Recently, Microsoft disclosed that some of its customers' SharePoint servers were compromised by Chinese hacking groups, prompting significant security concerns across the global tech landscape. The tech behemoth named the groups involved in the cyberattack, namely Linen Typhoon, Violet Typhoon, and Storm-2603, who allegedly exploited vulnerabilities in on-premises SharePoint servers. Unlike Microsoft’s cloud-based services, these on-prem servers are primarily used by businesses that manage their own data infrastructure.
In the aftermath of this breach, Microsoft took swift action by releasing critical security updates for the affected on-premises SharePoint server customers. The company urged all businesses that use SharePoint to quickly install these updates to safeguard their systems against further intrusions. This situation has showcased the ongoing battle between cybersecurity measures and sophisticated hacking techniques, especially as threat actors become increasingly adept at exploiting system vulnerabilities.
The Chinese government, through its embassy in the United States, promptly responded to Microsoft’s allegations. A spokesperson stated that “China firmly opposes and combats all forms of cyber attacks and cyber crime.” Moreover, Liu Pengyu, the spokesperson, added a layer of nuance, emphasizing that China also opposes unfounded allegations made without solid evidence. This statement reflects the broader geopolitical friction that often underlies cybersecurity dialogues, especially those involving nation-states.
Microsoft’s recognition of the heightened threat level is significant. The company expressed “high confidence” that these hackers would persist in targeting those systems that failed to promptly apply the required security updates. This highlights a critical aspect of cybersecurity: the continuous cat-and-mouse game where hackers continually adapt and evolve their strategies to take advantage of any oversights.
While investigations into other potential actors exploiting these vulnerabilities are ongoing, Microsoft said it had observed various attacks. These attacks included unauthorized requests made to SharePoint servers, which allowed hackers to steal key material. The UK’s National Cyber Security Centre has reported that a limited number of SharePoint customers in the UK were among those affected by this breach, signaling the widespread impact of these actions.
Charles Carmakal, the chief technology officer at Mandiant Consulting, which is part of Google Cloud, provided additional insights into the situation. Carmakal revealed that several victims across multiple sectors and global regions had been affected, highlighting the breadth of this breach. In particular, organizations that rely on SharePoint for their operations appear to be the main targets of these cybercriminals. Carmakal noted that many attackers stole cryptographic key material, which granted them ongoing access to the victims’ SharePoint data.
The exploitation was notable for its broad, opportunistic nature, and it began before a patch had been made available. This is why the incident is regarded as significant in the realm of cybersecurity. Carmakal further elaborated, stating that the “China-nexus actors” employed strategies reminiscent of previous campaigns attributed to Beijing-linked groups. This connection to known adversaries provides a deeper understanding of the motives and long-term objectives behind such cyberattacks.
In detailing the activities of the various groups, Microsoft pointed out that Linen Typhoon has focused on stealing intellectual property for over a decade, primarily directing their attacks towards organizations associated with government, defense, and human rights initiatives. In contrast, Violet Typhoon has been dedicated to espionage activities, targeting individuals with ties to the government or military, NGOs, think tanks, and various sectors within the US, European, and East Asian regions.
Storm-2603 is assessed, with medium confidence, to be another China-based threat actor. This incident serves as a critical reminder for organizations globally about the vulnerabilities present in their systems and emphasizes the need for rigorous cybersecurity practices, above all timely patching, to guard against the ever-evolving landscape of cyber threats.