather Victim Network Information: IP Addresses
T1590 – Gather Victim Network Information

Resource Development
T1583.003 – Acquire Infrastructure: Virtual Private Server
T1583.006 – Acquire Infrastructure: Web Services

Initial Access
T1190 – Exploit Public-Facing Application
T1078.003 – Valid Accounts: Local Accounts

Execution
T1059.001 – Command and Scripting Interpreter: PowerShell

Persistence
T1136.002 – Create Account: Domain Account
T1505.003 – Server Software Component: Web Shell
T1078.003 – Valid Accounts: Local Accounts

Privilege Escalation
T1078.003 – Valid Accounts: Local Accounts

Defence Evasion
T1218.011 – System Binary Proxy Execution: Rundll32
T1078.003 – Valid Accounts: Local Accounts

Credential Access
T1003.001 – OS Credential Dumping: LSASS Memory
T1003.003 – OS Credential Dumping: NTDS

Collection
T1560.001 – Archive Collected Data: Archive via Utility
T1114.002 – Email Collection: Remote Email Collection

Command and Control
T1071.001 – Application Layer Protocol: Web Protocols
T1132.001 – Data Encoding: Standard Encoding
T1105 – Ingress Tool Transfer
T1095 – Non-Application Layer Protocol

Exfiltration
T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage

Containment, Mitigations and Remediations

It is strongly recommended that the following National Cyber Security Centre (NCSC) mitigation strategies are followed to enhance the security posture of a network environment against the threat of Silk Typhoon:

  • Businesses can use Microsoft endpoint security plans like Microsoft Defender for Endpoint and Microsoft 365 Defender to help them stop, identify, investigate, and respond to sophisticated cyber-attacks. Similar features, tailored for small and medium-sized enterprises, are offered by Microsoft Defender for Business and Microsoft 365 Business Premium. These plans offer centralised management and reporting, enhanced threat prevention, antivirus and antimalware defence, ransomware mitigation, and more.
  • Apply layers of phishing defences. Detect and quarantine as many malicious email attachments and as much spam as possible before they reach end users. Multiple layers of defence will significantly diminish the possibility of compromise. It is crucial to offer security awareness training and advise staff members of the dangers of opening malicious documents, clicking on harmful links, or disclosing confidential information in emails.
  • Maintain regular patching cycles for all systems to counter known exploits.

Additional information

Microsoft Exposes Evasive Chinese Tarrask Malware Attacking Windows Computers (thehackernews.com)
Exchange email hack: Hundreds of UK firms compromised – BBC News
HAFNIUM, Operation Exchange Marauder, Group G0125 | MITRE ATT&CK®


Figure: An Intelligence Terminology Yardstick showing the likelihood of events