A wave of cyber intrusions tied to Chinese state-affiliated actors has exploited unpatched vulnerabilities in Microsoft SharePoint, with consequences affecting governments, businesses, and critical infrastructure worldwide. According to Microsoft, the breaches have targeted organizations running on-premises versions of SharePoint, bypassing protections more robustly enforced in the company’s cloud-based services.
Three hacker groups—identified by Microsoft as Linen Typhoon, Violet Typhoon, and Storm-2603—are suspected of leveraging these software weaknesses in a campaign that dates back to early July. Victims include several U.S. government agencies, such as the Department of Energy and its National Nuclear Security Administration (NNSA), though no classified information is reported to have been compromised.
Microsoft released patches to address the exploited vulnerabilities in July. However, cybersecurity researchers have found that attackers have developed methods to evade these fixes, allowing them to maintain unauthorized access even after updates. These tactics include the theft of authentication keys, user impersonation, and persistent infiltration into server environments, according to Interesting Engineering.
The intrusions affected more than 100 servers globally. Affected organizations span energy providers, academic institutions, consulting firms, and public sector agencies.
The attackers reportedly harvested login credentials—such as usernames, password hashes, and session tokens—which could allow for long-term impersonation or lateral movement within networks. While many victims remain unnamed, reports confirm the involvement of at least one U.S.-based healthcare provider and a Southeast Asian university.
These events have reignited concerns over Microsoft’s security infrastructure, particularly for customers still operating outside its cloud ecosystem. A recent U.S. government review criticized Microsoft’s handling of similar incidents, urging a more rigorous internal security posture.
As investigations continue, Microsoft advises users to apply all security updates, transition to cloud-based platforms when feasible, and implement layered defense mechanisms to detect unauthorized access. The scale and persistence of these attacks underscore the growing risk posed by well-resourced threat actors exploiting widely used enterprise software.