Microsoft has confirmed that state-backed Chinese hacking groups have exploited security flaws in its SharePoint document management software, targeting sensitive business data across multiple industries and countries.
In a recent disclosure, the US tech giant revealed that Chinese threat groups—identified as Linen Typhoon, Violet Typhoon, and Storm-2603—have exploited vulnerabilities in on-premises SharePoint servers. These are server setups typically used by private businesses and government bodies, rather than Microsoft’s more secure cloud-based platform.
Microsoft has released security patches and urged all users of on-premises SharePoint servers to install the updates immediately. “We have high confidence that these threat actors will continue to target unpatched systems,” the company warned in its official statement. Investigations into the activities of additional groups using the same exploit are still ongoing.
The attacks involve threat actors sending a crafted request to vulnerable SharePoint servers, which allows them to steal cryptographic key material and retain prolonged access to sensitive data. According to Microsoft, attackers used this method to bypass authentication and maintain access over extended periods.
Charles Carmakal, Chief Technology Officer at Mandiant, a cybersecurity division of Google Cloud, said that several victims have already been identified across a range of sectors and regions. “This was exploited in a very broad, opportunistic manner before patches were made available,” Carmakal told the BBC. He added that the attack resembles previous Chinese cyber campaigns, suggesting state coordination.
Linen Typhoon has reportedly been involved in espionage operations for over a decade, primarily targeting sectors related to government, defense, strategic planning, and human rights. Violet Typhoon, another group linked to Beijing, is believed to have focused on surveillance and intelligence-gathering from former military officials, NGOs, think tanks, academic institutions, and media outlets in the US, Europe, and East Asia.
Storm-2603, while not as extensively profiled, is assessed with “medium confidence” to be based in China and involved in similar activities.
Microsoft stated that its cybersecurity teams are actively monitoring developments and will continue to share updates on their investigation through official channels.
The incident underscores growing concerns about state-sponsored cyberattacks and highlights the critical need for businesses to promptly apply security updates to their systems.
