In the dynamic landscape of cyber security, state-sponsored hacking groups constantly evolve their tactics. Among them, Murky Panda (also known as Silk Typhoon and Hafnium) stands out for its sophisticated approach to exploiting trusted relationships within cloud environments. This group targets a wide array of critical sectors, leveraging supply chain vulnerabilities to gain deep access to sensitive data. Delve into their methods, understand the inherent risks to your organization, and discover proactive strategies to bolster your defenses against these advanced threat actors.
Understanding Murky Panda: A Persistent Threat Actor
Who is Murky Panda (Silk Typhoon)?
Murky Panda, also identified as Silk Typhoon by Microsoft and Hafnium, is a highly sophisticated Chinese state-sponsored hacking group. Their operational focus primarily targets government, technology, academic, legal, and professional services organizations across North America. This group has been implicated in numerous high-profile cyberespionage campaigns, demonstrating an advanced capability for exploiting critical vulnerabilities. Notably, they were linked to the widespread Microsoft Exchange breaches in 2021, which leveraged the infamous ProxyLogon vulnerability, and more recently, attacks on sensitive U.S. government entities like the Treasury’s Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment.
Initial Access Vectors: Beyond the Obvious
Traditionally, Murky Panda has gained initial access to corporate networks by exploiting internet-exposed devices and services. This includes known flaws such as CVE-2023-3519 in Citrix NetScaler devices and CVE-2025-0282 in Ivanti Pulse Connect VPN, alongside the aforementioned ProxyLogon in Microsoft Exchange. However, their tactics have evolved. Microsoft recently reported that Silk Typhoon has shifted towards targeting remote management tools and cloud services, initiating supply chain attacks to penetrate the networks of downstream customers. This represents a significant escalation, exploiting the inherent trust within digital ecosystems.
The Evolving Threat: Exploiting Trusted Cloud Relationships
A recent report by CrowdStrike has illuminated a particularly concerning tactic employed by Murky Panda: compromising cloud service providers to abuse the trust they share with their customers. Cloud providers often possess built-in administrative access to customer environments. By compromising a provider, attackers can pivot directly into these downstream networks and data, effectively bypassing many conventional security measures.
Abusing SaaS Provider Trust
In one documented instance, Murky Panda exploited zero-day vulnerabilities to breach a Software-as-a-Service (SaaS) provider’s cloud environment. Once inside, they gained access to the provider’s application registration secret within Entra ID (formerly Azure Active Directory). This critical secret allowed them to authenticate as a legitimate service, granting them unfettered access to downstream customer environments. With this elevated access, they were able to read sensitive customer emails and exfiltrate confidential data, demonstrating the profound impact of such a compromise.
Compromising Cloud Solution Providers
Another alarming scenario involved Murky Panda compromising a Microsoft Cloud Solution Provider (CSP) that held delegated administrative privileges (DAP). By successfully compromising an account within the Admin Agent group, the attackers were able to acquire Global Administrator rights across all associated downstream tenants. They then proceeded to create backdoor accounts in customer environments and escalate privileges, ensuring persistent access and the ability to access email and application data for an extended period. CrowdStrike emphasizes that while breaches via trusted relationships are rare, they are less frequently monitored than more common vectors like credential theft. This allows Murky Panda to blend seamlessly with legitimate traffic and activity, maintaining stealthy access for prolonged durations.
Advanced Tactics and Operational Security
Tools of the Trade: Web Shells and Custom Malware
Beyond their sophisticated initial access methods, Murky Panda employs a diverse arsenal of tools and custom malware to maintain access and evade detection. They frequently deploy the Neo-reGeorg open-source web shell and the China Chopper web shell, both widely recognized tools associated with Chinese espionage actors, to establish persistence on compromised servers. Furthermore, the group possesses a custom Linux-based Remote Access Trojan (RAT) known as CloudedHope. This potent malware enables them to take full control of infected devices and facilitate further lateral movement within compromised networks.
Stealth and Evasion Techniques
Murky Panda exhibits strong operational security (OPSEC), meticulously modifying timestamps and deleting logs to hinder forensic analysis and obscure their tracks. This attention to detail makes attribution and incident response significantly more challenging. The group is also known for using compromised small office/home office (SOHO) devices as proxy servers. This tactic allows them to launch attacks as if originating from within a targeted country’s infrastructure, enabling their malicious traffic to blend in with normal network activity and evade detection by traditional security solutions.
Defending Against Sophisticated Cloud Attacks
CrowdStrike unequivocally warns that Murky Panda/Silk Typhoon represents a sophisticated adversary, possessing advanced skills and the capacity to rapidly weaponize both zero-day and n-day vulnerabilities. Their exploitation of trusted cloud relationships poses a significant, often underestimated, risk to organizations heavily reliant on SaaS and other cloud providers.
Proactive Measures for Robust Cloud Security
To effectively defend against Murky Panda’s evolving attack methodologies, organizations must adopt a proactive and multi-layered approach to cloud security:
- Monitor Entra ID Activity: Vigilantly monitor for unusual Entra ID service principal sign-ins and other anomalous activities within your identity fabric.
- Enforce Multi-Factor Authentication (MFA): Mandate and strictly enforce MFA for all cloud provider accounts, especially those with delegated administrative privileges. This is a foundational control against credential theft.
- Monitor Cloud Logs: Regularly review and analyze Entra ID logs and other cloud service logs for suspicious behavior, privilege escalations, and unauthorized changes.
- Prompt Patch Management: Ensure all cloud-facing infrastructure and applications are promptly patched to mitigate known vulnerabilities.
- Implement Zero Trust: A unique tip for enhanced defense is to fully embrace a “Zero Trust” security model, particularly for third-party access to your cloud environment. This involves continuously verifying identities, devices, and privileges, even for trusted partners, rather than assuming trust. This minimizes the blast radius if a provider’s system is compromised.
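As an added illustration of the first, third and fifth points above (it is not code from the original article or from CrowdStrike's reporting), the following Python script runs three detections over constructed Entra ID-style records: a service principal signing in from an IP outside its own baseline (or a principal never seen before), a credential change on an application registration (the path abused in the SaaS case described earlier), and an assignment of a highly privileged directory role such as Global Administrator (the CSP/DAP case). The field names (servicePrincipalName, appId, ipAddress, activityDisplayName, initiatedBy) are loosely modelled on Entra ID sign-in and audit log entries but are assumptions for this example, as are all sample values, the cutoff date and the privileged-role list.

```python
import json
from collections import defaultdict

# Records before CUTOFF form the baseline; records at or after it are evaluated.
CUTOFF = "2025-08-20T00:00:00Z"

# Constructed sample records (not real telemetry). Field names loosely follow the
# Entra ID sign-in / audit log shape but are assumptions made for this example.
SIGNIN_LOGS = json.loads("""[
 {"time": "2025-08-01T09:00:00Z", "servicePrincipalName": "saas-mailer",  "appId": "app-0001", "ipAddress": "203.0.113.10"},
 {"time": "2025-08-05T09:00:00Z", "servicePrincipalName": "saas-mailer",  "appId": "app-0001", "ipAddress": "203.0.113.10"},
 {"time": "2025-08-02T01:00:00Z", "servicePrincipalName": "backup-agent", "appId": "app-0002", "ipAddress": "203.0.113.20"},
 {"time": "2025-08-21T02:13:00Z", "servicePrincipalName": "saas-mailer",  "appId": "app-0001", "ipAddress": "198.51.100.77"},
 {"time": "2025-08-22T01:00:00Z", "servicePrincipalName": "backup-agent", "appId": "app-0002", "ipAddress": "203.0.113.20"},
 {"time": "2025-08-22T03:40:00Z", "servicePrincipalName": "sync-helper",  "appId": "app-0099", "ipAddress": "192.0.2.5"}
]""")

AUDIT_LOGS = json.loads("""[
 {"time": "2025-08-20T23:50:00Z", "activityDisplayName": "Update application - Certificates and secrets management",
  "initiatedBy": "svc-admin@provider.example", "target": "saas-mailer"},
 {"time": "2025-08-21T04:05:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": "adminagent@provider.example", "target": "helpdesk-backup@customer.example", "role": "Global Administrator"},
 {"time": "2025-08-21T05:00:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": "itops@customer.example", "target": "analyst@customer.example", "role": "Reports Reader"},
 {"time": "2025-08-21T06:00:00Z", "activityDisplayName": "Update user",
  "initiatedBy": "itops@customer.example", "target": "analyst@customer.example"}
]""")

# Roles treated as highly privileged for this example (assumption; tune to your tenant).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Application Administrator"}


def baseline_ips(signins, cutoff):
    """Map each service principal (by appId) to the source IPs seen before the cutoff."""
    seen = defaultdict(set)
    for rec in signins:
        if rec["time"] < cutoff:  # ISO-8601 UTC strings of equal format compare lexicographically
            seen[rec["appId"]].add(rec["ipAddress"])
    return seen


def detect_new_ip_signins(signins, cutoff):
    """Flag post-cutoff service principal sign-ins from an IP outside that principal's baseline.
    A principal with no baseline at all (first sign-in ever) is flagged as well."""
    baseline = baseline_ips(signins, cutoff)
    findings = []
    for rec in signins:
        if rec["time"] < cutoff:
            continue
        known = baseline.get(rec["appId"], set())
        if rec["ipAddress"] not in known:
            reason = "first sign-in for this principal" if not known else "source IP outside baseline"
            findings.append({"type": "sp_signin_anomaly", "principal": rec["servicePrincipalName"],
                             "ip": rec["ipAddress"], "time": rec["time"], "reason": reason})
    return findings


def detect_app_credential_changes(audits):
    """Flag any secret/certificate change on an application registration."""
    return [{"type": "app_credential_change", "app": rec["target"],
             "actor": rec["initiatedBy"], "time": rec["time"]}
            for rec in audits
            if "certificates and secrets" in rec["activityDisplayName"].lower()]


def detect_privileged_role_grants(audits, privileged_roles=PRIVILEGED_ROLES):
    """Flag role assignments that grant one of the privileged directory roles."""
    return [{"type": "privileged_role_grant", "role": rec["role"], "grantee": rec["target"],
             "actor": rec["initiatedBy"], "time": rec["time"]}
            for rec in audits
            if rec["activityDisplayName"] == "Add member to role" and rec.get("role") in privileged_roles]


def run_detections(signins=SIGNIN_LOGS, audits=AUDIT_LOGS, cutoff=CUTOFF):
    """Run all three detections and return the findings ordered by time."""
    findings = (detect_new_ip_signins(signins, cutoff)
                + detect_app_credential_changes(audits)
                + detect_privileged_role_grants(audits))
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for finding in run_detections():
        print(json.dumps(finding))
```

On the constructed data the script produces four findings: the secret added to the saas-mailer registration, the saas-mailer sign-in from an IP never seen for that principal, the Global Administrator grant to a newly created account, and a first-ever sign-in by an unknown principal. In a real deployment the baseline would be built from a longer history of exported sign-in logs rather than a fixed cutoff, and the findings would be forwarded to the SIEM for correlation with endpoint and mailbox telemetry.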
CrowdStrike concludes, “MURKY PANDA poses a significant threat to government, technology, legal, and professional services entities in North America and to their suppliers with access to sensitive information.” Organizations deeply integrated with cloud environments are inherently vulnerable to these trusted-relationship compromises. China-nexus adversaries like MURKY PANDA will continue to leverage sophisticated tradecraft to facilitate their espionage operations across global sectors.
FAQ
Question 1: What makes trusted cloud relationships a prime target for groups like Murky Panda?
Answer 1: Trusted cloud relationships, where providers have legitimate administrative or deep access to customer environments, are attractive targets because they offer a stealthy pathway to bypass traditional perimeter defenses. By compromising a cloud provider or SaaS vendor, threat actors inherit this trust. This allows them to operate with elevated privileges, blend their activities with legitimate traffic, and remain undetected for longer periods, often with access to highly sensitive data that would otherwise be difficult to reach.
Question 2: Beyond patching and MFA, what advanced monitoring practices are crucial for detecting cloud-based supply chain attacks?
Answer 2: For sophisticated cloud attacks, advanced monitoring should involve deep scrutiny of Entra ID logs for unusual service principal sign-ins, anomalous privilege escalations, and unauthorized changes to application registrations. Implementing robust Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) solutions is vital to correlate activities across cloud services, endpoints, and identity platforms. Focus on deviations from baseline behavior, particularly concerning third-party or delegated administrative accounts, and leverage threat intelligence to identify indicators of compromise (IoCs) associated with groups like Murky Panda.
Question 3: How does Multi-Factor Authentication (MFA) specifically help against these sophisticated cloud attacks, even if a provider is compromised?
Answer 3: While Murky Panda’s tactics include zero-day exploits and abusing trusted relationships, MFA remains a critical foundational defense layer. It significantly mitigates the risk of initial access via stolen credentials, which is a common fallback for threat actors. Even if an attacker compromises a service provider’s system, enforcing MFA on all human administrator and user accounts (especially those with delegated access to your environment) makes it much harder for them to use stolen passwords to log in directly or escalate privileges. MFA adds a necessary friction point, requiring a second verification factor that the attacker is unlikely to possess.