A Chinese state-sponsored hacking group known as Murky Panda is at the forefront of a new wave of sophisticated cyber espionage, targeting cloud providers and telecommunications networks in an escalating campaign, according to recent reports from cybersecurity researchers.
The group, also identified as Silk Typhoon, has pivoted its tactics, moving beyond traditional methods to exploit trusted relationships between organizations and their cloud service providers (CSPs). This new approach allows them to breach a single cloud environment and then move laterally to access the data of multiple downstream customers. Cybersecurity firm CrowdStrike noted that Murky Panda has a “significant” ability to weaponize zero-day and n-day vulnerabilities, often using internet-facing appliances as their initial point of entry.
In a recent case, researchers observed Murky Panda compromising a software-as-a-service (SaaS) provider by exploiting a zero-day vulnerability. From there, the hackers leveraged the provider’s privileged access to a downstream customer’s Entra ID tenant to create a backdoor account. This allowed them to access sensitive data, including emails and other confidential documents, demonstrating a high level of expertise in navigating complex cloud environments.
The targeting of telecommunications providers is another critical element of Murky Panda’s operations. The group, and others like it, have shown a deep understanding of telecom networks and their interconnections. By compromising these networks, they can collect network telemetry, subscriber information, and even access private communications, which aligns with intelligence-gathering objectives.
CrowdStrike’s research highlights that Murky Panda’s operations are characterized by a high degree of operational security, including the use of compromised small office/home office (SOHO) devices as exit nodes to hide their origin. This makes attribution and detection significantly more difficult for defenders. The group’s intelligence-driven motivations, coupled with their refined tactics, pose a significant and persistent threat to government, technology, and professional services entities in North America and their suppliers.
The findings underscore a broader trend of Chinese state-sponsored actors becoming increasingly adept at targeting the digital supply chain. As organizations continue to move their critical infrastructure and sensitive data to the cloud, these “trusted relationship” compromises will likely become a more common and concerning vector for cyber espionage.
