
Chinese hacking collectives responsible for persistent assaults on SharePoint servers, identified by Microsoft

Chinese hacking groups relentlessly exploiting SharePoint vulnerabilities, as revealed by Microsoft. Immediate application of security updates is advised for affected customers to thwart ongoing cyberattacks.


In a significant cybersecurity incident, China-based hacking groups have been identified as the primary culprits behind the ongoing attack on Microsoft's SharePoint file-sharing system. The attack, which began in early July 2025, has been linked to several groups, including Linen Typhoon, Violet Typhoon, Storm-2603 (also known as StorM), Salt Typhoon, Flax Typhoon, and Granite Typhoon.

Linen Typhoon, active since 2012, has a history of focusing on intellectual property theft, particularly targeting organizations linked to government, defence, strategic planning, and human rights. The group is known for drive-by compromises and its reliance on existing exploits.

Violet Typhoon, another Chinese nation-state group, has also been implicated in the SharePoint breach. This group is more focused on espionage.

Storm-2603 (StorM) is another China-based threat actor that has been observed exploiting the same SharePoint vulnerabilities as the other groups.

Salt Typhoon, Flax Typhoon, and Granite Typhoon are other Chinese state-aligned groups with a history of similar cyber espionage activities targeting critical infrastructure, intellectual property, and government organisations.

The attackers have exploited two zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in SharePoint Server. These vulnerabilities allow unauthenticated attackers to execute code remotely and to deploy webshells that give them broader access to the network. The intrusions have compromised numerous organisations worldwide, including several U.S. government agencies such as the Department of Homeland Security.

Microsoft has released security updates to protect all versions of SharePoint, urging customers to apply those updates immediately. The Microsoft Security Response Center published a blog about the SharePoint attack on July 19, 2023.

Microsoft security analysts have not identified links between Storm-2603 and Linen Typhoon or Violet Typhoon in the SharePoint breach. However, they assess with medium confidence that Storm-2603 is a China-based threat actor.

While the specific insurance giant targeted in the ongoing wave of attacks remains undisclosed, the campaign is clearly a serious threat to global cybersecurity. Organisations are urged to apply the security updates provided by Microsoft to protect their SharePoint systems.


  1. The cyber attack on Microsoft's SharePoint system, carried out by various Chinese hacking groups, poses a significant risk to the data and cloud-computing infrastructure of businesses, especially those in finance and insurance, which should ensure their systems are updated with the recently released security patches.
  2. Amid global investing concerns, the ongoing cyber espionage by China-based threat actors such as Linen Typhoon, Violet Typhoon, and Storm-2603 (StorM) underscores the importance of technological advances in cybersecurity for protecting critical business assets, including intellectual property and sensitive data.
  3. In light of recent breaches such as the SharePoint attack, organisations must treat cybersecurity as a core part of their business strategy, recognising technology as a critical tool for safeguarding valuable data and assets against an ever-present threat landscape, especially state-aligned actors such as the aforementioned Typhoon groups.
