
A major cyberattack tied to a Chinese threat group is making waves across the globe and Microsoft’s SharePoint servers are at the center of it.
According to Microsoft, a group it tracks as Storm-2603 has been exploiting vulnerabilities in SharePoint to spread ransomware. While the exact motive remains unclear, the tactic is familiar: systems are locked down, operations disrupted, and ransom demanded. What’s troubling is the widespread nature of the attack. The breach has hit hundreds of organizations, from government agencies to private companies worldwide.
Eye Security (a Dutch cybersecurity firm) was among the first to flag the breach, estimating over 400 affected entities, including those in the United States, South Africa, the Netherlands, and even Mauritius and Jordan. In the U.S., major institutions like the National Institutes of Health and the National Nuclear Security Administration were caught in the crosshairs.
Here’s a recap of what’s happening. Once the attackers exploit the SharePoint vulnerability, they gain access to sensitive servers and can impersonate legitimate users or services. This gives them deep and potentially undetected access to internal networks. Microsoft has issued patches; however, many organizations may not have acted fast enough, and the damage may already be done.
This is not the first time that China-linked groups have been blamed for targeting Microsoft infrastructure. In 2021 and 2023, Exchange Server breaches were linked to Chinese-backed actors. Now, Microsoft says that Storm-2603 has been joined by two more groups (Linen Typhoon and Violet Typhoon) in exploiting the same SharePoint flaws.
To be clear, these aren’t rogue hobbyist hackers. These are well-resourced, state-sponsored groups focused on long-term espionage and the theft of data, intellectual property, government secrets, and confidential research. Experts say many of these attackers may be operating through hacker-for-hire operations.
It’s not surprising that China is denying involvement in the attack. Its foreign ministry responded by stating that China opposes hacking and supports international cooperation, while also criticizing the “smear campaigns” targeting the country.
The list of compromised organizations is growing and includes education departments, state agencies like the Florida Department of Revenue, and even legislative bodies like the Rhode Island General Assembly. Fortunately, some systems that store classified data like those used by the National Nuclear Security Administration are air-gapped (disconnected from the internet). That limits some of the worst-case scenarios, but it doesn’t mean there’s no fallout. Unclassified but sensitive information may still be at risk.
The big takeaway? Patch your systems. Now. Organizations still running unpatched SharePoint servers are sitting ducks. Even for those who’ve patched, assume you’ve been compromised. Monitor your logs. Hunt for indicators of compromise and prepare your leadership teams for the possibility of sensitive data being exfiltrated.
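The log review and IoC hunt recommended above can be started with a small script, shown here as an added example that is not part of the article and not Microsoft’s or Eye Security’s tooling. It parses the W3C extended log format that IIS (the web server under SharePoint on Windows) writes, matches each request against an indicator list, and tallies hits per client IP. The log excerpt is constructed, and the entries in `IOC_URI_PATTERNS` and `IOC_USER_AGENTS` are placeholders to be replaced with the indicators published in the vendor advisory for this incident; the unauthenticated-POST heuristic is this example’s own assumption, not a claim from the article.

```python
"""Hunt for indicators of compromise in IIS W3C logs from a SharePoint front end.

Added example (not from the article). The log lines and the IoC lists below are
constructed placeholders; replace IOC_URI_PATTERNS and IOC_USER_AGENTS with the
indicators published by Microsoft or your vendor for the incident at hand.
"""
import re
from collections import Counter, defaultdict

# --- Placeholder indicators (assumption: fill these from a vendor advisory) ---
IOC_URI_PATTERNS = [
    re.compile(r"/_layouts/\d+/PLACEHOLDER_IOC_PAGE\.aspx", re.IGNORECASE),
]
IOC_USER_AGENTS = [
    "PLACEHOLDER-IOC-AGENT/1.0",
]

# Constructed sample IIS log excerpt (W3C extended format); not real traffic.
# Real IIS logs encode spaces inside a field as '+', so whitespace splitting
# is safe on genuine files as well.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2025-07-20 02:14:03 GET /sites/finance/default.aspx - CORP\\alice 10.1.2.3 Mozilla/5.0 200
2025-07-20 02:14:09 POST /_layouts/15/PLACEHOLDER_IOC_PAGE.aspx - - 203.0.113.9 python-requests/2.31 200
2025-07-20 02:14:10 GET /_layouts/15/start.aspx - CORP\\bob 10.1.2.4 Mozilla/5.0 200
2025-07-20 02:15:41 POST /_layouts/15/PLACEHOLDER_IOC_PAGE.aspx - - 203.0.113.9 python-requests/2.31 200
2025-07-20 02:16:02 GET /_layouts/15/settings.aspx - - 198.51.100.7 PLACEHOLDER-IOC-AGENT/1.0 401
2025-07-20 02:16:05 GET /_layouts/15/settings.aspx - - 198.51.100.7 PLACEHOLDER-IOC-AGENT/1.0 200
"""


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def hunt(records):
    """Return a list of (reasons, record) pairs for records that match any rule."""
    findings = []
    for r in records:
        uri = r.get("cs-uri-stem", "")
        ua = r.get("cs(User-Agent)", "")
        user = r.get("cs-username", "-")
        status = r.get("sc-status", "")
        reasons = []
        if any(p.search(uri) for p in IOC_URI_PATTERNS):
            reasons.append("ioc-uri")
        if ua in IOC_USER_AGENTS:
            reasons.append("ioc-user-agent")
        # Heuristic (this example's assumption, not an article claim): a successful
        # unauthenticated POST to a /_layouts/ page is unusual on an internal farm.
        if (r.get("cs-method") == "POST" and user == "-" and status == "200"
                and uri.lower().startswith("/_layouts/")):
            reasons.append("anon-post-layouts")
        if reasons:
            findings.append((reasons, r))
    return findings


def summarize_by_ip(findings):
    """Tally finding reasons per client IP so responders can triage by source."""
    by_ip = defaultdict(Counter)
    for reasons, r in findings:
        by_ip[r.get("c-ip", "?")].update(reasons)
    return dict(by_ip)


if __name__ == "__main__":
    summary = summarize_by_ip(hunt(parse_iis_log(SAMPLE_LOG)))
    for ip, counts in summary.items():
        print(ip, dict(counts))
```

Run it against exported IIS logs from every SharePoint front end, not just the one that raised an alert, and treat any hit on a vendor-published indicator as a trigger for the incident response process rather than as something to clean up quietly: the article’s advice to assume compromise applies even when the patch was installed.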
Cybersecurity is a team sport, and this attack is a stark reminder that the threat landscape is rapidly evolving. The weakest link in your infrastructure may be an outdated server or a missed patch, and that one gap can unravel the strongest defenses.
Be alert, stay patched and be resilient. Don’t be a victim.
About the Author – Dr. Kimma Wreh
https://medium.com/@drkimmawreh/about