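Microsoft has accused Chinese state-backed hacker groups of exploiting vulnerabilities in the SharePoint document management software to launch a cyber attack targeting enterprises and government agencies worldwide. Pictured: Microsoft's office in New York, USA.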

Microsoft Accuses Chinese Hackers of Launching Cyber Attacks Using SharePoint Vulnerability

Published at Jul 23, 2025 10:36 am
US tech giant Microsoft has accused Chinese state-backed hacker groups of exploiting security vulnerabilities in the SharePoint document management software to launch a series of cyber attacks targeting enterprises and government agencies worldwide.
According to reports from Bloomberg and AFP, Microsoft published a blog post on Tuesday (July 22) stating that two hacker groups believed to be supported by the Chinese government—“Linen Typhoon” and “Violet Typhoon”—have used SharePoint system vulnerabilities for their attacks.
Microsoft revealed that the attacks mainly targeted SharePoint servers deployed and operated on customers' local networks, rather than Microsoft-managed cloud systems. Currently, thousands of enterprises and institutions worldwide use SharePoint for file storage and collaboration.
Microsoft also disclosed that another Chinese hacker group, “Storm-2603,” likewise exploited this vulnerability for attacks.
Microsoft warned that, as these vulnerabilities are being rapidly exploited for cyber attacks, the company is highly confident that these threat actors will continue to integrate these vulnerabilities into their attack methods. “We are still investigating whether other hacker groups are also exploiting these vulnerabilities.”
In response to the allegations, the Chinese Embassy in the US stated that China firmly opposes all forms of cyber attacks and cyber crime, and also opposes groundless accusations against other countries in the absence of solid evidence. “We hope that all parties concerned will approach cyber incidents with a professional and responsible attitude, basing their assertions on facts, rather than conjecture and accusations.”
Adam Meyers, Senior Vice President of cybersecurity firm CrowdStrike, pointed out that the wave of cyber attacks began as early as July 7. The early attacks resembled state-backed operations and later expanded to a broader group of attackers, with behavioral traits “looking like China.”
Eugenio Benincasa, an expert at ETH Zurich specializing in Chinese cyber attacks, also believes that, judging from the targets, tactics, and preliminary evidence, these actions highly match the characteristics of state-sponsored Chinese espionage activities.
According to informed sources, hackers exploited the vulnerability to infiltrate government systems in several European and Middle Eastern countries. In the US, the Department of Education, Florida’s tax authority, and the Rhode Island legislature were among the targets.
According to a cybersecurity company report, hackers also broke into a US healthcare provider’s system and launched attacks against a public university in Southeast Asia. The report notes that targeted SharePoint servers are located in Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, the United Kingdom, the United States, and other countries.
The sources added that login credentials stored in some systems—including usernames, passwords, hash codes, and tokens—have been stolen by the hackers.
Cybersecurity firm Eye Security noted that these vulnerabilities not only allow attackers to breach SharePoint servers but also to steal keys, enabling them to impersonate legitimate users or services to maintain access even after the vulnerabilities have been patched. Hackers may also plant backdoors or modify components to stay hidden even after system updates and reboots.
Eye Security has found that more than 100 servers have already been compromised, involving 60 victim organizations spanning energy companies, consulting firms, and multiple universities in countries including Saudi Arabia, Vietnam, Oman, and the United Arab Emirates.

Author

United Daily News Newsroom

