Eye Security, a Netherlands-based cybersecurity company that has been tracking Microsoft SharePoint attack victims, said an analysis of victims shows that nearly one-third were government-sector systems.
Multiple U.S. agencies, including the National Nuclear Security Administration and the National Institutes of Health, have confirmed that they were subject to the mass exploit.
Out of 396 compromised systems confirmed by Eye Security’s scan of more than 27,000 SharePoint systems in the first week of the breach, education-sector systems accounted for 13 percent of the victims, second after government targets.
In addition to government and education, software as a service (SaaS) providers, telecom providers, and power grids were targets of focused efforts.
Multiple Waves of Attacks
Eye Security was the first to detect the mass exploitation of the SharePoint vulnerability on July 18. The exploit, which was first confirmed during the Pwn2Own Berlin hacking competition in May, was originally a “zero-day” exploit, meaning a cyberattack aimed at a previously unknown software vulnerability, one that vendors had had zero days to patch.
In a July 29 update, Eye Security counted more than 8,000 unpatched systems remaining exposed online.
Eye Security confirmed that an initial wave of attacks had happened on July 17 as a possible test phase, and the first wave of widely successful attacks was carried out at about 2 p.m. Eastern Time on July 18. A second wave followed the next morning, and multiple waves followed beginning on July 21.
“A patch alone doesn’t eliminate an attacker who’s already inside. The delay between exploitation and remediation can be devastating—especially for mid-sized organisations without round-the-clock threat detection,” Hensen said in the blog.
Subsequent waves of attacks also broadened in targets, suggesting new attackers beyond the initial Chinese state-sponsored intelligence operation.
“In incidents like these, it’s not uncommon to see a rapid shift: Once an exploit becomes public and technical details begin to circulate, other state and non-state actors tend to follow. That includes cybercriminal groups with very different motives, especially those focused on financial gain,” Hensen wrote in the Eye Security blog.
Hensen told The Epoch Times via email that once the exploit was made public, Eye Security observed “signs of opportunistic activity by less‑sophisticated actors.”
“We observed increased mass scanning, more automated exploitation attempts, and a shift from mainly government targets to include mid‑sized businesses,” Hensen said.
According to the researchers, intelligence operations often hit large organizations first, and mid-sized organizations may be exposed in subsequent waves. They expect the exploit to continue to be abused in the coming weeks until organizations have patched and followed best practices to secure their systems, such as rotating machine keys.
“Patching alone is not enough. We advise running full forensic investigations, reviewing and resetting credentials, monitoring for indicators of compromise, and preserving evidence for investigation,” Hensen said.