The Chinese state-sponsored hacking group **Murky Panda (Silk Typhoon)** exploited trusted cloud relationships and zero-day vulnerabilities to breach the **U.S. Treasury’s Office of Foreign Assets Control (OFAC)**. By compromising a SaaS provider’s cloud environment, the attackers gained access to application registration secrets in **Entra ID (formerly Azure AD)**, which let them authenticate as a legitimate service and move into downstream networks. This enabled them to **read sensitive emails, steal confidential government data, and maintain persistent access** through backdoor accounts with escalated privileges.

The attack leveraged **supply chain vulnerabilities**, abusing the delegated administrative privileges (DAP) granted to cloud providers, which allowed Murky Panda to move laterally across multiple tenants. Their use of **custom malware (CloudedHope RAT), web shells (Neo-reGeorg, China Chopper), and compromised SOHO devices as proxies** ensured stealthy, long-term access while evading detection.

The breach posed a **severe risk to national security**, given OFAC’s role in enforcing economic sanctions and combating financial threats. The attackers’ **operational security (OPSEC) measures**, including log tampering and timestamp manipulation, further obscured forensic traces, amplifying the threat’s sophistication and impact.
TPRM report: https://www.rankiteo.com/company/us-treasury
"id": "us-526082425",
"linkid": "us-treasury",
"type": "Cyber Attack",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'financial regulation',
'location': 'United States',
'name': "U.S. Treasury's Office of Foreign Assets "
'Control (OFAC)',
'type': 'government agency'},
{'industry': 'national security',
'location': 'United States',
'name': 'Committee on Foreign Investment in the United '
'States (CFIUS)',
'type': 'government committee'},
{'customers_affected': 'downstream customers (number '
'unspecified)',
'industry': 'technology',
'name': 'Unnamed SaaS provider (compromised via '
'zero-day)',
'type': 'cloud service provider'},
{'customers_affected': 'multiple tenants (Global '
'Administrator access obtained)',
'industry': 'technology',
'name': 'Unnamed Microsoft Cloud Solution Provider '
'(CSP)',
'type': 'managed service provider'},
{'industry': ['public sector',
'technology',
'education',
'legal',
'professional services'],
'location': 'primarily North America',
'name': 'Government, technology, academic, legal, and '
'professional services organizations',
'type': ['government agencies', 'private sector']}],
'attack_vector': ['exploitation of trusted cloud relationships (SaaS '
'providers, Microsoft CSPs)',
'zero-day vulnerabilities (e.g., Citrix NetScaler '
'CVE-2023-3519, Ivanti Pulse Connect CVE-2025-0282)',
'ProxyLogon (Microsoft Exchange)',
'compromised SOHO devices as proxies',
'web shells (Neo-reGeorg, China Chopper)',
'custom Linux RAT (CloudedHope)'],
'customer_advisories': ['Organizations relying on cloud/SaaS providers '
'advised to review trust models and monitoring '
'practices.'],
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': 'high (government, legal, and '
'professional services data)',
'type_of_data_compromised': ['emails',
'sensitive organizational data',
'application data']},
'date_publicly_disclosed': '2024-03',
'description': 'A Chinese state-sponsored hacking group known as Murky Panda '
'(Silk Typhoon) exploits trusted relationships in cloud '
'environments to gain initial access to the networks and data '
'of downstream customers. The group targets government, '
'technology, academic, legal, and professional services '
'organizations in North America, leveraging zero-day '
'vulnerabilities, compromised cloud service providers, and '
'custom malware to maintain stealthy access for espionage '
'purposes.',
'impact': {'brand_reputation_impact': 'high risk for targeted organizations '
'(government, legal, professional '
'services)',
'data_compromised': ['emails',
'sensitive organizational data',
'application data'],
'operational_impact': 'long-term stealthy access for data '
'exfiltration, persistence via backdoor '
'accounts',
'systems_affected': ['cloud environments (Microsoft Entra ID, SaaS '
