Insights into the Microsoft SharePoint Hacking Incidents
In a recent development, three China-based hacker groups - Linen Typhoon, Violet Typhoon, and Storm-2603 - have been identified as participating in a series of cyberattacks targeting Microsoft SharePoint servers.
Linen Typhoon and Violet Typhoon, known for espionage and intellectual property theft, have been active since 2012 and 2015, respectively. Linen Typhoon (also tracked as APT27) and Violet Typhoon (also tracked as APT31) have a history of targeting a range of geopolitical regions for intelligence gathering.
Storm-2603, on the other hand, is a threat actor known for stealing machine keys and deploying ransomware such as Warlock and LockBit. Its motivations seem to be more financially or disruption-oriented than purely espionage-driven.
The attacks, which began in early July and escalated last week, exploit previously unknown vulnerabilities in Microsoft SharePoint. The attack sequence, combining remote code injection and network spoofing vulnerabilities, is tracked as CVE-2025-49704 and CVE-2025-49706.
Microsoft has since released security updates for SharePoint 2016, 2019, and SharePoint Subscription Edition that address these vulnerabilities (CVE-2025-53770 and CVE-2025-53771). After updating, customers are advised to configure Antimalware Scan Interface (AMSI) integration, rotate the SharePoint Server ASP.NET machine keys, and restart Internet Information Services (IIS) on all SharePoint servers.
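The three post-update steps above can be scripted from the SharePoint Management Shell on a patched server. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes the `Update-SPMachineKey` cmdlet is present on the installed SharePoint build (it is the cmdlet Microsoft's key-rotation guidance points to; on builds without it, keys are rotated from Central Administration), that the script runs as a farm administrator, and that Microsoft Defender is the antimalware engine (the `Get-MpComputerStatus` check is only a prerequisite check for AMSI integration, which itself is enabled in Central Administration).

```powershell
# Added example, not from the article or Microsoft: scripts the post-update
# hardening steps (AMSI prerequisite check, machine-key rotation, IIS restart).
# Assumptions (verify on your build): Update-SPMachineKey exists, the caller is a
# farm administrator, and Microsoft Defender provides the AMSI-capable engine.
#Requires -RunAsAdministrator
param(
    [switch]$WhatIf   # dry run: report what would change, modify nothing
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# 1. Confirm the cmdlet the key rotation depends on actually exists here.
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey not found: rotate keys from Central Administration, or update SharePoint first."
}

# 2. AMSI integration only helps if an AMSI-capable antimalware engine is running.
#    Assumption: Defender is the engine; its status is exposed by Get-MpComputerStatus.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp -or -not $mp.AMServiceEnabled) {
    Write-Warning "No running AMSI-capable antimalware engine detected; enabling AMSI integration in Central Administration will have nothing to call."
}

# 3. Rotate the ASP.NET machine keys for every web application in the farm.
#    Keys stolen before the update stay valid until they are rotated, which is
#    why the vendor guidance treats rotation as part of the fix, not optional.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    if ($WhatIf) { Write-Host "Would rotate machine key: $($webApp.Url)"; continue }
    Update-SPMachineKey -WebApplication $webApp
    Write-Host "Rotated machine key: $($webApp.Url)"
}

# 4. Restart IIS so every worker process loads the patched binaries and new keys.
#    Key rotation is farm-wide, but this restart must run on each SharePoint server.
if (-not $WhatIf) { & iisreset.exe /noforce }
```

Run it once with `-WhatIf` to list the web applications that will be touched, then without it during a maintenance window; repeat only the final `iisreset.exe` step on the remaining servers in the farm.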
The Department of Homeland Security (DHS) is investigating reports that these hacks have compromised multiple federal agencies and state and local government entities. The Shadowserver Foundation has reported at least three hundred confirmed compromises of Microsoft SharePoint customers worldwide.
Microsoft later released an urgent advisory and disclosed a vulnerability tracked as CVE-2025-53770. Researcher Khoa Dinh originally discovered the attack chain, and Code White GmbH was able to reproduce the attack chain earlier this month. However, according to Benjamin Harris, CEO of watchTowr, Microsoft's initial patches for the vulnerabilities were incomplete.
Researchers at Rapid7 have posted an exploit module on GitHub for CVE-2025-53770 and CVE-2025-53371 to help security teams test their environments. Defenders are urged to act immediately on any SharePoint servers in their environments and apply the vendor patches on an emergency basis rather than waiting for the regular patch cycle.
- The recent cyberattacks on Microsoft SharePoint servers, led by three Chinese hacker groups, have exposed a new vulnerability tracked as CVE-2025-53770.
- The threat actor group Storm-2603, notorious for deploying ransomware such as Warlock and LockBit, is among the three China-based groups implicated in the data breach.
- Infosec professionals are encouraged to follow Microsoft's security advice and apply the latest patches for SharePoint 2016, 2019, and SharePoint Subscription Edition to defend against the identified vulnerabilities.
- The cybersecurity community's concern over the Microsoft SharePoint data breach extends beyond corporate entities, as government agencies and local governments have also been reportedly affected.