Murky Panda Hackers, a Chinese state-linked group, have escalated their espionage campaign by targeting cloud providers. Security researchers report that the attackers exploit cloud trust relationships to infiltrate downstream customer environments. This tactic grants them privileged access to sensitive data across multiple organizations.
How the Attacks Work
The group compromised SaaS providers by stealing the client secrets of application registrations in Microsoft Entra ID. With those secrets they could authenticate as the providers' service principals and sign in to customer tenants as a legitimate application. Through this method, Murky Panda Hackers accessed emails, files, and corporate applications without detection.
Another attack vector involved abusing the delegated administrative privileges that Microsoft cloud solution providers hold over their customers' tenants. With these privileges, the hackers created backdoor accounts, escalated access rights, and manipulated service principals. These actions allowed them to maintain long-term control across affected tenants.
Tools and Tactics Used
The group deploys a wide range of tools to maintain persistence. These include Neo-reGeorg and China Chopper web shells, as well as a custom Linux remote access trojan named CloudedHope. They also route malicious traffic through compromised small office devices to disguise activity.
Murky Panda Hackers actively erase logs and adjust timestamps to evade detection. Their methods make attribution and recovery efforts significantly more challenging for defenders.
Why This Campaign Matters
Trusted cloud relationships are rarely monitored as closely as user credentials. This gives attackers an ideal pathway to move laterally without raising alarms. CrowdStrike researchers note a sharp rise in such compromises this summer, marking an active surge in Murky Panda operations.
Organizations relying on cloud providers must recognize that the trust they extend can be weaponized against them. A single provider compromise can quickly cascade across multiple tenants, leading to widespread data exposure.
How Companies Can Respond
Defenders should implement several strategies to mitigate risks:
- Audit service principals and application credentials in Entra ID.
- Monitor all cloud administrative activity for unusual access.
- Enable detailed logging for Entra ID and Microsoft Graph.
- Enforce multi-factor authentication across all accounts.
- Patch SaaS platforms and access appliances promptly.
These measures can reduce the attack surface and limit the effectiveness of the group’s intrusion techniques.
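The first two recommendations above, auditing application credentials and watching service-principal activity, can be turned into a simple detection pass. The following is an added example, not code from the original article or from CrowdStrike; the app objects and sign-in records are constructed to resemble the shape Microsoft Graph returns, and the per-app IP baseline is an assumed allow-list that a defender would build from their own history.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like Microsoft Graph /applications output
# (only the fields the audit needs). Not real tenant data.
NOW = datetime(2025, 8, 25, tzinfo=timezone.utc)
APPS = [
    {"displayName": "billing-sync", "appId": "app-1",
     "passwordCredentials": [
         {"keyId": "k1", "startDateTime": "2024-01-10T00:00:00Z", "endDateTime": "2026-01-10T00:00:00Z"},
         {"keyId": "k2", "startDateTime": "2025-08-20T03:12:00Z", "endDateTime": "2027-08-20T03:12:00Z"}]},
    {"displayName": "hr-export", "appId": "app-2",
     "passwordCredentials": [
         {"keyId": "k3", "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2025-12-01T00:00:00Z"}]},
]
# Constructed sample shaped like the Entra servicePrincipalSignIns log.
SIGNINS = [
    {"appId": "app-1", "ipAddress": "203.0.113.10", "createdDateTime": "2025-08-24T09:00:00Z"},
    {"appId": "app-1", "ipAddress": "198.51.100.7", "createdDateTime": "2025-08-24T22:41:00Z"},
    {"appId": "app-2", "ipAddress": "203.0.113.11", "createdDateTime": "2025-08-24T10:00:00Z"},
]
# Assumed baseline: source IPs from which each provider app normally authenticates.
BASELINE = {"app-1": {"203.0.113.10"}, "app-2": {"203.0.113.11"}}


def _ts(s):
    """Parse a Graph-style UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def audit_app_credentials(apps, now=NOW, max_lifetime_days=365, recent_days=7):
    """Return (appId, keyId, reason) for secrets that outlive policy or were added very recently.
    A long-lived secret widens the window a stolen secret stays usable; a freshly added one
    on an existing app is worth confirming, since adding credentials is a common persistence step."""
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
            if end - start > timedelta(days=max_lifetime_days):
                findings.append((app["appId"], cred["keyId"], "lifetime exceeds policy"))
            if now - start <= timedelta(days=recent_days):
                findings.append((app["appId"], cred["keyId"], "secret added recently; confirm it was authorized"))
    return findings


def flag_sp_signins(signins, baseline=BASELINE):
    """Return service-principal sign-ins whose source IP is outside the app's known baseline."""
    return [s for s in signins if s["ipAddress"] not in baseline.get(s["appId"], set())]
```

In a real tenant the same logic runs over the output of the Graph `/applications` endpoint and the `servicePrincipalSignIns` log export, with the baseline derived from a few weeks of known-good history.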
Final Thoughts
Murky Panda Hackers highlight the growing risk of trust exploitation in cloud environments. By abusing provider privileges and administrative access, they gain stealthy, persistent entry into downstream customer systems. Organizations must improve monitoring, enforce MFA, and secure cloud credentials to counter this evolving threat.