Chinese SharePoint server attacks have been linked to multiple state-sponsored hacker groups, according to a new Microsoft security alert. The company says at least three China-based espionage teams are behind recent breaches exploiting a critical SharePoint vulnerability chain.
These flaws allow full remote access to servers—without any login credentials. As a result, dozens of organizations have already been compromised, and more could follow unless urgent patches are applied.
Three Espionage Groups Identified
Microsoft says that Linen Typhoon, Violet Typhoon, and Storm-2603 have been observed actively targeting internet-facing SharePoint servers. These actors are believed to be based in China and linked to past high-level cyber espionage campaigns.
Linen Typhoon (APT27)
- Active since 2012
- Targets governments, defense, and human rights organizations
- Known for stealing intellectual property using existing exploits and drive-by attacks
Violet Typhoon (APT31)
- Active since 2015
- Targets NGOs, media, education, and financial sectors
- Conducts sophisticated surveillance on former government and military staff
Storm-2603
- Previously linked to LockBit and Warlock ransomware
- Currently under investigation, but Microsoft believes it is China-based
- Attack objectives remain unclear
How the Exploits Work
All three groups use the same exploitation method. They send specially crafted POST requests to the SharePoint ToolPane endpoint, uploading malicious scripts like spinstall0.aspx.
This script extracts MachineKey data, which is then sent back via a GET request—giving hackers the cryptographic keys needed to hijack systems.
Microsoft has also seen file name variations like:
- spinstall.aspx
- spinstall1.aspx
- spinstall2.aspx
Global Impact and Urgent Warnings
Authorities around the world are warning organizations to patch immediately. Microsoft, along with other security firms, urges the following steps:
- Apply the latest SharePoint patches
- Rotate all cryptographic keys
- Audit server activity and logs
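The audit step above can be carried out against IIS request logs using the two indicators described under "How the Exploits Work": a POST to the ToolPane endpoint followed by a GET for spinstall0.aspx or one of its name variants. The script below is an added example, not from the article or from Microsoft: it parses a few constructed IIS W3C log lines, flags both request types, and reports client addresses that did both (the complete chain), which separates a real intrusion from an administrator legitimately editing a page. The "/_layouts/" URL prefix for ToolPane.aspx and the log column layout are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Indicators taken from the article: a POST to the SharePoint ToolPane endpoint
# followed by a GET for spinstall0.aspx (or spinstall.aspx / spinstall1.aspx / spinstall2.aspx).
# The "/_layouts/" prefix is an assumption about the URL under which ToolPane.aspx is served.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SPINSTALL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed sample lines in IIS W3C format (not real traffic). Columns follow the
# #Fields directive; 10.0.0.5 is the server, 203.0.113.10 a hypothetical external client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-19 03:14:07 10.0.0.5 GET /sites/hr/_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.23 Mozilla/5.0 200 120
2025-07-19 03:14:52 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 310
2025-07-19 03:14:55 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 45
2025-07-19 03:20:01 10.0.0.5 GET /_layouts/15/spinstall2.aspx - 443 - 203.0.113.10 curl/8.0 404 5
2025-07-19 03:21:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\\bob 10.0.0.41 Mozilla/5.0 200 200
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    uri: str
    status: str
    reason: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def scan(text: str) -> list[Hit]:
    """Flag every ToolPane POST and every spinstall*.aspx request in the log text."""
    hits = []
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        uri = rec["cs-uri-stem"]
        reason = None
        if method == "POST" and TOOLPANE_RE.search(uri):
            reason = "POST to ToolPane endpoint"
            if rec["cs-username"] == "-":
                reason += ", unauthenticated"  # the article's flaw needs no credentials
        elif SPINSTALL_RE.search(uri):
            reason = "request for spinstall*.aspx (a 404 still shows probing)"
        if reason:
            hits.append(Hit(f"{rec['date']} {rec['time']}", rec["c-ip"], method,
                            uri, rec["sc-status"], reason))
    return hits


def chained_sources(hits: list[Hit]) -> set[str]:
    """Client IPs that both posted to ToolPane and fetched spinstall*.aspx, i.e. the full chain."""
    posted = {h.client_ip for h in hits if h.reason.startswith("POST to ToolPane")}
    fetched = {h.client_ip for h in hits if h.reason.startswith("request for spinstall")}
    return posted & fetched


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.time} {h.client_ip} {h.method} {h.uri} {h.status}  <- {h.reason}")
    print("sources completing the chain:", sorted(chained_sources(found)))
```

On the sample data the authenticated POST from CONTOSO\bob is listed but never reaches the chain set, because no spinstall request came from that address; any address that does complete the chain is a server whose MachineKey should be treated as exposed, which is why key rotation is listed alongside patching.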
According to reports from CNBC and Bloomberg, high-profile US entities have already been breached, including:
- The US National Nuclear Security Administration (NNSA)
- The Department of Education
- Florida’s Department of Revenue
- The Rhode Island General Assembly
At least 100 servers have been compromised, with more likely affected.
Microsoft’s Outlook and China’s Denial
Microsoft states with high confidence that these groups will continue attacking unpatched on-premises SharePoint systems. Investigations are still underway, and additional victims may emerge.
In response to the allegations, the Chinese Embassy in Washington denied all involvement, calling the accusations baseless and politically motivated.
Conclusion
The Chinese SharePoint server attacks show how critical unpatched systems can become national security targets. With espionage groups actively exploiting zero-days, organizations must act fast to protect their infrastructure—or risk being the next headline.