Microsoft claims: State-backed Chinese hackers breached our servers

The tech company warned that the hackers would continue to target systems that have not installed the security update released following the breach.

What is happening?

Microsoft has confirmed that state-backed Chinese hacking groups have exploited vulnerabilities in its on-premises SharePoint software, compromising sensitive business data.

The company stressed that its cloud-based services were not affected in the attack.

Three Threat Groups Behind the Attack

The cyber breach has been linked to three separate groups: Linen Typhoon, Violet Typhoon, and Storm-2603.

While the first two are believed to be sponsored by the Chinese state, Storm-2603 is considered China-based with “medium confidence,” the BBC reports.

Security Updates Rolled Out Urgently

In response to the attack, Microsoft has released patches and urged all businesses using on-premises SharePoint servers to install the updates immediately.

Systems that remain unpatched are still at risk, the company warned.

Exploits Still Under Investigation

Microsoft revealed that investigations into whether other threat actors are using the same exploits are ongoing.

The company plans to share additional findings on its official blog as the probe continues.

Attack Involved Theft of Encryption Keys

The attackers sent malicious requests to vulnerable SharePoint servers to steal “key material” — cryptographic data that grants them prolonged access to sensitive information, Microsoft said.

Global Impact Across Multiple Sectors

Charles Carmakal of Google Cloud’s Mandiant Consulting told the BBC that victims span various industries and regions.

Both government entities and businesses relying on on-premises SharePoint were affected.

Attackers Maintain Access Long After Breach

The stolen cryptographic material enabled the hackers to maintain persistent access to compromised systems.

Exploited Before Patch Was Available

Carmakal emphasized that the exploit was used widely and opportunistically before Microsoft had a chance to develop a fix.

This early abuse made the incident particularly severe.

Tactics Mirror Past Chinese Campaigns

The techniques used in the breach closely resemble methods previously linked to Chinese state-sponsored cyber operations.

The hackers’ behavior aligns with a broader pattern of strategic espionage.

Espionage, IP Theft, and Global Targets

Microsoft says Linen Typhoon has spent over a decade targeting government, defense, and human rights organizations to steal intellectual property.

Meanwhile, Violet Typhoon has focused on espionage involving former officials, NGOs, think tanks, and institutions across the US, Europe, and East Asia.
