Microsoft has confirmed that recent cyberattacks exploiting a vulnerability in its SharePoint server platform have been linked to hacking groups associated with the Chinese government. The announcement follows a series of breaches affecting various organisations, including academic, energy, and government institutions.
Chinese hacking groups identified
According to a blog post published by Microsoft on 23 July, the company has identified several Chinese nation-state actors exploiting zero-day vulnerabilities in on-premises SharePoint Server. Specifically, the groups Linen Typhoon and Violet Typhoon have been observed targeting internet-facing SharePoint servers. A third, China-based actor, tracked as Storm-2603, has also been observed exploiting the same flaws.
“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” the company stated. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.”
Dozens of organisations are affected
Cybersecurity firm Eye Security reported to technology site BleepingComputer that it has so far identified 54 affected organisations. Among them are a private university, a California-based private energy provider, and a federal government health agency. The Washington Post also cited unnamed sources involved in the SharePoint investigation who indicated that some attacks could be traced to IP addresses located within China.
The vulnerability being exploited allows unauthorised access to on-premises SharePoint servers. Once inside, attackers can extract sensitive information, harvest user credentials, and move laterally across connected systems. Because credential theft and lateral movement follow the initial intrusion, applying the patch closes the entry point but does not by itself evict an attacker who has already gained a foothold; organisations should also review servers for signs of compromise. The flaw was first detailed by researchers at Eye Security last week, raising concerns about the potential scale and impact of these attacks.
Patch released, but risks remain
Microsoft issued a patch on the morning of 23 July for SharePoint 2016 servers. With this release, all affected versions of SharePoint are now covered by official security updates. However, the company has warned that the threat remains high, particularly for systems that have not yet been updated.
In a security update, Microsoft stated it believes “with high confidence” that the exploit will continue to be used against unpatched servers. The company urged administrators and organisations to apply the necessary updates immediately to prevent further breaches.
The incident underscores the ongoing cyber threat posed by state-sponsored groups and highlights the importance of timely security patching, particularly for widely used enterprise platforms like SharePoint.