
Microsoft has announced that Chinese "threat actors" have hacked some of its customers' on-premises SharePoint servers, targeting the data of the businesses using them. Microsoft identified the Chinese state-backed groups Linen Typhoon and Violet Typhoon, along with the China-based Storm-2603, as the perpetrators, saying they exploited vulnerabilities in the on-premises version of SharePoint Server, which is used by businesses, but not in its cloud-based service.
The US tech giant has released security updates in response and has advised all on-premises SharePoint server customers to install them.
"China firmly opposes and combats all forms of cyber attacks and cyber crime," China's US embassy spokesman said in a statement.
"At the same time, we also firmly oppose smearing others without solid evidence," continued Liu Pengyu in the statement posted on X.
Microsoft said it had "high confidence" the hackers would continue to target systems which have not installed its security updates.
"Investigations into other actors also using these exploits are still ongoing," Microsoft said in a statement.
It added that it would update its website blog with more information as its investigation continues.
Microsoft said it had observed attacks in which hackers had sent a request to a SharePoint server "enabling the theft of the key material by threat actors".
The UK's National Cyber Security Centre said this included "a limited number" of SharePoint Server customers in the UK.
Microsoft said Linen Typhoon had "focused on stealing intellectual property, primarily targeting organizations related to government, defence, strategic planning, and human rights" for 13 years.
It added that Violet Typhoon had been "dedicated to espionage", primarily targeting former government and military staff, non-governmental organizations, think tanks, higher education, the media, the financial sector and the health sector in the US, Europe, and East Asia.
Meanwhile, Storm-2603 was "assessed with medium confidence to be a China-based threat actor".
Charles Carmakal, chief technology officer at Mandiant Consulting, a division of Google Cloud, said it was "aware of several victims in several different sectors across a number of global geographies".
Carmakal said it appeared that governments and businesses that use SharePoint on their sites were the primary target.

