Managed IT Houston Cybersecurity
Shane

Salt Typhoon’s Strategic Pivot: Targeting IT Vendors and Supply Chain

Changing Tides: Salt Typhoon’s Strategic Redirection to IT Supply Chain Attack


Microsoft Threat Intelligence recently released critical information about a significant shift in tactics by Salt Typhoon (also known as Silk Typhoon and APT27), a sophisticated Chinese state-sponsored threat actor. Since late 2024, this group has strategically pivoted to target IT service providers and management companies to gain broader access to downstream customers.

The Supply Chain Attack Strategy

According to Microsoft’s March 2025 security blog, Salt Typhoon has been actively abusing stolen API keys and credentials from privileged access management (PAM) solutions, cloud application providers, and data management companies. This approach allows the threat actors to infiltrate not just the initial victim’s environment but also their downstream customers’ networks, effectively multiplying their reach through trusted relationships.

Targeted Vendors and Timeline

Salt Typhoon has demonstrated a pattern of exploiting various IT infrastructure components over time:

Recent Targets (Late 2024 – Early 2025)
  • IT Management Companies – Targeting third-party IT services to enable follow-on attacks against their customers
  • Remote Monitoring and Management (RMM) Tools – Exploiting management platforms used by service providers
  • Privileged Access Management Solutions – Stealing API keys to gain elevated permissions
  • Identity Management Platforms – Compromising authentication systems
  • Ivanti Pulse Connect VPN – Exploited a zero-day vulnerability (CVE-2025-0282) in January 2025

Historical Targets
  • Palo Alto Networks Firewalls (March 2024) – Exploited CVE-2024-3400 in GlobalProtect Gateway
  • Citrix NetScaler ADC and NetScaler Gateway (Early 2024) – Exploited CVE-2023-3519
  • Microsoft Exchange Servers (January 2021) – Exploited multiple vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)

Impact and Techniques

The impact of Salt Typhoon’s supply chain attacks has been significant:

  1. Downstream Compromise – After initial compromise, the threat actor uses stolen credentials to infiltrate the victim’s customer networks
  2. Data Exfiltration – The group has particularly focused on stealing data related to:
    • US government policy and administration
    • Law enforcement investigations
    • Legal process documents
  3. Lateral Movement Techniques:
    • Dumping Active Directory credentials
    • Stealing passwords from key vaults
    • Targeting Microsoft Entra Connect (formerly AADConnect) servers that sync on-premises AD with cloud environments
    • Manipulating service principals/OAuth applications with administrative permissions
    • Abusing Microsoft Graph API and Exchange Web Services for email, OneDrive, and SharePoint data exfiltration
  4. Covert Operations:
    • Using compromised devices (Cyberoam appliances, Zyxel routers, QNAP devices) as proxies
    • Disguising malicious activities behind seemingly legitimate application names

Microsoft’s Guidance

Microsoft has provided comprehensive recommendations to detect and mitigate Salt Typhoon’s activities:

Critical Actions

  1. Patch Immediately:
    • Ensure all public-facing devices are patched
    • Run Ivanti’s Integrity Checker Tool for systems that might have been vulnerable to CVE-2025-0282
    • Terminate active sessions following patch cycles
  2. Protect Identity Infrastructure:
    • Audit privilege levels of all identities, users, and service principals
    • Review applications with sensitive permissions like EWS.AccessAsUser.All
    • Monitor for service principal sign-ins from unusual locations
    • Implement multifactor authentication (MFA) on all accounts
  3. Implement Zero Trust Principles:
    • Ensure VPN access is protected using modern authentication
    • Prevent on-premises service accounts from having direct rights to cloud resources
    • Configure “break glass” account protections
    • Enable risk-based user sign-in protection
  4. Enhanced Monitoring:
    • Inspect log activity related to Entra Connect servers
    • Analyze use of Microsoft Graph or eDiscovery
    • Monitor newly created users on vulnerable devices
    • Identify and scrutinize multi-tenant applications
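As an added illustration of two checks from the guidance above (reviewing applications that hold EWS.AccessAsUser.All, and watching for service principal sign-ins from unusual locations), and of the OAuth-application abuse described under Impact and Techniques, here is example Python that is not from the CinchOps post or from Microsoft's blog. The record layouts, field names and sample values are constructed assumptions and do not reflect the real Entra ID export schema.

```python
"""Added example (not from the CinchOps post or Microsoft's guidance):
two defender checks run over simplified, constructed records that mimic
Entra ID exports. Field names below are assumptions, not the Graph schema."""
from collections import defaultdict

# Permissions the post calls out as sensitive (EWS.AccessAsUser.All) plus a
# few high-impact scopes commonly reviewed alongside it (assumed list).
SENSITIVE_PERMISSIONS = {
    "EWS.AccessAsUser.All",
    "full_access_as_app",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
    "Directory.ReadWrite.All",
}

# Constructed service principal sign-in records (timestamp, SP id, country).
SP_SIGNINS = [
    {"ts": "2025-02-01T08:00:00Z", "sp": "backup-agent", "country": "US"},
    {"ts": "2025-02-02T08:00:00Z", "sp": "backup-agent", "country": "US"},
    {"ts": "2025-02-03T08:00:00Z", "sp": "rmm-connector", "country": "US"},
    {"ts": "2025-03-04T02:13:00Z", "sp": "backup-agent", "country": "XX"},
    {"ts": "2025-03-04T02:20:00Z", "sp": "rmm-connector", "country": "US"},
]

# Constructed OAuth app permission grants (app display name -> scopes).
APP_GRANTS = {
    "Mail Archiver": ["EWS.AccessAsUser.All", "User.Read"],
    "Team Dashboard": ["User.Read", "Calendars.Read"],
    "Document Sync": ["Files.ReadWrite.All"],
}


def unusual_sp_signins(signins):
    """Flag service principal sign-ins from a country never seen before for
    that SP. Records are processed in time order, so an SP's first sign-ins
    seed its baseline; a production version would age the baseline out."""
    known = defaultdict(set)  # sp -> set of countries seen so far
    flagged = []
    for rec in sorted(signins, key=lambda r: r["ts"]):
        sp, country = rec["sp"], rec["country"]
        if known[sp] and country not in known[sp]:
            flagged.append((sp, country, rec["ts"]))
        known[sp].add(country)
    return flagged


def sensitive_app_grants(grants, sensitive=SENSITIVE_PERMISSIONS):
    """Return apps holding any sensitive permission, with the offending
    scopes, so each grant can be reviewed for whether it is still needed."""
    return {app: sorted(set(scopes) & sensitive)
            for app, scopes in grants.items() if set(scopes) & sensitive}
```

Running both functions over the constructed data flags the backup-agent sign-in from country XX and the two apps holding mailbox- or file-wide permissions; in practice the inputs would be the tenant's sign-in and app-permission exports.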

How CinchOps Can Assist

CinchOps can help organizations protect against Salt Typhoon and similar threat actors through:

  1. Comprehensive Security Assessments:
    • Identify vulnerable systems in your environment
    • Audit privilege levels and permission assignments
    • Review multi-tenant application security
  2. Supply Chain Risk Management:
    • Evaluate third-party vendor security postures
    • Implement monitoring for API key and credential misuse
    • Develop incident response plans for supply chain attacks
  3. Proactive Threat Hunting:
    • Deploy Microsoft’s recommended hunting queries
    • Monitor for indicators of compromise from Salt Typhoon
    • Analyze authentication patterns to identify anomalies
  4. Security Posture Hardening:
    • Implement Microsoft’s recommended mitigations
    • Deploy conditional access policies
    • Enforce MFA and strengthen password controls

By working with CinchOps, your organization can build resilience against sophisticated supply chain attacks and minimize the risk of becoming either a direct victim or a downstream target of threat actors like Salt Typhoon.

Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
