Microsoft Blames China for SharePoint Cyberattacks

23 July 2025

Microsoft Links Chinese Hackers to SharePoint Attacks

Microsoft has confirmed that recent cyberattacks exploiting vulnerabilities in its SharePoint server software are linked to Chinese state-sponsored hacking groups. The attacks, which began as early as July 7, 2025, targeted on-premises SharePoint servers globally, affecting dozens of organizations including government agencies, private companies, and educational institutions. The company identified three Chinese-affiliated groups involved: Linen Typhoon, Violet Typhoon, and Storm-2603. Microsoft has released urgent security patches to address the exploited zero-day vulnerabilities and warned that threat actors would continue attacking unpatched systems.

Details of the SharePoint Vulnerabilities and Attack Impact

The vulnerabilities exploited in SharePoint allowed hackers to gain remote code execution capabilities and access sensitive information such as cryptographic keys, which could be used to maintain persistent network access and deploy additional malware. These security flaws, indexed as CVE-2025-49704 and CVE-2025-49706 among others, were first demonstrated publicly at a hacking contest earlier this year. According to Microsoft and cybersecurity researchers, these attacks compromised at least 54 organizations worldwide, including entities across sectors like defense, telecommunications, software, finance, and health services in the US, Europe, and East Asia. Some affected victims include a private energy firm in California, a federal health agency, and various governmental bodies.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) acknowledged the active exploitation of these vulnerabilities and alerted critical infrastructure organizations about the threat. Furthermore, federal authorities have observed compromised servers communicating with IP addresses located in China. The FBI and the White House have declined to comment publicly on the ongoing investigations.
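The report above notes that compromised servers were observed communicating with external IP addresses. The following is an added defender-side example, not code from the original article or from Microsoft or CISA, showing how a small egress-log check can flag outbound connections from on-premises SharePoint hosts to a watchlist of address ranges. The host names, the log format and the watchlist are all assumptions; the watchlist uses RFC 5737 documentation ranges as placeholders, not any real indicator from the incident, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical watchlist of address ranges; RFC 5737 documentation
# ranges are used as placeholders (assumption, not real indicators).
WATCHLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Assumed inventory of on-premises SharePoint front-end hosts.
SHAREPOINT_HOSTS = {"sp-web-01", "sp-web-02"}

# Constructed firewall-style log lines: timestamp host direction src dst port
SAMPLE_LOG = """\
2025-07-20T02:11:05Z sp-web-01 OUT 10.0.1.15 192.0.2.77 443
2025-07-20T02:11:09Z sp-web-01 OUT 10.0.1.15 10.0.5.20 1433
2025-07-20T02:14:31Z fileserver OUT 10.0.1.40 198.51.100.9 443
2025-07-20T02:15:02Z sp-web-02 OUT 10.0.1.16 198.51.100.9 8443
2025-07-20T02:15:03Z sp-web-02 IN 203.0.113.5 10.0.1.16 443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<dir>IN|OUT) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def in_watchlist(ip_str, watchlist=None):
    """True if ip_str is a valid address inside any watchlisted network."""
    nets = WATCHLIST if watchlist is None else watchlist
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Non-IP destinations (hostnames, junk) are not matched here.
        return False
    return any(ip in net for net in nets)


def find_suspicious_egress(log_text, sharepoint_hosts=SHAREPOINT_HOSTS, watchlist=None):
    """Return (host, dst, port, ts) tuples for OUT connections from
    SharePoint hosts whose destination falls in the watchlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "OUT":
            continue
        if rec["host"] not in sharepoint_hosts:
            continue
        if in_watchlist(rec["dst"], watchlist):
            hits.append((rec["host"], rec["dst"], rec["port"], rec["ts"]))
    return hits


def summarize(hits):
    """Group hits per host so one server with many beacons is one finding."""
    per_host = defaultdict(list)
    for host, dst, port, ts in hits:
        per_host[host].append(f"{dst}:{port} at {ts}")
    return dict(per_host)


if __name__ == "__main__":
    for host, events in summarize(find_suspicious_egress(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(events))
```

Only outbound connections from the SharePoint inventory are considered, so the file server's hit and the inbound line are ignored; in practice the watchlist and host inventory would come from the vendor's and CISA's published indicators and the organization's own asset list, and a match is a lead for triage, not proof of compromise.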

Microsoft’s CEO Satya Nadella emphasized the company’s renewed focus on cybersecurity, following earlier criticism of its handling of Chinese cyber intrusions. In a related move, Microsoft announced it would stop using China-based engineers to support U.S. Pentagon cloud services, in order to mitigate potential security risks.

About the Chinese Hacking Groups

  • Linen Typhoon (aka APT27): Active since 2012, implicated in multiple malware campaigns targeting various sectors worldwide.
  • Violet Typhoon (aka APT31): Operating since 2015, known for cyberespionage efforts against U.S. and allied governments.
  • Storm-2603: A China-based threat actor with a history of ransomware and other malicious activities, currently assessed with medium confidence as state-associated.

Microsoft has called on all organizations running SharePoint servers to apply the provided patches urgently to prevent further intrusions. Even with the fixes available, experts warn that attackers will keep exploiting unpatched systems now that the vulnerabilities are widely known.

This summary reflects the latest public information as of July 23, 2025, capturing Microsoft's confirmations, ongoing investigations, and the cybersecurity community's response to these significant state-sponsored cyber threats.