Microsoft accuses Chinese hackers of exploiting SharePoint software
Microsoft has accused Chinese state-sponsored groups of exploiting its SharePoint document management software to target users including large corporations and government agencies.
The US software giant said on Tuesday that two groups — Linen Typhoon and Violet Typhoon — had exploited a so-called spoofing vulnerability to attack servers used by Microsoft customers. Another China-based group, Storm-2603, was also found to have exploited these vulnerabilities.
Microsoft said these so-called “zero-day” vulnerabilities affected customers operating their own on-premises servers and did not affect those who used its cloud-based service. It added that it had since released “new comprehensive security updates”.
“Investigations into other actors also using these exploits are still ongoing,” Microsoft said in a statement. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks.”
Details of the hack were disclosed on Sunday when Microsoft issued a patch for the vulnerability and said it was rolling out other fixes after it emerged that hackers had exploited the vulnerability to target its customers.
US federal and state agencies, universities and energy companies were impacted by the SharePoint hack, the Washington Post previously reported. Bloomberg has reported that national governments in Europe and the Middle East have also been affected.
Microsoft is a major federal contractor and has come under fire in the recent past after its systems were subject to serious cyber attacks. In 2023, the company’s email service Microsoft Exchange Online was breached and US lawmakers were targeted by the Chinese state-backed hacking group Storm-0558.
Netherlands-based Eye Security, a cyber security firm, first identified the SharePoint exploitation last week. It said it had since established that dozens of systems had been compromised and that attackers were conducting a “co-ordinated mass exploitation campaign”. It has located victims in Saudi Arabia, Vietnam, Oman and the United Arab Emirates.
Attacks increased significantly following the wide dissemination of the vulnerability last week, according to CrowdStrike, a US-based cyber security company.
More than 200mn customers used SharePoint as of December 2020, though the number using on-premises servers is likely significantly lower.
The Cyber Safety Review Board, a now disbanded panel that reviewed cyber incidents and reported to the US Secretary of Homeland Security, said last year that Microsoft’s corporate practices “deprioritised both enterprise security investments and rigorous risk management”. It called for an overhaul of the company’s culture.
The software giant has in recent weeks also been subject to further criticism after a ProPublica report found it had used China-based engineers to carry out support work for contracts it holds from the US Department of Defense.
“Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services,” Frank Shaw, Microsoft’s head of communications, posted on X last week.