Microsoft has revealed that Chinese “threat actors” have compromised several on-premises SharePoint servers used by businesses, exploiting security flaws in the software to steal sensitive data.
Details of the Attack and Actors Involved
The hacking groups identified include Linen Typhoon and Violet Typhoon, believed to be state-backed by China, as well as Storm-2603, a China-based actor. These groups targeted vulnerabilities in on-premises SharePoint servers—systems hosted and managed by organizations themselves; Microsoft’s cloud-based SharePoint services were not affected.
Microsoft has responded by releasing security updates and urged all customers using on-premises SharePoint servers to promptly install the patches to defend against ongoing threats.
China’s US embassy spokesperson Liu Pengyu denied involvement, stating, “China firmly opposes and combats all forms of cyber attacks and cybercrime,” while also condemning “smearing others without solid evidence.”
Microsoft expressed “high confidence” that threat actors will continue targeting systems that remain unpatched. The company is investigating additional actors exploiting similar vulnerabilities and has pledged to update its public communications as the probe continues.
Impact and Targets
Microsoft detailed that the attacks involved sending specific requests to SharePoint servers, enabling hackers to steal cryptographic key material. The UK’s National Cyber Security Centre confirmed that a limited number of UK-based SharePoint customers were affected.
Charles Carmakal, CTO of Mandiant Consulting (a Google Cloud division), reported awareness of multiple victims across sectors and geographies. He noted that governments and businesses using SharePoint on their premises were the main targets. The hackers exploited these vulnerabilities opportunistically before security patches became available.
Microsoft indicated that Linen Typhoon has operated for 13 years, primarily stealing intellectual property from organizations linked to government, defense, strategic planning, and human rights.
Violet Typhoon focuses on espionage targeting former government and military personnel, NGOs, think tanks, universities, media, financial services, and healthcare sectors across the US, Europe, and East Asia.
Storm-2603 is assessed with medium confidence as another China-based threat actor engaging in related activities.
Author’s Opinion
The persistent and sophisticated cyberattacks on critical infrastructure like SharePoint servers highlight an urgent need for organizations to prioritize cybersecurity and for governments to engage in stronger international dialogue. While tech companies can patch vulnerabilities, the human element—such as timely updates and vigilance—remains crucial. Attributing attacks without clear evidence, however, risks escalating geopolitical tensions without resolving the core issues.
Featured image credit: Dale Lane via Flickr