Microsoft has officially attributed a recent wave of extensive cyberattacks targeting its on-premises SharePoint servers to several hacking groups with ties to the Chinese government. The tech giant revealed that at least three China-linked entities – “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603” – have been actively exploiting critical vulnerabilities in the widely used collaboration platform, impacting dozens of organizations globally, including government agencies and critical infrastructure.
The attacks, which began as early as July 7, leveraged what researchers have dubbed the “ToolShell” exploit chain, targeting previously unknown “zero-day” vulnerabilities (CVE-2025-49706 and CVE-2025-49704). These flaws, initially demonstrated at the Berlin Pwn2Own hacking contest in May, allowed attackers to gain unauthorized access, steal credentials, and even deploy ransomware. While Microsoft released initial patches on July 8, hackers quickly found ways to bypass these fixes, top to continued unauthorized access.
Among the confirmed victims is the US National Nuclear Security Administration, though officials have stated that no sensitive or classified information was compromised in that specific breach. Other affected sectors span government, telecommunications, energy, consulting, and education across North America, Europe, and the Middle East. Cybersecurity firm Eye Security reported detecting compromises on over 100 servers belonging to 60 victims in various countries.
Microsoft’s Threat Intelligence team highlighted that “Linen Typhoon” and “Violet Typhoon” are known Chinese nation-state actors with a history of espionage, targeting government, defense, human rights, and other sensitive sectors. “Storm-2603,” while assessed with “medium confidence” as China-based, has been observed deploying Warlock ransomware, indicating potentially financially motivated objectives alongside traditional espionage.
This incident has amplified scrutiny on Microsoft’s cybersecurity practices, following a 2024 US government report that criticized the company’s security culture. Microsoft has stated it is working closely with agencies like CISA and has implemented measures to enhance software resilience.
In response to the escalating threat, Microsoft has urged all organizations using on-premises SharePoint servers to immediately apply the latest security updates, including CVE-2025-53770 and CVE-2025-53771, which address the bypasses. The company also recommends enabling Antimalware Scan Interface (AMSI) integration, deploying Microsoft Defender Antivirus, and rotating server security keys to mitigate further risks. SharePoint Online (cloud-based) services are not affected by these specific vulnerabilities.
The Chinese embassy in Washington D.C. has denied the allegations, stating that China “firmly opposes all forms of cyberattacks” and criticizes “smearing others without solid evidence.” However, Western cybersecurity firms and government agencies frequently attribute state-sponsored hacking operations to China. As investigations continue, the full scope and impact of these widespread attacks remain under assessment.
