Chinese hackers
 

NY Times: Chinese Hackers Are Exploiting Flaws in Widely Used Software, Microsoft Says

The company said state-backed hacking groups were breaching systems through flaws in SharePoint, which is used by the U.S. government and companies around the world.

July 23, 2025Updated 1:37 p.m. ET

Microsoft said that Chinese state-sponsored actors were exploiting vulnerabilities in one of its popular collaboration software products, SharePoint, which is used by U.S. government agencies and many companies worldwide.

Microsoft said in a notice on its security blog on Tuesday that it had identified at least two China-based groups linked to the Chinese government that it said had been taking advantage of security flaws in its SharePoint software. Such attacks aim to sneak into the computer systems of users.

Those groups, called Linen Typhoon and Violet Typhoon, were ones that Microsoft said it had been tracking for years, and which it said had been targeting organizations and personnel related to government, defense, human rights, higher education, media, and financial and health services in the United States, Europe and East Asia.

Microsoft said another actor, which it called Storm-2603, was also involved in the hacking campaign. It said it had “medium confidence” that Storm-2603 was a “China-based threat actor.”

The U.S. government’s Cybersecurity and Infrastructure Security Agency issued a notice that said it was aware of the hacking attack on SharePoint. It added that it had notified “critical infrastructure organizations” that were affected.

“While the scope and impact continue to be assessed,” the agency said, the vulnerabilities would enable “malicious actors to fully access SharePoint content, including file systems and internal configurations and execute code over the network.”

A Microsoft spokesperson wrote in an emailed response that the company had been “coordinating closely” with the Cybersecurity and Infrastructure Security Agency, the Department of Defense’s Cyber Defense Command and “key cybersecurity partners globally throughout our response.”

The Chinese Embassy in Washington did not immediately respond to a request for comment. China has routinely denied being behind cyberattacks and asserts that it is a victim of them.

Microsoft said in its blog post that investigations into other actors also using these exploits were still ongoing.

Eye Security, a cybersecurity firm, said that it had scanned more than 23,000 SharePoint servers worldwide and discovered that more than 400 systems had been actively compromised.

The cybersecurity firm also noted that the breaches could allow hackers to steal cryptographic keys that would allow them to impersonate users or services even after the server was patched. It said users would need to take further steps to protect their information.

James Corera, the director of the cyber, technology and security program at the Australian Strategic Policy Institute, a research group, said that being able to deploy back doors to enable long-term access was “a level of sophistication typically associated with the most advanced actors.”

While there was no public confirmation that the Chinese hackers had stolen those cryptographic keys, it was clear that China’s state-sponsored operations had become increasingly precise in recent years, he said.

“Chinese state-sponsored cyber actors have steadily evolved from opportunistic to highly disciplined operators,” Mr. Corera wrote in written responses to questions. “What we’re seeing now is a level of sophistication in initial access, lateral movement, and credential harvesting that exceeds what many governments and vendors had anticipated.”

Indeed, American officials have grown increasingly alarmed by Chinese hacking capabilities. During a breach of the U.S. telecommunications system last year, a group linked to a Chinese intelligence agency was able to listen in on telephone conversations and read text messages, members of Congress said. The hack was considered so severe that former President Joseph R. Biden took it up directly with Xi Jinping, China’s leader, when they met in Peru in November.

With this latest breach, a researcher with Viettel Cyber Security, a Vietnamese security firm, uncovered the SharePoint vulnerability at a May security conference called Pwn2Own in Berlin. On May 16, the researcher won a $100,000 award at the conference for uncovering the weakness.

The vulnerability was shared with Microsoft on May 29, according to the Zero Day Initiative, which tracks security exposures and hosted the security confernce.

Microsoft said it noticed hackers had been trying to use the software weaknesses to gain access to “target organizations” since July 7. The company issued security updates the next day, as part of its weekly batch of security patches, and urged users to install them immediately.

But those patches only partially solved the problem. Microsoft said on July 19 that it was aware of attempts to exploit those vulnerabilities, and has since issued updates to its patches and guidance to customers that it says, if followed, “fully protect customers.”

Cybersecurity firms had said that they believed Chinese actors were among those attackers, even before Microsoft said so on Tuesday.

SharePoint helps organizations create websites and manage documents. It integrates with other Microsoft services such as Office, Teams and Outlook.

Microsoft said the vulnerabilities affected only on-premises SharePoint servers, meaning those managed by organizations on their own computer networks, and not those operated on Microsoft’s cloud.

Palo Alto Networks, a cybersecurity company, said in a post about the breach that on-premises servers “particularly within government, schools, health care (including hospitals) and large enterprise companies” were “at immediate risk.”

“A compromise in this situation doesn’t stay contained, it opens the door to the entire network,” the cybersecurity company said.

Karen Weise contributed reporting from Seattle.

Vivian Wang is a China correspondent based in Beijing, where she writes about how the country’s global rise and ambitions are shaping the daily lives of its people.

Shocking! This is the first that I'd ever heard of Chinese govt backed cyberwarfare. And this is so unlike them.

The only thing about this that should be surprising is that there are so many systems that are out there with active vulnerabilities, but it's not actually surprising at all. Some companies are super diligent about cybersecurity, but there are plenty that are not. And "government systems" is a wide net that includes all sorts of systems that have low budgets and are barely or poorly maintained.

DoD is well aware of this breach, trust me.

We've moved heavily into Sharepoint (I'm not pleased with that) and most of our AI tools live in that space, too. This is bad juju.

Microsoft's fault, they were notified, did nothing, then once active exploits were happening they tried to patch.

Stop writing ****ty code...

The Chinese (Govt) are not our friends and want nothing more than to see our downfall. I wish there was someway to sever all ties and relations with them.

Yea, We use Office 365 to use Outlook. For a while an appointment would just appear on my calendar from some company I never heard of. I ever accepted the appointment, it just appeared. I just deleted it and it was gone. A week later a different apt. with a different company appeared. I never read what the appointment was about, I just deleted it.

That should never be possible with Outlook. Hopefully that hole was fixed, as I have not seen one recently.

Yeah, I have been avoiding all of the cloud based apps. I've got a version of Office that came on disk or was downloadable. I'll use that one as long as I can. If using it for a business holding out like that may be either more difficult or not the best option.

I'd love to be able to buy an older version of photoshop that would run on my computer and wouldn't be in the cloud. But in the meantime, I'll do without before I'll buy a subscription to something.