Breaking Attack Details
Microsoft announced on Tuesday that hackers linked to China have been exploiting critical zero-day flaws in SharePoint servers since July 7, hitting more than one hundred organizations, including government bodies, universities, and large companies across the United States, Germany, and elsewhere.
Analysts at Google’s Mandiant unit first reported seeing at least one China‑nexus actor using these flaws on July 7 and then intensifying their efforts around July 18 and 19, which suggests that threat actors moved quickly after the initial discovery.
Affected Threat Groups
The security teams at Microsoft have now tied three actor clusters to the campaign, labeling them Linen Typhoon, Violet Typhoon, and Storm 2603. Linen Typhoon, which began operations around 2012, often seeks to steal research and trade secrets from defense firms and rights organizations, while Violet Typhoon focuses on spying on former officials, think tanks, and nonprofit groups in Europe, East Asia, and the United States.
Storm 2603, which security experts assess with medium confidence to be China-based, has deployed ransomware families before but now appears more interested in covert access that persists even after the underlying flaws are patched.
Technical Flaws and Impact
The flaws, collectively known as ToolShell, were first demonstrated at a Berlin hacking contest in May, where a researcher earned a six-figure reward for finding them; although Microsoft rolled out an initial patch in July, attackers soon developed bypasses that let them slip past the updates.
These bugs allow hackers to capture cryptographic keys, gain full rights on a server, and keep access alive even when admins think they have fixed the problem. Check Point Research first spotted an unnamed Western government under attack on July 7, and then saw the strikes spread into telecom and software companies within days.
Response and Advice
In response, the U.S. Cybersecurity and Infrastructure Security Agency added the flaws to its catalog of known exploited vulnerabilities and ordered all federal agencies to apply the latest fixes immediately. Microsoft has now published full updates for every affected SharePoint edition and urged admins to review their logs for signs of past breaches, while firms such as Sophos warn that systems without complete remediation could remain at risk long after the patches are applied, since cryptographic keys stolen before patching stay valid until they are rotated.
Personal Analysis
This incident shows that even major vendors struggle to stay ahead of skilled adversaries once zero-day information becomes public, and it underlines how vital it is for organizations to maintain fast patch cycles and active network monitoring, because attackers may lie dormant for weeks. It also suggests that security teams must assume that any patch they have not verified could be bypassed, so they should strengthen endpoint defenses and plan for rapid incident response if they detect unexpected server activity.
Sources: cnbc.com