Category: Cyber Incidents

  • Silk Typhoon: The APT That Weaponised Trust – A Deep Dive into China’s Premier Supply Chain Attack Group

    In the pantheon of nation-state cyber threats, few groups have demonstrated the systematic evolution of attack methods as thoroughly as Silk Typhoon. From their explosive debut with the 2021 Microsoft Exchange zero-day campaign that compromised over 60,000 organisations globally, to their recent infiltration of the US Treasury Department, this Chinese state-sponsored Advanced Persistent Threat (APT) group has consistently redefined the boundaries of supply chain warfare.

    Silk Typhoon, tracked as Hafnium, APT27, and Murky Panda by different threat intelligence communities, is distinguished not merely by its technical sophistication but by its strategic patience and its architectural understanding of modern digital trust relationships. Unlike opportunistic cybercriminal groups, or even other nation-state actors who focus on individual high-value targets, Silk Typhoon has mastered the art of leveraging trust infrastructure to achieve scalable, persistent access across entire sectors simultaneously.

    To understand why this group represents the future of nation-state cyber operations, we must examine their evolution from opportunistic vulnerability exploitation to systematic compromise of trust infrastructure — and why their methodology poses an existential challenge to the foundational assumptions of enterprise cybersecurity.

  • The Trusted Path to Breach: How China’s APT Turned Cybersecurity Infrastructure Against the US Treasury

    In our ongoing examination of supply chain compromises—from the Shai-Hulud worm’s ecosystem-wide assault on npm to the systematic exploitation of GitHub Personal Access Tokens—we’ve consistently observed how attackers weaponise the trust relationships that underpin modern digital infrastructure. On December 30, 2024, this pattern reached a new zenith when the US Treasury Department disclosed that Chinese state-sponsored actors had compromised its systems through BeyondTrust, a cybersecurity vendor specifically tasked with protecting privileged access.

    This breach represents more than another supply chain compromise – it exemplifies the sophisticated evolution of Advanced Persistent Threat (APT) operations where security infrastructure itself becomes the attack vector. The incident, attributed to the Chinese APT group known as Silk Typhoon, demonstrates how threat actors have moved beyond breaking through security perimeters to systematically exploiting the very tools designed to enforce them.

  • Shai-Hulud Weaponisation of npm’s Trust Model

    In our ongoing analysis of supply chain compromises, we’ve examined how attackers exploit the fundamental trust relationships that power modern software development. From dependency confusion attacks to compromised build systems, threat actors have consistently demonstrated that the most devastating breaches don’t break through defences—they walk through open doors marked “trusted.”

    On September 23, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert that crystallises this threat: a self-replicating worm named “Shai-Hulud” has compromised over 500 packages in the npm ecosystem, the world’s largest JavaScript registry. This isn’t merely another supply chain attack; it’s a systematic exploitation of the trust architecture that underpins modern web development.

    The significance of this compromise extends far beyond its immediate impact. Shai-Hulud represents an evolution in supply chain attacks—from opportunistic package poisoning to automated, self-propagating ecosystem compromise. To understand why this attack succeeded so spectacularly, and how to defend against its successors, we must examine how it weaponised the very mechanisms designed to make software development seamless.

  • The Silent Breach: Why Stolen Tokens Are More Dangerous Than Stolen Passwords

    In our previous briefings, we dissected UNC6040’s vishing campaign and UNC6395’s supply chain compromise. The common thread weaving through these devastating breaches wasn’t a software zero-day or a brute-forced password; it was the abuse of a legitimate, fundamental component of the modern cloud: the OAuth token.

    This isn’t a problem limited to a few threat actors. Throughout 2024 and 2025, a wave of attacks has exploited the core logic of OAuth, allowing adversaries to bypass MFA and breach major corporations like Google, Allianz Life, and Louis Vuitton by tricking users into authorising malicious applications. The attackers don’t need to break in when they can be invited in through a legitimate, token-based handshake.

    This is the threat of the OAuth Replay Attack. It’s an attack on the very architecture of trust that connects our cloud applications. To defend against it, you must understand that the target isn’t just your password; it’s the digital key that the password unlocks.

  • One Breach, Many Victims: How the UNC6395 Attack Exposed the SaaS Supply Chain

    In the modern enterprise, third-party apps are the engines of productivity. We integrate them into our core platforms, such as Salesforce, granting them trusted access to our data to streamline workflows. But what happens when the keys to one of those trusted partners fall into the wrong hands?

    A threat actor tracked as UNC6395 recently provided a devastating answer. In a sophisticated supply chain attack that impacted over 700 organisations, the group compromised the Salesloft “Drift” integration, stealing its OAuth tokens. They then used these tokens to access the Salesforce environments of multiple downstream customers, exfiltrating data at scale. High-profile cybersecurity and tech companies, including Cloudflare, Zscaler, Palo Alto Networks, and SpyCloud, have all publicly confirmed being impacted by this widespread campaign.

    As Google’s Threat Intelligence Group first reported, this was not a breach of Salesforce itself. Instead, it was a masterful exploitation of the web of trust that underpins the entire SaaS ecosystem. One of the victims, Cloudflare, publicly detailed its response, confirming that the actor accessed its Salesforce “Case” objects between August 12-17, 2025, providing a rare public glimpse into the impact of such a compromise.

  • From Vishing to Breach: Deconstructing the Salesforce Social Engineering Campaign

    The phone rings. The caller ID might be blocked, or it might be cleverly spoofed to look internal. On the other end is a polite, knowledgeable, and helpful person claiming to be from your IT department. They need your help to install a critical “Data Loader” utility or a system update in Salesforce. They sound legitimate. They sound urgent.

    This is the opening move of a sophisticated attack by a threat group tracked as UNC6040. In this threat briefing, we’ll dissect how this group turns a simple phone call into a full-scale CRM data breach, not by hacking Salesforce, but by hacking the trust of your employees.

    This isn’t a vulnerability in the Salesforce platform itself; it’s a clever abuse of the legitimate, trusted pathways that make the modern cloud ecosystem work.
