A highly sophisticated China-linked hacking group, known as Murky Panda, is exploiting the inherent trust within cloud environments to execute supply chain attacks and breach downstream customers. This new tactic bypasses conventional security measures, allowing the group to move laterally from a compromised cloud provider to its clients.
In a recent report by cybersecurity firm CrowdStrike, Murky Panda’s shift in strategy was detailed. Instead of directly targeting their ultimate victims, the group first compromises a cloud service provider (CSP) or a software-as-a-service (SaaS) provider. By exploiting zero-day and other vulnerabilities in these upstream providers, they gain a foothold in an environment with high-level access to a multitude of clients. This approach leverages the trusted relationships that are fundamental to the cloud ecosystem.
Once inside, the hackers use their access to pivot into the environments of the provider’s downstream customers. In one case, the group compromised a Microsoft cloud solution provider with delegated administrative privileges (DAP), which granted them Global Administrator rights over their customers’ tenants. Using this elevated access, they created a backdoor user and escalated privileges to maintain persistent, undetected access. In another instance, they breached a SaaS provider, stole a critical application secret from Entra ID, and used it to impersonate the service and access their customers’ emails.
This method of attack is particularly alarming because it is a rare and often under-monitored attack vector. While many organizations are focused on defending against more common threats like phishing or exploiting internet-facing applications, the abuse of trusted cloud relationships remains a blind spot. Murky Panda’s operations, which are believed to be for intelligence gathering, demonstrate a high level of expertise in navigating complex cloud infrastructures and identity management platforms.
The group also employs advanced operational security (OPSEC), including deleting logs and using compromised home office devices as exit nodes to conceal their activities and make attribution difficult. This high level of sophistication allows them to remain undetected for long periods, potentially enabling extensive data exfiltration and cyberespionage.
The discovery of these tactics highlights a critical vulnerability in the modern interconnected digital landscape. Organizations, especially those in government, technology, and professional services, must now reconsider their security posture to include the risks posed by their trusted cloud providers. The security of a company is only as strong as the security of its supply chain, and in the cloud era, this extends to every vendor with administrative access to a network. To combat this evolving threat, experts recommend that businesses enforce multi-factor authentication, monitor for unusual service principal activity in their cloud environments, and work closely with their providers to ensure shared security responsibilities are being met.
