Microsoft is facing growing criticism after it confirmed that vulnerabilities in its SharePoint server software have been widely exploited by Chinese state-linked hackers, leading to breaches in hundreds of organisations worldwide, including key US government agencies.
The flaws, which affect only on-premises SharePoint servers and not Microsoft’s cloud-based services, were initially identified at a hacking competition in Berlin in May. Although Microsoft released a patch earlier this month, it was later revealed that the initial fix was incomplete, allowing attackers to continue exploiting the weakness.
According to Microsoft, three groups – Linen Typhoon, Violet Typhoon, and Storm-2603 – have targeted internet-facing SharePoint servers. Linen Typhoon and Violet Typhoon are believed to be Chinese state-backed, while Storm-2603 is assessed to be China-based. Microsoft noted, “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”
The Dutch cybersecurity firm Eye Security reported that at least 400 organisations have been breached. “We expect it may continue to rise as investigations progress,” Eye Security stated.
Victims include US federal and state agencies, universities, energy companies, and, according to Bloomberg, the US National Nuclear Security Administration, which oversees the country’s nuclear weapons. The majority of breaches have occurred in the United States, but organisations in Europe and the Middle East have also been affected.
The exploitation campaign escalated when the group Storm-2603 began deploying ransomware, causing further disruption. Microsoft observed that Storm-2603 used the vulnerabilities to gain initial access, steal credentials, and distribute ransomware within compromised environments.
Microsoft has released new comprehensive security updates and urged all users of on-premises SharePoint servers to install them. The company also recommends rotating machine keys, restarting servers, and enabling advanced security features. “Customers should apply these updates immediately to ensure they are protected,” Microsoft advised.
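One way a SharePoint administrator could script the update check, machine key rotation and restart that Microsoft recommends above. This is an added example written for this page, not code from the article or from Microsoft; it assumes the SharePoint Management Shell cmdlets `Get-SPFarm`, `Get-SPWebApplication` and `Update-SPMachineKey -WebApplication` are available on the patched build, and the fixed build number is a placeholder to be filled in from the update's release notes. Enabling the advanced security features the article mentions is a separate Central Administration setting and is not covered here.

```powershell
# Added example for this page (not from the article or from Microsoft):
# patch check, machine key rotation and IIS restart for an on-premises
# SharePoint farm, run from the SharePoint Management Shell as a farm admin.
# Assumption: Update-SPMachineKey -WebApplication exists on the patched build.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Confirm the farm is on a fixed build before doing anything else.
#    PLACEHOLDER: take the fixed build number from the security update notes.
$expectedBuild = [Version]'0.0.0.0'
$farmBuild = (Get-SPFarm).BuildVersion
Write-Host "Farm build: $farmBuild"
if ($farmBuild -lt $expectedBuild) {
    Write-Warning "Farm build is below the fixed build; install the security update first."
    return
}

# 2. Rotate the ASP.NET machine keys for every web application.
#    Keys that may have been read during a compromise stay valid until they
#    are rotated, so installing the patch alone does not invalidate them.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so the worker processes load the new keys.
#    Repeat this step on every SharePoint server in the farm.
iisreset.exe
```

The build check comes first on purpose: rotating keys on an unpatched server gives a false sense of safety, because the unpatched code path remains reachable and the new keys can be read again.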
The Chinese embassy in Washington has denied involvement, stating, “We also firmly oppose smearing others without solid evidence.”
The incident has renewed scrutiny of Microsoft’s approach to security. Last year, the US Cyber Safety Review Board criticised the company for “deprioritising both enterprise security investments and rigorous risk management”, calling for an overhaul of its corporate culture.