State-backed groups exploit SharePoint vulnerabilities in sweeping cyber espionage campaign
Chinese state-sponsored hacking groups have launched a sophisticated cyber attack against Microsoft’s SharePoint servers, compromising sensitive business data across multiple sectors and geographical regions, the technology giant confirmed today.
Three distinct threat actors – identified as Linen Typhoon, Violet Typhoon, and Storm-2603 – successfully exploited critical vulnerabilities in Microsoft’s on-premises SharePoint document management systems.
The attack, which Microsoft assesses with “high confidence” will continue against unpatched systems, represents one of the most significant corporate cyber breaches of 2025.
The hackers specifically targeted on-premises SharePoint installations used by businesses and government organizations, while Microsoft’s cloud-based SharePoint services remained unaffected.
The attackers were able to steal cryptographic key material by sending malicious requests to vulnerable servers, subsequently gaining persistent access to victims’ SharePoint data repositories.
Charles Carmakal, chief technology officer at Mandiant Consulting, a Google Cloud division, told the BBC that his firm was “aware of several victims in several different sectors across a number of global geographies.”
The attack appears to have been conducted opportunistically on a broad scale before security patches became available, making it particularly significant in scope.
Linen Typhoon, one of the primary threat actors, has been actively stealing intellectual property for over a decade, focusing primarily on government agencies, defense contractors, strategic planning organizations, and human rights groups.
Violet Typhoon has concentrated on espionage activities, targeting former government and military personnel, non-governmental organizations, think tanks, academic institutions, media companies, financial services, and healthcare organizations across the United States, Europe, and East Asia.
The third group, Storm-2603, has been assessed with “medium confidence” as a China-based threat actor, though less detailed information about their specific targeting patterns has been disclosed.
Microsoft has responded by releasing emergency security updates and strongly advising all customers running on-premises SharePoint servers to install the patches immediately.
The company warned that the full scope of the campaign may not yet be understood: “Investigations into other actors also using these exploits are still ongoing,” Microsoft stated.
The company has committed to providing regular updates on its security blog as the investigation progresses.
The attack methodology involved sending specially crafted requests to vulnerable SharePoint servers that disclosed the servers’ cryptographic keys. Those keys are what a SharePoint server uses to decide whether data a client sends back to it is genuine, so an attacker holding them can forge requests the server accepts as its own and regain access at will, rather than having to exploit the vulnerability a second time.
This is why the attackers were able to maintain persistent access to compromised systems even after initial infiltration, and why installing the patch alone does not evict an attacker who has already copied the keys.
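The persistence mechanism described above, reduced to its essentials in Python. This is an added illustration, not code from Microsoft or from the article, and it deliberately generalises beyond SharePoint: any server that authenticates client-supplied state with a secret key behaves this way once that key leaks. The `StateServer` class, the `forge` helper and the toy token layout (JSON body followed by a 32-byte HMAC-SHA256 tag) are assumptions made for the demonstration; they are not SharePoint’s actual format. The point it makes is the one the text makes: a token forged with a stolen key is still accepted after the leak is closed, and only rotating the key invalidates it.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output length

class StateServer:
    """Hypothetical server that trusts client-returned state only when it
    carries a valid MAC under the server's secret key (constructed model,
    not SharePoint's real implementation)."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def mint(self, state: dict) -> str:
        """Issue state to a client, authenticated with the current key."""
        body = json.dumps(state, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.b64encode(body + tag).decode()

    def accept(self, token: str) -> Optional[dict]:
        """Return the state if the MAC verifies under the current key, else None."""
        try:
            raw = base64.b64decode(token, validate=True)
        except (ValueError, TypeError):
            return None
        if len(raw) <= TAG_LEN:
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(body)

    def rotate_key(self) -> None:
        """Replace the secret key; every token minted or forged under the old key dies."""
        self.key = secrets.token_bytes(32)


def forge(stolen_key: bytes, state: dict) -> str:
    """Attacker side: with the leaked key, mint state the server cannot tell
    from its own. Same construction as StateServer.mint, run off the server."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(stolen_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def tamper(token: str) -> str:
    """Attacker without the key: edit the body and hope; the MAC will not match."""
    raw = bytearray(base64.b64decode(token))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def run_scenario() -> dict:
    """Walk through leak -> patch -> rotate and report what the server accepts."""
    server = StateServer()
    # Stage 1: the crafted request discloses the key (modelled as a direct copy).
    stolen_key = server.key
    forged = forge(stolen_key, {"principal": "attacker", "role": "admin"})
    accepted_after_leak = server.accept(forged) is not None

    # Stage 2: the vulnerability is patched, but the key is unchanged.
    # Nothing in the server's state changes, so the forged token still verifies.
    accepted_after_patch = server.accept(forged) is not None

    # A forger who lacks the key is rejected at every stage.
    tampered_rejected = server.accept(tamper(forged)) is None

    # Stage 3: the key is rotated; the stolen copy is now worthless.
    server.rotate_key()
    accepted_after_rotation = server.accept(forged) is not None

    return {
        "accepted_after_leak": accepted_after_leak,
        "accepted_after_patch": accepted_after_patch,
        "tampered_rejected": tampered_rejected,
        "accepted_after_rotation": accepted_after_rotation,
    }


if __name__ == "__main__":
    for stage, result in run_scenario().items():
        print(f"{stage}: {result}")
```

Stage 2 is the one to take away: the “patch” changes nothing the server checks, because the server’s trust decision depends only on the key, and the key has not moved. In a real SharePoint estate the equivalent of `rotate_key` is rotating the server’s ASP.NET machine keys after patching, and treating every session established before the rotation as suspect.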
Carmakal noted that the China-nexus actors deployed techniques consistent with previous campaigns attributed to Beijing-backed hacking groups, suggesting a coordinated state-sponsored effort rather than independent criminal activity.
The breach highlights ongoing concerns about the security of self-managed enterprise software versus vendor-operated cloud services.
While Microsoft’s cloud SharePoint services were not compromised, the attack demonstrates that locally hosted business systems, which depend on each organisation patching promptly, remain exposed to sophisticated nation-state actors during the window between disclosure and patching.
Organizations using on-premises SharePoint installations are being urged to immediately assess their systems for signs of compromise and ensure all available security updates have been applied. Because the campaign stole the servers’ cryptographic keys, patching alone does not lock out an attacker who already holds them; Microsoft’s guidance is also to rotate the servers’ ASP.NET machine keys after patching and restart the web server so that the new keys take effect.