Chinese state hackers targeting Microsoft customers
Agence France-Presse
Published Jul 23, 2025 12:12 AM PHT

Chinese state-sponsored hackers are actively exploiting critical security vulnerabilities in users of Microsoft's popular SharePoint servers to steal sensitive data and deploy malicious code, the US tech giant warned Tuesday.
Microsoft said it has observed three threat groups, dubbed Linen Typhoon, Violet Typhoon, and Storm-2603, targeting internet-facing SharePoint servers using two newly disclosed vulnerabilities that allow attackers to bypass authentication and execute remote code.
SharePoint Server is Microsoft's collaboration and document management platform designed for businesses and organizations.
Many large organizations use SharePoint as their primary platform for internal collaboration and for storing documents, and it is appreciated for working well with other Microsoft products like Office, Teams, and Outlook.
The attacks, which Microsoft said began as early as July 7, affect only on-premises SharePoint installations and do not impact the cloud-based SharePoint Online service, the company said in a security bulletin.
Microsoft warned that it "assesses with high confidence" that the threat actors will continue their assault against vulnerable systems where companies haven't taken the necessary precautions.
The vulnerabilities allow attackers to spoof authentication credentials and execute malicious code remotely on vulnerable servers.
Microsoft has released comprehensive security updates to address the malware and urged customers to apply the patches immediately.
In their successful attacks, the Chinese hackers deployed malicious code that provides backdoor access to compromised systems. The attackers used these tools to steal machine encryption keys and maintain access to targeted networks.
Linen Typhoon, active since 2012, primarily focuses on intellectual property theft from government, defense, and human rights organizations.
Violet Typhoon, operating since 2015, conducts espionage against former government officials, NGOs, think tanks, and media organizations across the United States, Europe, and East Asia.
Storm-2603, which Microsoft assesses with "medium confidence" to be China-based, has previously deployed ransomware but its current objectives remain unclear.
Research from cybersecurity company Check Point said the campaign began on July 7 against a major Western government and that the attacks intensified dramatically around July 18.
Since then, researchers have confirmed dozens of compromise attempts primarily targeting organizations in North America and Western Europe, Check Point said in a blog post.