Microsoft confirms Chinese cyber groups behind major SharePoint exploit; US agencies and global companies among affected


Three China-linked cyber espionage groups have been implicated in a major hacking campaign that has compromised a wide range of organisations globally, including multiple US government agencies. The cyberattack, which exploits critical vulnerabilities in Microsoft’s widely used SharePoint server software, has prompted urgent investigations by federal officials and private security experts, according to a report by Politico.

Microsoft confirmed in a recent blog post that the three threat actors, identified as Violet Typhoon, Linen Typhoon, and Storm-2603, are actively involved in the campaign. These groups are believed to be state-affiliated and have been previously associated with cyber operations targeting Western interests.

Two US officials, speaking on condition of anonymity due to the sensitivity of the situation, disclosed that at least four to five federal agencies have been affected, though the full scale of the breach remains unclear. “More than one” agency had been confirmed as compromised as of Monday, one of the officials added.

The attackers are exploiting a serious flaw in customer-managed, on-premises versions of Microsoft SharePoint, a collaborative platform used extensively across government and corporate sectors. Microsoft stated that the cloud-hosted versions of SharePoint are not impacted by the vulnerability.

Since the breach was detected over the weekend, both federal cybersecurity teams and private analysts have been working to contain the damage. Microsoft said it is confident the threat actors will continue to exploit unpatched systems, warning of the urgent need for organisations to update their software.

The tech giant has said it is working closely with the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense’s Cyber Defence Command, and international cybersecurity partners to mitigate the threat. A CISA spokesperson noted that Microsoft had been “responding quickly” since the agency first raised the alarm.

This latest breach adds to a growing list of high-profile cybersecurity incidents involving Microsoft and suspected Chinese hackers. In 2023, attackers linked to China reportedly accessed email accounts belonging to the US ambassador to China and the US Commerce Secretary by exploiting a string of Microsoft security flaws, shortcomings that were later criticised by a federal review board.

More recently, the Pentagon announced it would reassess all its cloud services after it emerged that China-based engineers had been providing technical assistance for sensitive US military systems.
