Microsoft has issued a critical cybersecurity warning after discovering that Chinese state-linked hacking groups are exploiting vulnerabilities in its SharePoint software, targeting organizations around the globe.
In a detailed blog post, Microsoft identified three Chinese-linked hacking groups, Linen Typhoon, Violet Typhoon, and Storm-2603, that have exploited vulnerabilities in SharePoint, specifically targeting organizations that operate the platform on-premises rather than through Microsoft’s cloud services. According to Microsoft, these attacks are evidence of the “growing sophistication and global scale of cyber threats.” The company emphasized it has “high confidence” that the attackers will continue to incorporate these flaws into future campaigns.
The impact is far-reaching. Among the most sensitive targets was the U.S. National Nuclear Security Administration (NNSA), which oversees the country’s nuclear weapons program. Though sources say no classified information was compromised, the breach was confirmed. Other U.S. government departments, including the Department of Energy, Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly, were also reportedly infiltrated.
An Energy Department spokesperson said the exploitation began on July 18, but noted that systems running on Microsoft’s cloud infrastructure helped limit the damage, thanks to multi-layered security protocols.

Cybersecurity firm Eye Security disclosed that over 100 servers across 60 organizations had been compromised. These ranged from government agencies to energy firms, consulting companies, and academic institutions, and spanned continents including Europe, the Middle East, Southeast Asia, and North and South America.
Despite Microsoft issuing patches in July, the hackers found workarounds, allowing them to remain in breached systems even after updates and restarts. According to Vaisha Bernard, co-owner and chief hacker at Eye Security, “There were ways around the patches… That allowed these attacks to happen.” The attackers stole authentication credentials such as usernames, hashed passwords, tokens, and other sign-in keys, allowing them to impersonate users and potentially access systems for extended periods undetected.
A confidential report reviewed by Bloomberg revealed that among the victims were a U.S.-based healthcare provider and a public university in Southeast Asia. The hackers also attempted breaches in at least ten countries, including Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, the UK, and the U.S.

The situation adds to mounting criticism of Microsoft’s cybersecurity practices. A 2024 U.S. government report slammed the company for a “security culture in need of urgent reform.” In response, Microsoft has ramped up internal measures, conducting weekly high-level meetings and bringing in former government security officials to fortify its defenses.
China, however, has denied involvement. The Chinese Embassy in Washington issued a statement rejecting the accusations, stating:
“China firmly opposes all forms of cyberattacks and cybercrime. At the same time, we also firmly oppose smearing others without solid evidence… conclusions must be based on facts, not speculation.”
