Axios Future of Cybersecurity

July 22, 2025
Happy Tuesday! Welcome back to Future of Cybersecurity.
📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,635 words, a 6-minute read.
1 big thing: Microsoft hack fallout is just beginning
A critical flaw in a major Microsoft document storage tool is hitting the organizations least able to defend themselves, security researchers and incident responders tell Axios.
Why it matters: Schools, hospitals and government agencies are "sitting ducks" as they determine whether their servers have even been affected, one security executive said.
- Hackers are rushing into the breach, including groups linked to the Chinese government.
Driving the news: Microsoft warned over the weekend of "active attacks" targeting a "zero-day" vulnerability in its on-premise SharePoint server.
- Today, the company said it has observed at least three China-based hacking groups, including two tied to the government, exploiting the vulnerability since as early as July 7. Charles Carmakal, CTO at Google's Mandiant, added that multiple threat groups are also now exploiting the bug.
- The Cybersecurity and Infrastructure Security Agency confirmed that attackers could exploit the bug to gain access to sensitive files or execute code remotely.
- At least one estimate puts the number of already compromised organizations near 100. The Washington Post reports that victims include state and federal agencies, universities, an energy company, and an Asian telecommunications firm.
- "It's not one specific group that is going to be doing the hacking of this anymore," Michael Sikorski, CTO at Palo Alto Networks' Unit 42 threat intelligence team, told Axios. "Everybody's getting on the train."
The big picture: Security teams will likely spend weeks, even months, unpacking the full scope of the breach and what damage is still to come.
- Researchers say the hackers have been stealing machine keys from targeted entities, which will allow them to keep breaking into the organizations even after they patch the SharePoint issue.
- "Because the attack blends in with just normal, legitimate activity, it's quite hard to detect what's unusual and what's atypical," Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers, told Axios.
Zoom in: Sikorski said Unit 42 is actively working with Microsoft to notify affected entities, but many victims likely still don't know they've been hit.
- "For those organizations that don't have a threat detection or red team capability built in, they are undoubtedly going to be at a longer time of risk for this because they just don't have the visibility," McGladrey said.
Between the lines: The flaw mostly threatens legacy SharePoint systems still used by smaller public-sector entities and critical-infrastructure operators.
- Those organizations are unlikely to have the resources to quickly spin up their own investigations and response teams, Sikorski said.
- "That's the scary part," Sikorski said. "Not only are they sitting ducks, but they don't have the capability to deal with it."
The intrigue: While Microsoft released a patch Monday to fix the issue in all affected versions of SharePoint, even patched systems may not be fully safe if attackers already gained entry, stole machine keys or installed new backdoors.
What's next: Security experts say the SharePoint hacking activity will likely unfold in waves.
- Opportunistic hackers, such as cybercriminal gangs, will race to exploit exposed servers, aiming to steal login credentials, plant backdoors and deploy ransomware.
- Meanwhile, stealthier groups, including nation-state actors, will burrow into high-value organizations for the long haul, quietly stealing sensitive data and setting up persistent access that could go undetected for months.
2. Brain drain in State's cyber diplomacy work
Layoffs, buyouts and early retirements have led to major brain drain within the State Department's three-year-old cyber diplomacy office.
Why it matters: As the Trump administration eyes increased offensive hacking operations, cyber diplomacy will be needed more than ever to avoid escalatory spirals with foreign adversaries.
Driving the news: Several news reports in the last week said cyber-focused employees across the State Department had been laid off as part of the agency's wide-scale cuts.
- Liesyl Franz, deputy assistant secretary for international cyberspace security, was placed on administrative leave, according to Nextgov. Franz has been at the State Department since 2012.
- Between nine and 11 staffers in the Bureau of Cyberspace and Digital Policy were fired, according to Cybersecurity Dive. Jennifer Bachus, the bureau's acting head, was reassigned to a different position.
- State is also planning to move various offices within the bureau into other parts of the department, Politico and Cybersecurity Dive both reported.
- The bureau's Office of the Coordinator for Digital Freedom, which promotes internet freedom, online safety and human rights, has been dismantled, according to the reports.
The big picture: The cyber-related cuts came as the State Department laid off around 1,300 agency personnel on July 11, coinciding with the Supreme Court green-lighting the administration's plans to fire federal workers.
- The Office of Science and Technology Cooperation also faced layoffs.
What they're saying: A State Department spokesperson declined to provide a breakdown of the layoffs by bureau but said the agency expects to lose nearly 3,000 employees worldwide as part of its reorganization.
