Microsoft Identifies Chinese Hacking Groups Responsible For SharePoint Hack

Microsoft has identified Chinese hacking groups responsible for exploiting vulnerabilities in its SharePoint servers, targeting numerous organizations. The company detailed how these groups, including state-sponsored actors Linen Typhoon and Violet Typhoon, along with another group known as Storm-2603, have been exploiting newly disclosed vulnerabilities in on-premises SharePoint servers. These vulnerabilities allow attackers to spoof authentication credentials and execute malicious code remotely, posing significant risks to unpatched systems.

The company released security updates to address these vulnerabilities and strongly urged all users of on-premises SharePoint systems to apply the updates immediately. According to Microsoft, these attacks began as early as July 7, 2025, with hackers attempting to gain initial access to target organizations. The attacks have already impacted over 400 agencies and businesses, with a majority of the victims located in the United States.

The Chinese hacking groups involved have a history of targeting government, defense, and strategic planning organizations. Linen Typhoon, active since 2012, focuses on stealing intellectual property, while Violet Typhoon has been dedicated to espionage since 2015, targeting various sectors including NGOs, think tanks, and higher education. Storm-2603, although not directly linked to the other groups, has been deploying ransomware using these vulnerabilities.

Microsoft has emphasized the importance of applying security updates and implementing additional security measures such as enabling Microsoft Defender Antivirus and rotating SharePoint server ASP.NET machine keys to prevent further exploitation. The company warns that threat actors will continue to target unpatched systems, making immediate action critical for organizations using SharePoint servers.

