Microsoft Says China-Linked Hackers Used Recent Security Exploit in Hacking Spree

‘Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities,’ it says.

Mark Us Preferred on Google

Microsoft Says China-Linked Hackers Used Recent Security Exploit in Hacking Spree — A member of an alleged hacking group, in a file photo. Nicolas Asfouri/AFP via Getty Images

Jack Phillips

Breaking News Reporter

7/22/2025|Updated: 7/23/2025

0:00

Microsoft said on July 22 that it has observed Beijing-backed hackers exploiting widespread attacks against organizations using collaboration software from the tech giant.

“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” the Redmond, Washington-based company said in a blog post on July 22.

It added that “another China-based threat actor, tracked as Storm-2603,” was seen exploiting vulnerabilities in its SharePoint software, which is widely used to coordinate work on projects, documents, and other matters.

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft’s statement reads.

Exploits include bypassing the program’s authentication feature and executing remote code “against vulnerable on-premises SharePoint servers,” Microsoft said.

Microsoft’s post advised customers using SharePoint to upgrade it with the latest security patches in order to stop attacks and exploits from Chinese hacking groups. It also advised that users enable Microsoft software such as Defender Antivirus and its Antimalware Scan Interface, or equivalent programs.

“Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately,” the company said.

Linen Typhoon, according to Microsoft, is accused of stealing intellectual property and is focused on organizations connected to human rights, governments, the defense industry, and strategic planning.

Violet Typhoon has been more focused on exploiting systems related to former government and military officials, nongovernmental organizations, universities and colleges, print and digital media, and think tanks, among other sectors.

In March, the Department of Justice indicted two Chinese nationals accused of operating in the APT27, or Linen Typhoon, hacking group, which researchers say has many different names.

The two nationals were alleged to have hacked into U.S. companies, municipalities, and other institutions for profit, and caused millions of dollars worth of damages, the department said.

Microsoft’s July 22 post did not elaborate on the types or names of organizations that were targeted through the SharePoint vulnerability.

On July 19, the company sent out an alert about “active attacks” on self-hosted SharePoint servers, and also issued an emergency fix to shut down the vulnerability, while dubbing it a “zero-day” exploit because it leverages a previously undisclosed digital weakness. SharePoint instances run off of Microsoft servers were not affected, the company said.

The Cybersecurity and Infrastructure Security Agency has warned that the impact of the vulnerability could be widespread and said that servers affected by it should be disconnected from the internet before any updates are applied. Meanwhile, private research firms have said that the vulnerability can lead to serious security breaches.

“Once inside, they can access all SharePoint content, system files, and configurations and move laterally across the Windows Domain,” Netherlands-based research company Eye Security said in a research note on the hacks.

Eye Security added that “because SharePoint often connects to core services like Outlook, Teams, and OneDrive, a breach can quickly lead to data theft, password harvesting, and lateral movement across the network.”

Reuters contributed to this report.

We had a problem loading this article. Please enable javascript or use a different browser. If the issue persists, please visit our help center.