Silk Typhoon Supply Chain Attack: How Crap MSPs Sell You Out for £20 a Month

I Built an MSP; So Let Me Tell You Why This Matters

I’ve built an MSP function from the ground up. I know exactly what it takes to do it right. I know how much it costs to deliver proper service, with real security baked in. And here’s the cold truth: anyone claiming to manage your IT for £20 per user per month is either lying to you or selling you out; probably both.

This brings us to Silk Typhoon, the latest China-backed hacking outfit that’s decided to skip attacking businesses directly. Why bother when so many cheap and cheerful MSPs have wide-open doors and zero actual security? If you want to know who just opened the backdoor to your entire network, it’s probably your bargain-bin IT provider.

What is Silk Typhoon Doing?

Silk Typhoon isn’t guessing passwords or wasting time trying to crack your firewall directly. They’ve evolved past that. They’re going after the remote management tools used by MSPs; the same tools that give your IT provider full admin access to your network.

They breach the MSP, then use those trusted admin tools to waltz straight into every customer network that MSP manages. One hack, dozens of victims; efficient and terrifying.

Crap and Cheap Go Together Like Spam Emails and Dodgy Links

Here’s the reality; good security costs money. Full stop. If your MSP is charging you less than £60 per user per month for full management, including security and productivity licensing like M365 or Google Workspace, they’re cutting corners somewhere. And nine times out of ten, those corners involve:

❌ No meaningful security training for their staff
❌ No proper certification like Cyber Essentials Plus (CE+)
❌ No customer segmentation inside their own systems
❌ No 24/7 monitoring on their own tools
❌ No independent security audits (because those cost money)

What they do have is a great marketing pitch and a rock-bottom price — which is exactly how they lure in businesses who don’t know better.

The Supply Chain Domino Effect; When Your MSP Is the Weakest Link

Here’s how this disaster unfolds:

  1. Silk Typhoon breaches your MSP’s remote tools.

  2. Using those tools, they jump into every customer network that MSP manages.

  3. They steal data, plant backdoors, and exfiltrate anything useful — all while appearing like normal support traffic.

Your own security controls? They trust your MSP, so this attack slides straight through.
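The check that breaks that blind trust is to watch the MSP's admin sessions instead of waving them through. The example below is added here and is not from the original post; it runs a few detections over a constructed RMM audit log (an assumed "timestamp tenant account source_ip action" format) and flags the pattern described above: one technician account hopping across several customer tenants, off hours, from an address the MSP never documented.

```python
"""Flag suspicious MSP remote-management sessions in an RMM audit log.
Added example, not from the post. Log format, IP list and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: routine daytime work, then one account fanning out
# across four customer tenants at 2 a.m. from an unfamiliar address.
SAMPLE_LOG = """\
2025-03-10T10:02:11 acme-ltd msp-tech1 203.0.113.10 remote_session_start
2025-03-10T10:40:03 acme-ltd msp-tech1 203.0.113.10 patch_deploy
2025-03-11T02:13:45 acme-ltd msp-tech1 198.51.100.77 remote_session_start
2025-03-11T02:15:02 bolt-plc msp-tech1 198.51.100.77 remote_session_start
2025-03-11T02:16:30 cray-llp msp-tech1 198.51.100.77 script_run
2025-03-11T02:17:58 delta-co msp-tech1 198.51.100.77 remote_session_start
"""

KNOWN_MSP_IPS = {"203.0.113.10"}   # assumed: the MSP's documented egress addresses
BUSINESS_HOURS = range(8, 18)       # assumed agreed support window (local time)
TENANT_FANOUT_LIMIT = 3             # tenants per account per hour before alerting

def parse(log_text):
    """Split each log line into (datetime, tenant, account, ip, action)."""
    rows = []
    for line in log_text.splitlines():
        ts, tenant, account, ip, action = line.split()
        rows.append((datetime.fromisoformat(ts), tenant, account, ip, action))
    return rows

def find_alerts(log_text):
    """Return a sorted list of (reason, account, detail) tuples, deduplicated."""
    alerts = set()
    fanout = defaultdict(set)  # (account, hour bucket) -> tenants touched
    for ts, tenant, account, ip, action in parse(log_text):
        if ip not in KNOWN_MSP_IPS:
            alerts.add(("unknown_source_ip", account, ip))
        if ts.hour not in BUSINESS_HOURS and action == "remote_session_start":
            alerts.add(("off_hours_session", account, tenant))
        fanout[(account, ts.strftime("%Y-%m-%dT%H"))].add(tenant)
    for (account, hour), tenants in fanout.items():
        if len(tenants) >= TENANT_FANOUT_LIMIT:
            alerts.add(("tenant_fanout", account, hour))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

Run against the MSP's own RMM audit export (or the customer's copy of it, if the contract actually lets you have one) rather than the constructed sample.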

This Isn’t New; It’s Just Embarrassing Now

We’ve done this dance before:

  • SolarWinds — compromised updates infecting thousands.

  • Kaseya VSA — ransomware in the supply chain.

  • MOVEit — file transfer software turned into an attack vector.

Every time, the same shocked reaction; like supply chain attacks were some rare cosmic event instead of a standard playbook move for any competent threat actor.

CE+ Is the Bare Minimum for a Real MSP

Here’s the bit that matters most: if your MSP isn’t certified to Cyber Essentials Plus (CE+) at an absolute minimum, they are not fit to manage your IT. Full stop.

CE+ isn’t some fancy gold-standard; it’s the floor. It’s basic hygiene — the cybersecurity equivalent of washing your hands after using the loo. Any MSP not certified is essentially saying, “Trust us; but don’t ask too many questions.”

That’s not good enough in 2025. Not for your business, not for your customers, and certainly not for anyone handling sensitive data.

The Real WTF Moment; Businesses Don’t Ask Their MSPs Anything

When’s the last time you asked your MSP:

❓ Are you CE+ certified?
❓ How do you protect your own remote access tools?
❓ How do you monitor your own staff?
❓ What happens if you get hacked?
❓ Do you have segmentation between customers, or does everyone share the same infrastructure?

If you’ve never asked these questions, you’ve got no idea how much risk you’re carrying. Blind trust in your IT provider is the fastest way to end up in the next breach headline.

If It’s Less Than £60 Per User, Something’s Missing

Let’s be brutally honest; proper managed IT, with security baked in, cannot be done for £20 per user per month. Not if you expect:

✅ Cyber Essentials Plus certification
✅ Proper security monitoring
✅ Good quality productivity licensing (M365, Google Workspace)
✅ Competent, trained staff
✅ Real incident response capability
✅ Proactive updates and patching

When you pay peanuts, you don’t just get monkeys; you get unmonitored, insecure, cobbled-together rubbish that’s one Silk Typhoon away from selling you out.

What to Do Right Now (Because Hope Isn’t a Plan)

Step 1: Ask your MSP if they’re CE+ certified — and don’t take excuses if they’re not.
Step 2: Review your contract — do they even have to tell you if they get hacked?
Step 3: Run a third-party risk review — what tools does your MSP use to manage you, and how secure are they?
Step 4: Assume every supplier in your stack could be the next breach point — because they could.

This Isn’t MSP-Bashing — It’s Reality Check Time

The good MSPs, the ones who do this properly, already have CE+ (or better). They audit their own processes, they segment customers properly, and they monitor their own tools 24/7. They charge realistic prices because that’s what proper IT costs.

The cheap MSPs? They cut corners, cross fingers, and hope you never ask questions.

Ask the Awkward Questions Today

If your MSP can’t prove they’re CE+ certified, and they’re charging you less than £60 per user including licensing, then they’re not a bargain; they’re a risk.

Ask the questions now.
✅ Ask for certification proof.
✅ Ask for their audit history.
✅ Ask how they monitor themselves.
✅ Ask what happens if they get breached.

If they flinch, fumble, or give you waffle answers, you already know what you’re dealing with.

Sources:

  • ZeroFox Advisory – Silk Typhoon supply chain infiltration details

  • BleepingComputer – Technical breakdown of Silk Typhoon methods

  • CISA Advisory – Best practices for defending against supply chain threats

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com