China-linked hackers behind Microsoft hacking spree, Google says

Photo by Gary Hershorn/Getty Images
A China-backed hacking group is behind some of the "active attacks" on Microsoft SharePoint software uncovered over the weekend, a top Google security executive said Monday.
Why it matters: It remains unclear how many organizations were already compromised before Microsoft's weekend warning, but researchers say the flaw could affect thousands of organizations worldwide.
Driving the news: Microsoft warned late Saturday that unidentified hackers have been actively exploiting a previously unknown vulnerability in on-premises SharePoint Server installations.
- The Cybersecurity and Infrastructure Security Agency said Sunday that hackers could use the vulnerability to access content stored on SharePoint servers and execute code.
- The Washington Post, which first reported on the attacks, said hackers have already breached U.S. federal and state agencies, universities, energy companies and an Asian telecommunications company.
Threat level: Charles Carmakal, chief technology officer at Google Cloud's Mandiant Consulting firm, said in an emailed statement Monday that a China-linked hacking team is "at least one of the actors responsible for this early exploitation."
- However, Carmakal added that Mandiant has observed "multiple actors" actively targeting the SharePoint vulnerability. The Chinese Embassy did not immediately respond to a request for comment.
- Meanwhile, researchers at Palo Alto Networks said over the weekend that hackers have been stealing the servers' cryptographic machine keys, which let them maintain persistent access to targeted companies' systems. Because stolen keys remain valid after the software is patched, rotating them is part of any remediation, not just applying the update.
- Google said in an earlier emailed statement that it has also observed hackers using this vulnerability to "install webshells and exfiltrate cryptographic secrets from victims' servers."
- SharePoint Online in Microsoft 365 is not affected; only on-premises SharePoint Server deployments are.
- Affected organizations need to implement the recommended mitigations as soon as possible, including any patches that are made available, researchers say.
The big picture: Microsoft has been rolling out a series of internal security initiatives in recent years to shore up its defenses against attacks like these.
- The effort, known internally as the Secure Future Initiative, started after a series of high-profile breaches involving Microsoft products.
What to watch: Microsoft is still working on additional patches that could protect organizations that haven't been breached yet.
- The U.S. government and Microsoft are also still investigating who is behind these intrusions.
- It will likely take weeks, if not months, for the full extent of the attacks to be understood.
Editor's note: This story has been updated with quotes from Google about China's potential connection to the breaches.
