China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says
The hacking unit responsible for the intrusions is known as Silk Typhoon, said the person, who was granted anonymity to be candid about non-public details surrounding the breach. On Thursday, the Cybersecurity and Infrastructure Security Agency and Commvault released a critical joint advisory about the hacking activity. The intrusion’s connection to Silk Typhoon has not been previously reported.
In the advisory, CISA said it believes “the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.”
In late February, Microsoft notified Commvault about unauthorized access into its systems from a “nation-state threat actor” that was spotted because Commvault’s “Metallic” data-protection product is hosted in Microsoft’s Azure cloud offering.
Silk Typhoon sits among a syndicate of Chinese government-backed hacking collectives tracked by Microsoft, whose threat intelligence arm uses a “Typhoon” moniker to label cyber activity affiliated with Beijing. The Typhoon units have made waves over the past year amid their broad intrusions into global telecommunications networks and a variety of U.S. critical infrastructure.
In March, after receiving new information about the penetrations, Commvault said it was in touch with the FBI, CISA and others.
“This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance,” Commvault said in a blog post at the time, which added that there has been “no unauthorized access to customer backup data that Commvault stores and protects.”
In late April, CISA also issued a warning to patch vulnerabilities in Commvault, Broadcom and Qualitia products that were being actively exploited, though it’s not immediately clear if those vulnerabilities are connected to Silk Typhoon activity.
“There are no new developments in this CISA alert since the advisory we posted on May 4,” a Commvault spokesperson said. “CISA is merely reporting on activity we published and alerted them to from then. As noted in prior advisories, we acted on information Microsoft provided to us, but we have not independently attributed the activity to a particular threat actor.”
CISA declined to comment. The FBI did not return a request for comment.
The breach could have major implications for companies and government agencies that store copies of their most important data in the cloud, putting emails, documents or sensitive customer information at risk.
Commvault’s client base includes major enterprise firms like Sony, 3M, Deloitte and AstraZeneca, according to a customer webpage. It also has a vast government services arm and achieved GovRAMP — formerly StateRAMP — authorization in April for meeting security verification requirements for U.S. federal business uses.
In March, Microsoft said it observed Silk Typhoon targeting “common IT solutions like remote management tools and cloud applications to gain initial access.” The group infiltrates customer networks using stolen credentials, then exploits tools like Microsoft services to carry out espionage operations.
Silk Typhoon was found to have infiltrated Treasury Department networks late last year and compromised some of the agency’s most sensitive systems, including its assets control office, as well as the Committee on Foreign Investment in the United States, which conducts national security reviews of foreign acquisitions.
In January, Shanghai-based hacker Yin Kecheng was sanctioned in connection to that Treasury intrusion, and is believed to be tied to China’s Ministry of State Security, deemed Beijing’s primary civilian intelligence service.
“Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments,” Microsoft said in its March blog, adding that it’s been tracking the hackers since 2020.
China has been widely deemed by experts as the top cyberespionage threat to the United States, with a history of targeting government agencies, defense contractors and major tech firms to steal sensitive data and intellectual property.
]]>