In one such incident, Silk Typhoon used stolen API keys to access devices belonging to an organization’s downstream customers and tenants through an admin account. With the access the stolen API keys provided, the attackers reset the default admin account, created additional users, deployed web shells, and deleted log entries to cover their tracks.
The downstream victims were primarily state and local government entities, as well as organizations in the IT sector, and the information stolen from their systems related to US government policy and administration, law enforcement investigations, and other legal processes.
“Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments,” the researchers said.