In early March 2025, the U.S. Department of Justice (DOJ) announced the indictment of 12 Chinese nationals, including government officials and cyber operatives, associated with the hacker-for-hire firm called i-Soon and the group known as Silk Typhoon (APT27).
The indictment revealed that these individuals were responsible for a decade-long cyber espionage campaign targeting over 100 organizations worldwide, including the U.S. Department of the Treasury, as well as entities in the healthcare, energy, and IT sectors. The hacking campaign involved supply chain attacks, where the group exploited zero-day vulnerabilities in widely used IT management and cloud services.
Despite the indictment, the individuals involved have not been found, and the U.S. government has issued a $12 million bounty for information leading to their capture. The breach of the U.S. Treasury Department, in particular, raised alarm over national security risks, as Silk Typhoon reportedly exfiltrated sensitive financial and economic data.
Silk Typhoon is a Chinese state-affiliated cyber espionage group known for targeting IT supply chains to infiltrate various sectors globally, including government, healthcare, and energy. Their tactics involve exploiting zero-day vulnerabilities in widely used IT management and cloud services, such as remote management tools and cloud applications, to gain initial access to target entities.
Historically, Silk Typhoon has exploited vulnerabilities in several platforms:
According to Microsoft, “This threat actor holds one of the largest targeting footprints among Chinese threat actors. Part of this is due to their opportunistic nature of acting on discoveries from vulnerability scanning operations, moving quickly to the exploitation phase once they discover a vulnerable public-facing device that they could exploit.”
As a state-sponsored cyber threat group linked to China, Silk Typhoon specializes in exploiting zero-day vulnerabilities in widely used network infrastructure. These vulnerabilities allow attackers to infiltrate healthcare systems, exfiltrate sensitive protected health information (PHI), and potentially install malware or ransomware, leading to system outages that delay patient care.
The healthcare sector is particularly vulnerable due to its reliance on interconnected systems, legacy software, and third-party service providers. A cyberattack by Silk Typhoon could cripple hospital operations, delay treatments, and result in regulatory penalties for HIPAA violations, adding financial strain to already stretched healthcare budgets.
Healthcare organizations are attractive to cybercriminals due to the valuable data they possess. They also rely on interconnected digital systems and IoT devices, and they often have underfunded IT departments and outdated security protocols.
The most common threats include data breaches, phishing, and ransomware. Other threats include insider threats, DDoS attacks, and medical device vulnerabilities.
Healthcare organizations can reduce this exposure by enhancing employee training, updating security policies and tools, and conducting regular risk assessments and audits.
The black-market value of health records is higher than credit card details due to the breadth of information they contain.