- "Secretary Rubio is committed to ensuring the Department moves at the speed of relevancy," the spokesperson said in a statement. "This includes restoring our Department to its roots: results-driven diplomacy, powered primarily by our overseas posts and our regional bureaus in Washington."
Between the lines: The cuts at the Bureau of Cyberspace and Digital Policy will hinder efforts to protect against adversarial nation-state attacks, security experts tell Axios.
- Chris Painter, the State Department's top cyber diplomat from 2011 to 2017, called the layoffs "a gift to our adversaries who are ramping up, not dismantling, their teams and capabilities."
- Annie Fixler, director of the Foundation for Defense of Democracies' Center on Cyber and Technology Innovation, said many of the employees who have left the department oversaw programs that managed congressionally mandated cyber foreign aid funds.
- "You need experts who can run those programs who understand specifically how cyber foreign aid works," Fixler said. "I'm concerned about the loss of that kind of expertise."
The intrigue: The layoffs have also prompted many cyber workers at State to leave proactively, Fixler added.
- "They have other job offers, they have expertise that is valuable in many different industries — cybersecurity expertise, geopolitical expertise — and so they're moving on," she said.
Flashback: The Bureau of Cyberspace and Digital Policy started operating in April 2022, as directed by Congress.
- The bureau made its first major splash at the RSA Conference last year when then-Secretary of State Antony Blinken gave a keynote speech.
What to watch: While many of the layoffs impacted probationary employees who have few employment protections, some officials can appeal their firings.
3. So... about that Ring "hack"
Ring camera users were convinced this past week that someone had broken into their accounts.
- The truth? A backend update was actually the culprit, not hackers.
Why it matters: A lack of public awareness and the speed of social media have made it difficult for people to know what reported hacks are really worth worrying about.
Driving the news: Late last week, social media users shared concerns on TikTok about a series of mysterious logins on their Ring cameras on May 28 from devices they didn't recognize.
- Users immediately jumped to the conclusion that people were hacking their videos and surveilling them.
- "I want to throw up, I feel sick, my skin is crawling," one user said in a video Friday about the apparent hack, adding that she was upset that Ring never notified her.
Yes, but: The hacks never happened, according to Amazon-owned Ring.
- A backend update reportedly caused old device entries to reappear or display incorrectly in users' login history, triggering panic about unknown access.
- "We're working to resolve this," the company said in a statement Friday. "We have no reason to believe this is the result of unauthorized access to customer accounts."
The big picture: This is the second time in as many months that a viral cybersecurity "breach" turned out to be a false alarm.
- Last month, headlines warned of a massive leak of 16 billion passwords — but most of them had already been exposed years ago and reposted online.
Between the lines: Social media runs on fear, and users are especially vulnerable to scary headlines that suggest their security has been compromised.
The intrigue: Adding to the fear is Ring's own privacy and security track record.
- The company has previously faced criticism over both its security features and its law enforcement partnerships, leaving users wary of any signs their cameras might be compromised.
The bottom line: Suspect a breach of your communications? Take a deep breath and try to verify before panicking. Start by contacting customer support or checking credible news sources.
4. Catch up quick
@ D.C.
🏛️ Sean Plankey, Trump's pick to lead CISA, will testify before the Senate Homeland Security Committee on Thursday. (Nextgov)
🤖 OpenAI CEO Sam Altman is making the rounds at various D.C. events this week to argue that AI is already making Americans more productive. (Axios)
☎️ A top Secret Service official was the subject of a "swatting" incident, adding to a string of government figures who have been targeted with prank 911 phone calls. (Axios)
@ Industry
💰 iCounter, the new startup from cyber veteran John Watters, raised a $30 million Series A round led by SYN Ventures. (Axios Pro)
@ Hackers and hacks
🏥 At least 750 hospitals faced disruptions during the global CrowdStrike outage last year. (Wired)
🇨🇳 The number of suspected China-linked hacks more than doubled in 2024 from the year before to more than 330 and continued to climb during the first months of the new administration. (Washington Post)
💥 European authorities led a takedown of NoName057(16), a pro-Russian hacktivist group that's claimed responsibility for more than 1,000 denial-of-service attacks since the Russian invasion of Ukraine. (Bloomberg)
5. 1 fun thing
The countdown to this year's Black Hat and DEF CON conferences is on, and this week, I have another fun event to share: Analyst1's Jon DiMaggio's talk on his undercover stint with the LockBit ransomware gang.
- 🎲 The event is at The Mob Museum (enticing), and it gets you off the Vegas Strip. What's not to love?
☀️ See y'all next week!
Thanks to Dave Lawler for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Future of Cybersecurity, spread the word.