Microsoft confirms SharePoint vulnerabilities have been exploited by suspected Chinese hackers, as reports indicate the US Nuclear Security Administration may have been among those compromised
'Investigations into other actors also using these exploits are still ongoing.'

Following on from Microsoft's warning earlier this week that "active attacks" were targeting its SharePoint Server customers through a known exploit, the company has now released a blog post revealing more details about the breach. According to MS, on-premises SharePoint servers were determined to have been attacked by three allegedly Chinese nation-state actors, Linen Typhoon, Violet Typhoon, and Storm-2603, via a known spoofing vulnerability and a remote code execution vulnerability.
Reuters reported on Monday that, according to Vaisha Bernard, chief hacker at Eye Security, around 100 organisations were compromised as of the weekend. The Shadowserver Foundation said that most of those affected were in the United States and Germany, and the victims included government organisations.
Bloomberg has since reported that "a person with knowledge of the matter" confirmed that hackers used the SharePoint flaws to break into the US National Nuclear Security Administration, among others, although no sensitive or classified information was compromised. The US federal agency is responsible for managing and maintaining the US nuclear weapons stockpile, along with providing nuclear propulsion plants for US submarines and promoting international nuclear safety.
A security patch released earlier this month appears to have failed to fix the vulnerabilities, which were said to be first identified in May at a hacking competition in Berlin.
Microsoft says that only on-prem servers were affected by the hack, and that the vulnerabilities in question (CVE-2025-49706 and CVE-2025-49704 respectively) have since been patched in all supported versions of SharePoint Server. MS advises that "customers should apply these updates immediately" to ensure they are protected.
"With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems," the company continues.
"Customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode. Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions."
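Two of the steps quoted above, rotating the ASP.NET machine keys and restarting IIS, are the kind of thing an administrator would script rather than click through. The following PowerShell is an added illustration of that, not code from the article or from Microsoft. It assumes SharePoint Server 2016, 2019 or Subscription Edition at a patch level that ships the `Update-SPMachineKey` cmdlet, an elevated SharePoint Management Shell (or a PowerShell session with the SharePoint snap-in loaded) run as a farm administrator, and a log file path of my own choosing. Enabling AMSI Full Mode and deploying Defender for Endpoint are separate configuration tasks and are not scripted here.

```powershell
# Added example (not from the article or Microsoft): rotate the ASP.NET machine keys of
# every SharePoint web application, then restart IIS so the new keys take effect.
# Assumes a patched SharePoint Server farm and an elevated session as a farm administrator.
# Run the key rotation once per farm; run the IIS restart on every server in the farm.

$ErrorActionPreference = 'Stop'

# Load the SharePoint cmdlets if this is a plain PowerShell session.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Update-SPMachineKey is only present on servers that already carry the security update
# the article refers to. If it is missing, the farm is still unpatched: stop here rather
# than report a rotation that never happened.
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw 'Update-SPMachineKey not found: install the SharePoint security update before rotating keys.'
}

# Rotate the keys of every web application, Central Administration included, so that no
# application keeps a key that may already have been exposed to an attacker.
$rotated = @()
foreach ($app in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($app.Url)"
    Update-SPMachineKey -WebApplication $app
    $rotated += $app.Url
}

# Microsoft pairs the rotation with an IIS restart so the worker processes pick up the
# new keys; repeat this restart on each SharePoint server in the farm.
& iisreset.exe /restart
if ($LASTEXITCODE -ne 0) {
    throw "iisreset failed with exit code $LASTEXITCODE"
}

# Leave an audit trail of what was rotated and when, for the incident record.
# The log path is an assumption of this example, not a SharePoint convention.
$logLine = "{0:u} rotated keys for {1} web application(s): {2}" -f (Get-Date), $rotated.Count, ($rotated -join ', ')
Add-Content -Path "$env:ProgramData\SharePointKeyRotation.log" -Value $logLine
Write-Host $logLine
```

Running the script on one server rotates the keys farm-wide; the `iisreset.exe` call, however, only affects the server it runs on, so the restart has to be repeated on every front end before the rotation can be considered complete.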
I'd imagine all that might be quite the headache for sysadmins working with SharePoint servers, but at this point it's probably better to be safe than sorry. The hacking groups identified are said to have prior form, with Linen Typhoon and Violet Typhoon supposedly responsible for a litany of digital crimes, including stealing intellectual property, conducting government and military espionage, and exploiting digital weaknesses to install web shells.
Storm-2603, meanwhile, appears to be more mysterious. MS says that it has assessed the group with "medium confidence" to be a China-based threat actor, although it's been unable to link it directly with the hacking groups above. Reuters also reports that the Chinese embassy in Washington has already released a statement confirming that China is against all forms of cyberattacks, and that it firmly opposes "smearing others without solid evidence."
"We hope that relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations," the embassy said.
In 2023, Microsoft hit the headlines over a high-profile US government email hack, also attributed to Chinese hacking groups. The federal Cyber Safety Review board later released a report on the incident, identifying a "cascade of Microsoft's avoidable errors that allowed this intrusion to succeed." Given that Microsoft's server infrastructure seems so innately tied to sensitive US government operations at this point, and the potential severity of this particular breach, it remains to be seen whether the US government will order a similar review again.


Andy built his first gaming PC at the tender age of 12, when IDE cables were a thing and high resolution wasn't—and he hasn't stopped since. Now working as a hardware writer for PC Gamer, Andy's been jumping around the world attending product launches and trade shows, all the while reviewing every bit of PC hardware he can get his hands on. You name it, if it's interesting hardware he'll write words about it, with opinions and everything.