Murky Panda hackers leverage cloud trust vulnerabilities to compromise downstream customers.

Murky Panda, also known as Silk Typhoon and Hafnium, is a Chinese state-sponsored hacking group that exploits trusted relationships within cloud environments to gain initial access to the networks and data of downstream customers. This group primarily targets government, technology, academic, legal, and professional services organisations in North America. Murky Panda has been linked to various cyberespionage campaigns, including the significant Microsoft Exchange breaches in 2021 that leveraged the ProxyLogon vulnerability. More recent attacks have included operations against the U.S. Treasury’s Office of Foreign Assets Control and the Committee on Foreign Investment. In March, Microsoft reported that Silk Typhoon had begun focusing on remote management tools and cloud services in supply chain attacks to infiltrate downstream customer networks.

The group typically gains initial access to corporate networks by exploiting internet-exposed devices and services, such as the CVE-2023-3519 flaw in Citrix NetScaler devices, ProxyLogon in Microsoft Exchange, and CVE-2025-0282 in Ivanti Pulse Connect VPN. A recent report by CrowdStrike reveals that Murky Panda also compromises cloud service providers to exploit the inherent trust these companies have with their customers. By gaining built-in administrative access to customer environments, attackers can pivot directly into downstream networks and data. In one instance, they exploited zero-day vulnerabilities to infiltrate a SaaS provider’s cloud environment, accessing the provider’s application registration secret in Entra ID. This access allowed them to authenticate as a service and log into downstream customer environments, where they could read emails and steal sensitive data. Additionally, by compromising a Microsoft cloud solution provider with Delegated Administrative Privileges, the attackers gained Global Administrator rights across all downstream tenants, creating backdoor accounts and escalating privileges for persistent access. CrowdStrike notes that breaches via trusted relationships are rare and less monitored than more common vectors like credential theft, enabling Murky Panda to blend in with legitimate traffic and maintain stealthy access. The group also employs various tools and custom malware, including the Neo-reGeorg open-source web shell and the China Chopper web shell, both associated with Chinese espionage activities.
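The two trust-abuse paths described above leave a recognisable trail on the defender's side: a credential is added to an application registration, and shortly afterwards that service principal (or a partner-tenant administrator) signs in from a source it has never used, sometimes carrying a Global Administrator role across a tenant boundary. The script below is an added example, not code from the article or from CrowdStrike, that correlates those two signals over a handful of constructed log records. The records use a simplified, assumed field layout loosely modelled on Entra ID audit and sign-in logs; the field names, the approved-actor list and the baseline IP ranges are all assumptions, not Microsoft's schema.

```python
"""Correlate an unapproved app-credential addition with subsequent anomalous
service-principal sign-ins (added example; assumed, simplified log layout)."""
import ipaddress
from datetime import datetime

# --- Constructed sample data (field names are assumptions, not a real schema) ---

AUDIT_LOG = [
    # routine secret rotation by a known operator
    {"time": "2025-06-01T09:00:00Z",
     "activity": "Update application - Certificates and secrets management",
     "target": "Partner-Sync-App", "actor": "ops-admin@provider.example"},
    # an actor outside the approved set adds a credential at 02:14
    {"time": "2025-06-03T02:14:00Z",
     "activity": "Update application - Certificates and secrets management",
     "target": "Partner-Sync-App", "actor": "svc-backup@provider.example"},
    {"time": "2025-06-03T10:00:00Z", "activity": "Update user",
     "target": "alice@customer.example", "actor": "ops-admin@provider.example"},
]

SP_SIGNINS = [
    # normal: known source range, no privileged role
    {"time": "2025-06-02T08:00:00Z", "app": "Partner-Sync-App", "ip": "203.0.113.10",
     "home_tenant": "provider-tenant", "resource_tenant": "customer-tenant", "roles": []},
    # new source range shortly after the credential was added
    {"time": "2025-06-03T02:30:00Z", "app": "Partner-Sync-App", "ip": "198.51.100.77",
     "home_tenant": "provider-tenant", "resource_tenant": "customer-tenant", "roles": []},
    # new source range AND Global Administrator across the tenant boundary
    {"time": "2025-06-03T03:00:00Z", "app": "Partner-Sync-App", "ip": "198.51.100.78",
     "home_tenant": "provider-tenant", "resource_tenant": "customer-tenant",
     "roles": ["Global Administrator"]},
]

# Assumed organisational baseline: who may touch app credentials, and where
# each app normally signs in from.
APPROVED_CREDENTIAL_ACTORS = {"ops-admin@provider.example"}
KNOWN_SOURCE_RANGES = {"Partner-Sync-App": [ipaddress.ip_network("203.0.113.0/24")]}


def find_credential_additions(audit_log, approved_actors):
    """Credential-management events performed by an actor outside the approved set."""
    hits = []
    for ev in audit_log:
        if "Certificates and secrets" not in ev["activity"]:
            continue
        if ev["actor"] not in approved_actors:
            hits.append({"time": ev["time"], "app": ev["target"], "actor": ev["actor"],
                         "reason": "credential added by unapproved actor"})
    return hits


def find_anomalous_signins(signins, known_ranges):
    """Sign-ins from outside the app's baseline ranges, or cross-tenant with Global Admin."""
    hits = []
    for s in signins:
        ip = ipaddress.ip_address(s["ip"])
        reasons = []
        if not any(ip in net for net in known_ranges.get(s["app"], [])):
            reasons.append("source IP outside baseline")
        if s["home_tenant"] != s["resource_tenant"] and "Global Administrator" in s["roles"]:
            reasons.append("cross-tenant sign-in with Global Administrator")
        if reasons:
            hits.append({"time": s["time"], "app": s["app"], "ip": s["ip"], "reasons": reasons})
    return hits


def correlate(cred_hits, signin_hits, window_hours=24):
    """Pair each unapproved credential addition with anomalous sign-ins of the same
    app that follow it within the window; one alert per credential event."""
    def parse(t):
        return datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ")

    alerts = []
    for c in cred_hits:
        t0 = parse(c["time"])
        follow = [s for s in signin_hits if s["app"] == c["app"]
                  and 0 <= (parse(s["time"]) - t0).total_seconds() <= window_hours * 3600]
        if follow:
            alerts.append({"app": c["app"], "credential_event": c, "signins": follow})
    return alerts


def run_detection(audit_log=AUDIT_LOG, signins=SP_SIGNINS):
    cred = find_credential_additions(audit_log, APPROVED_CREDENTIAL_ACTORS)
    sig = find_anomalous_signins(signins, KNOWN_SOURCE_RANGES)
    return correlate(cred, sig)


if __name__ == "__main__":
    for alert in run_detection():
        ev = alert["credential_event"]
        print(f"[ALERT] {alert['app']}: credential added by {ev['actor']} at {ev['time']}, "
              f"followed by {len(alert['signins'])} anomalous sign-in(s):")
        for s in alert["signins"]:
            print(f"    {s['time']} from {s['ip']}: {'; '.join(s['reasons'])}")
```

The point of the correlation step is the one CrowdStrike's observation implies: either signal alone is noisy (secrets get rotated, service principals move between egress ranges), but a credential added by someone outside the rotation process followed within hours by sign-ins from a new source, especially ones that carry a Global Administrator role into a customer tenant, is exactly the shape of the trusted-relationship abuse described above and is worth an analyst's time even though it never involves a stolen user password.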

Categories: Cybersecurity Threats, Cloud Exploitation, Cyberespionage Campaigns 

Tags: Murky Panda, Silk Typhoon, Cyberespionage, Cloud Services, Trusted Relationships, Vulnerabilities, Administrative Access, Supply Chain Attacks, Data Breaches, Malware 
