Chinese hackers targeting SharePoint flaw for weeks, Microsoft says

Illustration: Annelise Capossela/Axios
At least three China-based hacking teams have been exploiting a previously unknown flaw in Microsoft SharePoint since at least July 7, the company said in a blog post.
Why it matters: Microsoft and security researchers didn't uncover the vulnerability until this past weekend, leaving thousands of customers exposed to potential nation-state hacking.
Driving the news: Microsoft said in a blog post Tuesday that it's observed three China-based hacking teams — two of which are based within the Chinese government — attempting to break into companies' networks using the SharePoint flaw.
- Microsoft tracks those groups under the names Linen Typhoon, Violet Typhoon and Storm-2603. Each cybersecurity company uses its own naming convention for hacking teams, based on its own internal data and telemetry, so the same group can appear under different names in different vendors' reports.
- Google's Mandiant also said Monday that it has observed at least one China-backed group targeting the SharePoint flaws, and that multiple other threat actors have since started exploiting them as well.
Catch up quick: Over the weekend, Microsoft and several researchers warned about a new flaw in SharePoint servers that only affects customers running the software on-premises, on their own servers, and not the cloud-hosted SharePoint Online service.
- The vulnerability could allow hackers to access content stored in SharePoint and execute code.
- Some experts also said they've seen hackers stealing machine keys when they break in. Those are the ASP.NET cryptographic keys a server uses to sign and encrypt state it hands to clients, so an attacker holding them can mint requests the server accepts as legitimate and break back in even after the SharePoint flaw itself is patched.
- So far, victims have included the Education Department, national governments in Europe and the Middle East, universities, energy companies and an Asian telecommunications firm, according to news reports.
Zoom in: Linen Typhoon and Violet Typhoon are both government hacker teams that focus on espionage and stealing intellectual property, according to Microsoft.
- Storm-2603 takes a different approach and is known for stealing machine keys and deploying ransomware onto victims' devices. Microsoft says it's unclear what this hacking group's motives are.
In a statement Tuesday, a spokesperson for the Chinese embassy said that "we firmly oppose smearing others without solid evidence."
- "Cyberspace is characterized by strong virtuality, difficulty in tracing origins, and diverse actors, making the tracing of cyber attacks a complex technical issue," the spokesperson added, without directly referencing Microsoft's allegations.
- "We hope that relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations."
What's next: Microsoft released a full patch to resolve the SharePoint issue late Monday. Because patching alone does not evict an attacker who already holds a server's machine keys, the company also recommends that affected customers rotate those keys (and restart IIS so the new keys take effect) and turn on endpoint detection tools, such as antivirus and malware scanners, on their SharePoint servers.
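The rotation step above is the one most likely to be skipped, and the one that matters if keys were already stolen. The following PowerShell is an added example, not code from the Axios article or from Microsoft: it is assumed to run in an elevated SharePoint Management Shell on a farm server after the security update is installed. The cmdlet names (Get-SPWebApplication, Update-SPMachineKey) are the standard SharePoint Server cmdlets; the web.config read-back that confirms the key actually changed is this example's own check, and the web.config location it assumes (the Default zone's IIS site directory) is an assumption about the farm layout.

```powershell
# Added example (not from the article): rotate on-premises SharePoint machine
# keys after patching, then verify each web application's key really changed.
# Assumes an elevated SharePoint Management Shell on a farm server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ValidationKey {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp)
    # Assumption: the Default zone's IIS site directory holds the web.config
    # whose <system.web><machineKey> element carries the current keys.
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $siteDir = $WebApp.IisSettings[$zone].Path.FullName
    $xml = [xml](Get-Content -Path (Join-Path $siteDir 'web.config'))
    return $xml.configuration.'system.web'.machineKey.validationKey
}

# Record the keys in use before rotation so the change can be verified.
$before = @{}
foreach ($wa in Get-SPWebApplication) {
    $before[$wa.Url] = Get-ValidationKey $wa
}

# Rotate the keys for every web application. An attacker who copied the old
# keys during the intrusion cannot forge valid signed state once these change.
foreach ($wa in Get-SPWebApplication) {
    Update-SPMachineKey -WebApplication $wa
}

# New keys are only honoured once the IIS worker processes reload them.
iisreset.exe

# Read the keys back and flag any web application that still has the old one.
foreach ($wa in Get-SPWebApplication) {
    $after = Get-ValidationKey $wa
    if ($after -eq $before[$wa.Url]) {
        Write-Warning "Machine key for $($wa.Url) did not change; do not treat this server as clean."
    } else {
        Write-Host "Rotated machine key for $($wa.Url)"
    }
}
```

In a multi-server farm the new keys are pushed to the other web front ends by SharePoint itself, so the read-back should be repeated on each server before declaring the rotation complete; a key that did not change is a reason to investigate, not to move on.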
Editor's note: This story has been updated with a comment from the Chinese embassy.
