Home / Threat Actors / Silk Typhoon Threat Actor Profile

Silk Typhoon Overview

Silk Typhoon (also known as HAFNIUM) is a Chinese based state-sponsored group, first recognised as active in January 2021, that focuses on the theft of information for the purposes of state-level espionage. The group has been known for targeting industry sectors in the US such as higher education institutions and military defence contractors among several others, conducting operations using US-based virtual private networks (VPNs).

They were responsible for a highly publicised attack on Microsoft Exchange Server in early 2021. The attack affected tens of thousands of organisations worldwide and was attributed to a series of zero-day vulnerabilities in the Exchange Server software. Silk Typhoon was accused of exploiting these vulnerabilities to steal sensitive data and install backdoors on the compromised systems, allowing them to maintain persistent access to the networks of the target’s organisations. The attack was considered highly sophisticated and posed a serious threat to global cyber security.

In September 2021, the US Department of Justice indicted four Chinese nationals who were allegedly members of Silk Typhoon. The individuals were accused of being involved in the 2021 Microsoft Exchange Server attack.

The group is known to use a range of tools and techniques to conduct their attacks. Some of the tools that have been attributed to the group include:

  1. China Chopper: A web shell that allows attackers to remotely access and control a compromised system
  2. Mimikatz: A tool that can be used to extract passwords and other sensitive data from a compromised system
  3. Cobalt Strike: A legitimate penetration testing tool that can be used by attackers to evade detection and
    maintain persistent access to compromised systems
  4. Metasploit: An open-source penetration testing tool that can be used to exploit vulnerabilities in a target system
  5. PowerShell Empire: A post-exploitation framework that allows attackers to perform a range of malicious
    activities on compromised systems
  6. ProcDump: A command-line utility for Windows. It is used to generate crash dumps of application and processes
    when they crash or encounter unexpected behaviour
  7. Nishang: This tool is designed to facilitate the development of offensive PowerShell scripts and aids in
    penetration testing and red teaming activities
  8. Powercat: This tool is designed to facilitate network communication and data transfer over TCP and UDP
    protocols.

Targeted Sectors

Silk Typhoon primarily targets several US-based industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and non-governmental organisations (NGOs).

Threat Actor Motivations

The motives of Silk Typhoon can be evaluated by observing the strategies they apply within the context of their campaigns. The group is known for its interest in sensitive information gathering for espionage purposes on a state sponsored basis. The group’s motives also are focused on stealing sensitive information, such as intellectual property, trade secrets, and government and corporate data.

The Quorum Cyber Threat Intelligence team provides threat actor profiles so that you can better understand cybercriminals’ tactics, techniques, and procedures (TTPs).

Download your Silk Typhoon report to read more details today.