Some of the attacks that targeted organizations using an exploit in Microsoft’s SharePoint server platform over the last few days have been linked to hacking groups affiliated with the Chinese government, according to a new Microsoft security blog.
“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” Microsoft said on Tuesday. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.”
Eye Security told BleepingComputer it’s identified 54 organizations that have been breached, including a private university, a private energy operator in California, and a federal government health organization. The Washington Post reports that anonymous sources working on the SharePoint intrusions said they’ve also identified that some attacks were connected to IP addresses inside China.
Microsoft released a patch update for SharePoint 2016 servers on Tuesday morning, and it has now patched all versions of SharePoint that are impacted by the zero-day exploit. Microsoft’s update says it has assessed “with high confidence” that threat actors will continue using it to attack unpatched server systems now that it’s widely known. The vulnerability, which researchers at Eye Security published details about last week, allows hackers to access certain on-premises versions of SharePoint to steal sensitive data, harvest passwords, and move across connected services.