'providers)',
'downstream customer networks',
'compromised SOHO devices (used as proxies)',
'servers with deployed web shells '
'(Neo-reGeorg, China Chopper)']},
'initial_access_broker': {'backdoors_established': ['custom backdoor accounts '
'in customer Entra ID '
'environments',
'Neo-reGeorg/China '
'Chopper web shells',
'CloudedHope RAT'],
'entry_point': ['compromised cloud service '
'providers (SaaS, Microsoft CSPs)',
'zero-day vulnerabilities in cloud '
'environments',
'internet-exposed devices (Citrix '
'NetScaler, Ivanti VPN, Microsoft '
'Exchange)',
'compromised SOHO devices (as '
'proxies)'],
'high_value_targets': ['government agencies (e.g., '
'OFAC, CFIUS)',
'technology and legal firms',
'academic institutions',
'professional services with '
'sensitive data']},
'investigation_status': 'ongoing (per CrowdStrike and Microsoft reports)',
'lessons_learned': ['Trusted cloud relationships (e.g., SaaS providers, CSPs '
'with DAP) are high-value targets for APT groups.',
'Zero-day exploits in cloud environments enable stealthy '
'lateral movement to downstream customers.',
'Monitoring for unusual Entra ID service principal '
'activity is critical for detecting abuse of trusted '
'relationships.',
'Compromised SOHO devices can be repurposed as proxies to '
'evade geographic-based detection.',
'Custom malware (e.g., CloudedHope RAT) and open-source '
'tools (e.g., Neo-reGeorg) are used for persistence.'],
'motivation': 'cyberespionage (targeting government, technology, legal, and '
'professional services for sensitive data)',
'post_incident_analysis': {'corrective_actions': ['Implement stricter access '
'controls for cloud '
'provider accounts (e.g., '
'least privilege, MFA).',
'Enhance logging and '
'monitoring for Entra ID '
'and other identity '
'providers.',
'Conduct regular audits of '
'third-party cloud provider '
'access and permissions.',
'Deploy advanced threat '
'detection for '
'post-exploitation tools '
'(e.g., RATs, web shells).',
'Isolate SOHO devices from '
'corporate networks to '
'prevent proxy abuse.'],
'root_causes': ['Over-reliance on trusted cloud '
'relationships without sufficient '
'monitoring.',
'Lack of visibility into delegated '
'administrative privileges (DAP) '
'in cloud environments.',
'Delayed patching of zero-day '
'vulnerabilities in cloud-facing '
'infrastructure.',
'Insufficient detection for web '
'shells and custom malware in '
'compromised systems.']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Monitor Entra ID logs for anomalous service principal '
'sign-ins.',
'Enforce multi-factor authentication (MFA) for all cloud '
'provider accounts, especially those with administrative '
'privileges.',
'Promptly patch cloud-facing infrastructure, including '
'zero-day vulnerabilities.',
'Restrict delegated administrative privileges (DAP) and '
'review Admin Agent group memberships.',
'Segment cloud environments to limit lateral movement via '
'trusted relationships.',
'Deploy behavioral detection for web shells (e.g., '
'Neo-reGeorg, China Chopper) and custom malware.',
'Audit and rotate application registration secrets in '
'Entra ID.',
'Monitor for traffic originating from compromised SOHO '
'devices.'],
'references': [{'date_accessed': '2024-03',
'source': 'CrowdStrike Report on Murky Panda/Silk Typhoon'},
{'source': 'Microsoft Threat Intelligence (Silk Typhoon)'}],
'response': {'enhanced_monitoring': ['recommended: monitor Entra ID service '
'principal sign-ins, enforce MFA for '
'cloud accounts, patch cloud '
'infrastructure'],
'third_party_assistance': ['CrowdStrike '
'(investigation/reporting)']},
'threat_actor': ['Murky Panda', 'Silk Typhoon (Microsoft)', 'Hafnium'],
'title': 'Murky Panda (Silk Typhoon) Exploits Trusted Cloud Relationships for '
'Cyberespionage',
'type': ['cyberespionage', 'supply chain attack', 'cloud compromise'],
'vulnerability_exploited': ['CVE-2023-3519 (Citrix NetScaler)',
'ProxyLogon (Microsoft Exchange)',
'CVE-2025-0282 (Ivanti Pulse Connect VPN)',
'zero-day vulnerabilities in SaaS provider cloud '
'environments',
'Entra ID application registration secrets',
'Delegated Administrative Privileges (DAP) in '
'Microsoft cloud solutions']}