Microsoft has revealed that Chinese state-backed hacking groups have exploited vulnerabilities in its on-premises SharePoint servers, compromising sensitive data of businesses and governments worldwide.
The groups, identified as Linen Typhoon, Violet Typhoon, and China-based Storm-2603, targeted organizations running on-premises versions of SharePoint rather than Microsoft’s secure cloud services. Investigations suggest the attackers used sophisticated techniques to steal cryptographic keys, enabling ongoing access to affected systems.
“This was exploited in a very broad and opportunistic way before a patch became available. That’s why this is significant,” said Charles Carmakal, Chief Technology Officer at Mandiant, a Google Cloud subsidiary. He confirmed victims span multiple industries and regions, with governments and firms heavily affected.
Microsoft has released security updates and urged all on-premises SharePoint users to apply patches immediately, warning that hackers are likely to keep targeting unprotected systems.
Linen Typhoon, known for stealing intellectual property, has focused for over a decade on organizations linked to government, defense, and strategic planning. Violet Typhoon has carried out espionage against NGOs, think tanks, education, and the media, while Storm-2603 is suspected to be another China-based operation.
The tech giant emphasized that further investigations are ongoing and pledged to provide updates as more details emerge.