How ‘Murky Panda’ Hackers Breach Cloud Customers

Summary
– Murky Panda (also known as Silk Typhoon or Hafnium) is a Chinese state-sponsored hacking group targeting organizations in North America, including government, technology, and legal sectors.
– The group exploits trusted relationships in cloud environments, compromising service providers to gain access to downstream customers’ networks and data.
– They use various tools and techniques, such as web shells like Neo-reGeorg and China Chopper, and a custom Linux-based RAT called CloudedHope, to maintain persistence and evade detection.
– Murky Panda demonstrates strong operational security by modifying timestamps, deleting logs, and using compromised SOHO devices as proxy servers to blend in with legitimate traffic.
– CrowdStrike warns that the group poses a significant espionage threat and recommends monitoring Entra ID logs, enforcing multi-factor authentication, and patching cloud infrastructure to defend against their attacks.
A sophisticated Chinese state-sponsored hacking collective operating under names like Murky Panda and Silk Typhoon has been systematically exploiting trusted cloud service relationships to infiltrate the networks of downstream customers. This group, which Microsoft also refers to as Hafnium, has a well-documented history of targeting government bodies, technology firms, academic institutions, and legal or professional service organizations across North America.
The threat actors are known for high-profile cyberespionage campaigns, including the widespread 2021 Microsoft Exchange Server breaches that leveraged the ProxyLogon vulnerability. More recent operations have involved intrusions into systems belonging to the U.S. Treasury’s Office of Foreign Assets Control and the Committee on Foreign Investment.
Earlier this year, Microsoft disclosed that Silk Typhoon had shifted tactics to focus on remote management tools and cloud services as part of supply chain attacks. By compromising these services, the group gains a foothold in the networks of their ultimate targets, the customers relying on those cloud providers.
Murky Panda often gains initial access by targeting internet-exposed services and known vulnerabilities, such as flaws in Citrix NetScaler, Microsoft Exchange, or Ivanti Pulse Connect VPN. However, a recent CrowdStrike analysis reveals an increasingly concerning method: the group compromises cloud service providers themselves to abuse the inherent trust between these providers and their clients.
Because cloud providers are sometimes granted administrative access to customer systems, attackers who infiltrate a provider can pivot directly into client networks. In one instance, hackers used zero-day vulnerabilities to breach a SaaS provider’s cloud environment. They then stole an application registration secret from Entra ID, allowing them to authenticate as a trusted service and access customer accounts. This access was used to read private emails and exfiltrate sensitive data.
In another attack, the group compromised a Microsoft cloud solution provider that had delegated administrative privileges. By breaching an account in the Admin Agent group, the attackers obtained Global Administrator rights across all client tenants. They proceeded to create hidden backdoor accounts, escalate privileges, and maintain persistent access to email and application data.
While breaches through trusted relationships are less common than credential theft or phishing, they are often harder to detect. By blending in with legitimate administrative traffic, Murky Panda can operate stealthily for extended periods without raising alarms.
Beyond cloud-focused attacks, the group employs an array of tools and custom malware to maintain access and avoid detection. They frequently deploy open-source web shells like Neo-reGeorg and China Chopper, tools commonly associated with Chinese cyberespionage operations, to ensure persistence on compromised servers.
The attackers also use a custom Linux-based remote access trojan named CloudedHope, which provides full control over infected devices and supports lateral movement within networks. Strong operational security practices, such as tampering with timestamps and systematically deleting logs, further complicate forensic investigations.
To mask their origin, Murky Panda often routes malicious traffic through compromised small office or home office devices, making it appear as if attacks are originating from within the target country’s infrastructure. This technique helps evade geo-based security controls and detection mechanisms.
CrowdStrike emphasizes that Murky Panda represents a highly capable and persistent espionage threat with the skills to rapidly weaponize both unknown and known vulnerabilities. Their exploitation of trusted cloud models introduces serious risks for any organization using SaaS or cloud infrastructure.
To defend against these incursions, experts recommend monitoring for anomalous Entra ID service principal sign-ins, enforcing multi-factor authentication on all cloud provider accounts, maintaining vigilant log review practices, and applying security patches to cloud-facing infrastructure without delay.
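The first of those recommendations, monitoring service principal sign-ins for anomalies, can be approximated with a simple per-application baseline. The following is an added example, not code from the article or from CrowdStrike: the log records are constructed, the field names are a simplified subset modelled on Entra ID service principal sign-in logs, and the baseline cut-off date is an assumption. It flags a known app identity suddenly signing in from an unfamiliar address or reaching a resource (such as mail) it never touched before, and any app identity with no history at all.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed records (not real telemetry) using a simplified subset of the field
# names in Entra ID service principal sign-in logs. "vendor-sync" normally signs in
# from its provider's range to a reporting API; the last record uses it to read mail.
SAMPLE_LOGS = [
    {"createdDateTime": "2025-06-01T08:00:00Z", "appId": "app-1111", "servicePrincipalName": "vendor-sync",
     "ipAddress": "203.0.113.10", "resourceDisplayName": "Reporting API", "status": "success"},
    {"createdDateTime": "2025-06-03T08:00:00Z", "appId": "app-1111", "servicePrincipalName": "vendor-sync",
     "ipAddress": "203.0.113.11", "resourceDisplayName": "Reporting API", "status": "success"},
    {"createdDateTime": "2025-06-09T08:00:00Z", "appId": "app-1111", "servicePrincipalName": "vendor-sync",
     "ipAddress": "203.0.113.11", "resourceDisplayName": "Reporting API", "status": "success"},
    {"createdDateTime": "2025-06-10T02:13:00Z", "appId": "app-1111", "servicePrincipalName": "vendor-sync",
     "ipAddress": "198.51.100.77", "resourceDisplayName": "Office 365 Exchange Online", "status": "success"},
]
# Assumption: sign-ins before this date are trusted history and form the baseline.
CUTOFF = datetime(2025, 6, 8, tzinfo=timezone.utc)

def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # "Z" form works pre-3.11 too

def build_baseline(records, cutoff):
    """Per appId: source IPs and target resources seen in successful sign-ins before cutoff."""
    ips, resources = defaultdict(set), defaultdict(set)
    for r in records:
        if r["status"] == "success" and parse_time(r["createdDateTime"]) < cutoff:
            ips[r["appId"]].add(r["ipAddress"])
            resources[r["appId"]].add(r["resourceDisplayName"])
    return ips, resources

def detect_anomalies(records, cutoff=CUTOFF):
    """Return successful sign-ins after cutoff that deviate from their app's baseline."""
    ips, resources = build_baseline(records, cutoff)
    alerts = []
    for r in records:
        if r["status"] != "success" or parse_time(r["createdDateTime"]) < cutoff:
            continue
        reasons = []
        if r["appId"] not in ips:
            reasons.append("app not seen in baseline")  # e.g. a newly registered app identity
        else:
            if r["ipAddress"] not in ips[r["appId"]]:
                reasons.append("new source IP")
            if r["resourceDisplayName"] not in resources[r["appId"]]:
                reasons.append("new target resource")
        if reasons:
            alerts.append({"time": r["createdDateTime"], "app": r["servicePrincipalName"],
                           "ip": r["ipAddress"], "resource": r["resourceDisplayName"], "reasons": reasons})
    return alerts
```

In production the baseline would be learned from weeks of exported sign-in logs rather than an inline list, and a hit on a service principal belonging to a cloud provider is the cue to check whether that provider's own environment has been compromised.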
Organizations in government, technology, legal, and professional services, especially those in North America or working with sensitive data, are considered primary targets. As reliance on cloud environments grows, so does the potential impact of trusted-relationship compromises. Groups like Murky Panda continue to refine their methods, posing an ongoing global espionage challenge across multiple sectors.
(Source: Bleeping Computer)