Three China-linked hacking groups are among those responsible for a sweeping cyberattack against users of popular Microsoft server software that has already impacted dozens of organizations across the globe.
Federal investigators believe multiple U.S. government agencies are among the early victims of the ongoing cyber exploitation campaign, though the full scope is not yet clear, according to two U.S. officials with knowledge of the matter.
Microsoft confirmed in a blog post Tuesday that three Chinese hacking gangs, known as Violet Typhoon, Linen Typhoon and Storm-2603, are involved in the hacking effort. At least two U.S. federal agencies are among the roughly 100 suspected victims of the hacks thus far, said one U.S. official directly involved in the incident response and a second who has been briefed on it. Both people were granted anonymity due to the ongoing nature of the incident.
Private security researchers and federal investigators have been managing the fallout of the hack since Saturday, when Microsoft first reported that unknown hackers were exploiting a significant flaw affecting its customer-managed SharePoint servers, a widely used workplace collaboration platform.
While U.S. investigators are still scrambling to understand the full scope of the hacking campaign, it is fast shaping up to be the most serious cybersecurity incident of President Donald Trump’s second term in office thus far.
“With rapid adoption of these exploits, Microsoft assesses with high confidence that the threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft said in a blog post Tuesday morning.
The first U.S. official said government investigators currently suspect at least “four to five” federal agencies were breached, while more agencies are yet to be fully investigated. The second added they were briefed Monday that “more than one” federal agency was impacted.
Both officials said the U.S. government has not yet made its own assessment of China’s involvement in the breaches.
Prior to Microsoft’s announcement, investigators at cybersecurity firm Mandiant said Monday that “at least one” of the hacking groups behind that first tranche of hacks is affiliated with Beijing. A researcher at another large cybersecurity firm offered a similar assessment, saying some targeting they had seen “lines up perfectly” with what researchers expect from Chinese hacking groups.
Spokespeople for the Cybersecurity and Infrastructure Security Agency and the FBI, which have said publicly they are working to address the breach, did not immediately respond to a request for comment on the number of agencies impacted.
The White House did not respond to a request for comment on the suspected links to China. The Chinese embassy in Washington also did not respond to a request for comment for this story.
The Washington Post first reported Monday on the scope of the breach and that private researchers believe at least two federal agencies were affected by the hack. The Post later reported on the suspected links to China.
Microsoft and other private researchers probing the incident believe that hackers unrelated to China are already exploiting the same Microsoft software flaw — and more hacking groups could try to do so soon.
“It’s critical to understand that multiple actors are now actively exploiting this vulnerability,” and other hackers are likely to “leverage this exploit as well,” Charles Carmakal, the chief technology officer at Google’s Mandiant, said in a statement Monday night.
Researchers at separate leading internet scanning firms told POLITICO Monday that roughly 100 organizations across the globe appear to have been hit thus far. Silas Cutler, principal researcher at internet scanning firm Censys, and Piotr Kijewski, CEO of The Shadowserver Foundation, also said that thousands more could be vulnerable to attack.
The flaws in the SharePoint software are considered severe because they allowed hackers to remotely access the servers of Microsoft customers running self-hosted versions of the service, and then burrow deeper inside those customers’ networks. The vulnerabilities did not affect those running a version of SharePoint hosted on Microsoft cloud servers.
Microsoft failed to fix one software bug in its on-site SharePoint service earlier this month, and has only been able to offer partial mitigations for additional bugs since.
A Microsoft spokesperson said in a statement that the company is both working to ensure its customers install fixes and “coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout our response.” A spokesperson for CISA said the tech giant has been “responding quickly” ever since the agency reached out to it.
The incident is the latest in a string of breaches targeting the U.S. tech giant, several of which have involved China.
In 2023, Chinese hackers stole emails from the U.S. ambassador to China and the U.S. Commerce Secretary by exploiting a “cascade” of Microsoft security misfires that were later skewered by a federal cyber review panel. And last week, the Pentagon announced that it would review all of its cloud products, after a ProPublica investigation revealed China-based engineers were providing technical support for Pentagon computer systems.
The latest exploit is reigniting scrutiny of Microsoft on the Hill.
“Government agencies have become dependent on a company that not only doesn’t care about security, but is making billions of dollars selling premium cybersecurity services to address the flaws in its products,” Sen. Ron Wyden (D-Ore.) said in a statement about the recent hack.
A spokesperson for Democratic lawmakers on the House Homeland Security Committee said lawmakers on that panel recently requested a briefing from Microsoft and CISA about Microsoft’s use of China-based engineers for certain U.S. government systems.
Source: Politico.com
