Chinese state-backed hackers exploiting software flaws in attacks, says Microsoft
Vivian Wang
BEIJING – Microsoft has accused Chinese state-sponsored actors of exploiting vulnerabilities in one of its popular collaboration software products, SharePoint, which is used by US government agencies and many companies worldwide.
Microsoft said in a notice on its security blog on July 22 that it had identified at least two China-based groups linked to the Chinese government that it said had been taking advantage of security flaws in its SharePoint software. The attacks aim to gain a foothold inside the targets' computer systems.
These groups, called Linen Typhoon and Violet Typhoon, were ones that Microsoft said it had been tracking for years. They had been targeting organisations and personnel related to government, defence, human rights, higher education, media, and financial and health services in the United States, Europe and East Asia, it added.
Microsoft said another actor, which it called Storm-2603, was also involved in the hacking campaign. It said it had “medium confidence” that Storm-2603 was a “China-based threat actor”.
The US government’s Cybersecurity and Infrastructure Security Agency (Cisa) issued a notice that said it was aware of the hacking attack on SharePoint. It added that it had notified “critical infrastructure organisations” that were affected.
“While the scope and impact continue to be assessed”, the agency said, the vulnerabilities would enable “malicious actors to fully access SharePoint content, including file systems and internal configurations and execute code over the network”.
A Microsoft spokesperson wrote in an e-mail response that the company had been “coordinating closely” with Cisa, the Department of Defence’s Cyber Defence Command and “key cyber-security partners globally throughout our response”.
The Chinese Embassy in Washington did not immediately respond to a request for comment. China has routinely denied being behind cyber attacks and asserts that it is a victim of them.
Microsoft said in its blog post that investigations into other actors also using these exploits were still ongoing.
Eye Security, a cyber-security firm, said it had scanned more than 23,000 SharePoint servers worldwide and discovered more than 400 systems had been actively compromised.
The firm also noted that the breaches could allow hackers to steal the server's cryptographic keys, which would let them forge credentials and impersonate users or services even after the server was patched. A patch closes the hole through which the keys were taken but does not invalidate copies already stolen, so the firm said users would need to take further steps, such as rotating those keys, to protect their information.
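The point in the paragraph above is easy to state and easy to get wrong in practice, so here is a small illustration. It is an added example written for this page, not code from Microsoft, Eye Security or SharePoint: a toy server signs the data it hands to clients with an HMAC key (standing in for any signed state a real server trusts), an attacker copies the key through a bug, and the "patch" closes the bug without touching the key. The class and function names are hypothetical; the only thing the example demonstrates is that forged tokens keep verifying after the patch and stop verifying only after the key is rotated.

```python
"""Why a stolen signing key outlives the patch (added illustration, not the page's code).

The server signs state it hands to clients with an HMAC key. Patching the bug that
leaked the key stops further leaks, but any copy already taken still produces
signatures the server accepts until the key itself is rotated.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class TokenServer:
    """Toy server that issues and verifies HMAC-signed tokens.

    Stands in for any service that trusts data it signed earlier (a session
    cookie, a serialised page state). Names and layout are illustrative only.
    """

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.patched = False  # becomes True once the key-leaking bug is "fixed"

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def issue(self, user: str) -> bytes:
        """Legitimate path: server signs a payload for a client."""
        payload = user.encode()
        return payload + b"." + self._sign(payload).hex().encode()

    def verify(self, token: bytes) -> Optional[str]:
        """Returns the user named in the token if the signature is valid, else None."""
        payload, _, sig_hex = token.rpartition(b".")
        try:
            sig = bytes.fromhex(sig_hex.decode())
        except ValueError:
            return None
        if hmac.compare_digest(self._sign(payload), sig):
            return payload.decode()
        return None

    def leak_key(self) -> Optional[bytes]:
        """Models the vulnerability: the key can be read only while unpatched."""
        return None if self.patched else self.key

    def apply_patch(self) -> None:
        """Closes the leak. Deliberately does NOT touch the key."""
        self.patched = True

    def rotate_key(self) -> None:
        """The extra step the patch does not perform."""
        self.key = secrets.token_bytes(32)


def forge(stolen_key: bytes, user: str) -> bytes:
    """Attacker builds a token for any user using the copied key."""
    payload = user.encode()
    sig = hmac.new(stolen_key, payload, hashlib.sha256).digest()
    return payload + b"." + sig.hex().encode()


def run_scenario() -> Dict[str, object]:
    """Walks through leak -> patch -> forge -> rotate and records each outcome."""
    srv = TokenServer()
    results: Dict[str, object] = {}

    stolen = srv.leak_key()                       # attacker exploits the bug first
    results["leaked_before_patch"] = stolen is not None

    srv.apply_patch()
    results["leak_after_patch"] = srv.leak_key()  # None: the bug is closed

    # The patch changed nothing the attacker needs: forged tokens still verify.
    results["forged_after_patch"] = srv.verify(forge(stolen, "admin"))

    srv.rotate_key()
    # Only after rotation does the stolen key become useless.
    results["forged_after_rotation"] = srv.verify(forge(stolen, "admin"))
    results["legit_after_rotation"] = srv.verify(srv.issue("alice"))
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome!r}")
```

Running it shows `forged_after_patch` still resolving to `admin` and `forged_after_rotation` resolving to `None`, which is the whole argument for rotating keys, not just installing the update, after a server may have been compromised.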
Chinese hackers have shown growing sophistication in their ability to penetrate US government systems, leaving American officials increasingly alarmed. During a breach of the US telecommunications system in 2024, Chinese hackers were able to listen in on telephone conversations and read text messages, members of Congress said.
The hack was considered so severe that then President Joe Biden took it up directly with President Xi Jinping of China when they met in Peru in November.
In this latest breach, Microsoft said hackers had been using the software weaknesses to attempt, and in some cases gain, access to “target organisations” since as early as July 7. It issued security updates and urged users to install them immediately.
Microsoft disclosed the SharePoint vulnerabilities in July, but its first fix was only partial and was bypassed. On July 19 it said it was aware of active attacks exploiting those vulnerabilities.
Cyber-security firms had said that they believed Chinese actors were among those attackers, even before Microsoft said so on July 22.
SharePoint helps organisations create websites and manage documents. It integrates with other Microsoft services such as Office, Teams and Outlook.
Microsoft said the vulnerabilities affected only on-premises SharePoint servers, meaning those managed by organisations on their own computer networks, and not those operated on Microsoft’s cloud.
Palo Alto Networks, a cyber-security company, said in a post about the breach that on-premises servers “particularly within government, schools, healthcare (including hospitals) and large enterprise companies” were “at immediate risk”.
“A compromise in this situation doesn’t stay contained; it opens the door to the entire network,” the cyber-security company said. NYTIMES