Chinese state-backed hacking groups have breached Microsoft’s on-premises SharePoint servers, exploiting unpatched vulnerabilities to access sensitive business data, the tech giant confirmed.
Microsoft identified three threat actors—Linen Typhoon, Violet Typhoon, and Storm-2603—as responsible for the attacks. These groups, believed to be linked to Beijing, did not exploit Microsoft’s cloud-based services, but rather targeted companies using SharePoint on their own infrastructure.
In a statement, Microsoft said it had “high confidence” that the hackers would continue to attack systems that haven’t installed its latest security updates. The company has issued urgent patches and advised all users of on-premises SharePoint servers to update immediately.
“Investigations into other actors also using these exploits are still ongoing,” Microsoft added, promising continued updates on its security blog.
Attackers were able to steal cryptographic key material, giving them persistent access to victims’ systems even after the initial intrusion. According to Charles Carmakal, CTO at Mandiant (a division of Google Cloud), several organizations across multiple industries and regions have been affected.
“This was a broad and opportunistic exploitation—significant because it happened before a fix was available,” Carmakal told the BBC.
Targeted Sectors and Motives
Microsoft provided background on the groups involved:
- Linen Typhoon: Active for 13 years, known for stealing intellectual property from organizations in government, defense, strategic planning, and human rights.
- Violet Typhoon: Specializes in espionage, targeting former government officials, NGOs, think tanks, universities, the media, and the health and financial sectors across the U.S., Europe, and East Asia.
- Storm-2603: A China-based group “assessed with medium confidence” by Microsoft, believed to be newly involved in the campaign.
Experts say the attackers used techniques consistent with previous Chinese state-sponsored cyber operations, reinforcing concerns about long-term access and data theft in critical sectors.