In mid‑July 2025, a devastating cyber‑espionage campaign was launched against on‑premises Microsoft SharePoint servers—widely used by businesses, governments, universities, and utility providers around the globe. Leading cybersecurity investigations reveal that multiple Chinese‑affiliated threat groups orchestrated the breach, exploiting critical vulnerabilities to extract cryptographic keys and plant persistent backdoors. This article unpacks the unfolding incident, its scale, the technical tradecraft involved, and the urgent response from Microsoft and cybersecurity defenders.
Table of Contents
What Happened
Around July 18, threat intelligence firms first flagged a “zero‑day” breach in SharePoint Server software—an issue that remained undetected until hackers began exploiting it aggressively. This flaw allowed unauthorised actors to access sensitive key material, enabling them to install malware and maintain unsanctioned access to affected networks.
While Microsoft’s cloud-based SharePoint Online remained untouched, its on‑premises counterpart—installed within organisations’ own infrastructure—became the primary target across multiple sectors and geographies.
Who’s Behind the Attacks
Microsoft directly attributed the breach to three Chinese-aligned threat actors:
- Linen Typhoon (also known as APT27), linked with long-term intelligence gathering, particularly targeting defence, human rights, and government agencies.
- Violet Typhoon (APT31), a group focused on espionage across media, finance, academia, and government sectors in Western countries.
- Storm‑2603, believed to have moderate confidence of Chinese origin.
In addition, cybersecurity firm Eye Security noticed IP addresses associated with Chinese-source traffic during the breaches, and Google’s Mandiant dubbed the perpetrator a “China-nexus threat actor.”
These groups are part of China’s wider cyber‑espionage complex—akin to past actions by Hafnium in the 2021 Exchange Server breach—and carry strategic goals of long-term intelligence gain.
Scale & Global Reach
Although reports vary slightly, forensic scans by Shadowserver and Eye Security have identified around 100 victims so far, notably in the U.S., Germany, and other industrialised nations. However, experts warn that over 8,000 to 9,000 SharePoint servers worldwide remain vulnerable.
Notable affected organisations include:
- U.S. federal and state agencies
- A major California energy operator
- A fintech provider in New York
- Educational institutions and research bodies
- International energy and healthcare entities
- Even the U.S. National Nuclear Security Administration, as reported by Bloomberg.
Technical Breakdown: How the Hack Works
The attackers orchestrated the breach by exploiting two critical vulnerabilities in self-hosted versions of Microsoft SharePoint Server:
- CVE‑2025‑49706 – an authentication spoofing flaw
- CVE‑2025‑49704 – a remote code execution weakness.
These flaws allowed hackers to:
- Gain initial access and steal cryptographic “key material”
- Install persistent malware or backdoors
- Harvest credentials and escalate privileges
- Maintain a covert and resilient presence even after patching
Security researchers caution that patching alone is insufficient, especially for servers already compromised. Necessary mitigation includes:
- Rotating cryptographic keys
- Deploying enhanced monitoring
- Deploying anti-malware tools
- Conducting comprehensive incident response.
Microsoft’s Response & What Organisations Must Do
Microsoft responded rapidly after discovering active breaches:
- Released patches for SharePoint 2016, 2019, and Subscription Edition.
- Issued guidance recommending immediate patching—or offline isolation if updates cannot be applied.
- Emphasised enabling Microsoft Defender or equivalent, plus full antimalware integration (AMSI), to prevent unauthorised code execution.
- Alerted customers to assume breach, inspect for post‑patch backdoors, and rotate cryptographic tokens.
Federal investigators—FBI, CISA, NCSC (UK), and counterparts in Canada and Australia—mobilised to coordinate response, forensics, and attribution.
Why This Attack Matters
This incident marks one of the most significant espionage operations targeting Microsoft infrastructure since the Exchange Server attacks in 2021. Key takeaways:
- Targeted espionage: These attacks are characteristic of Chinese cyber‑espionage, focused on critical infrastructure, government, energy, finance, and healthcare.
- Zero‑day exploitation without public warning: Due to their stealth and rapid deployment, zero-day flaws leave defenders exposed.
- Microsoft supply‑chain scrutiny: Lawmakers are scrutinising Microsoft’s recurrent breaches and its use of China‑based engineers.
- Global coordination needed: Public‑private partnerships are crucial in closing this class of vulnerabilities and establishing trust.
Immediate Steps All Organisations Should Take
- Apply Patches Immediately – Ensure all on-premises SharePoint servers are fully updated.
- Enable AMSI & Anti‑Malware Protection – Microsoft Defender or reputable AV tools should be enabled in full.
- Rotate Cryptographic Keys – Any potentially stolen key material must be replaced.
- Conduct Forensic Analysis – Check logs and deployed binaries for signs of intrusion.
- Isolate or Rebuild – Consider temporary isolation or full server rebuild if compromise is confirmed.
- Engage Cybersecurity Experts – Involve incident response professionals where needed.
- Strengthen Defence Posture – Review system hardening, patch management, and MFA across the environment.
What Lies Ahead
- Continued exploitation: Microsoft warns that unpatched systems remain high-value targets.
- New threat group activity: Other adversaries may copy the exploit or join the campaign.
- Regulatory and legislative pressure: Governments will likely enforce stricter remediation timelines and supply chain audits.
- Heightened geopolitical tension: The breach occurs amid rising tech & cyber rivalry between the U.S. and China.
- Advanced defensive practices: Organisations will likely accelerate adoption of zero‑trust models, real‑time threat detection, and system segmentation.
Conclusion
The Microsoft SharePoint server hack by Chinese-linked cyber actors is more than a data breach—it’s a strategic, global espionage operation striking at the heart of enterprise collaboration systems. Although Microsoft swiftly released a patch, the long‑term impact hinges on whether organisations act beyond simple remediation and assume breach. This incident serves as a stark reminder: cyber‑resilience requires constant vigilance, coordination, and proactive defence.
Join Our Social Media Channels:
WhatsApp: NaijaEyes
Facebook: NaijaEyes
Twitter: NaijaEyes
Instagram: NaijaEyes
TikTok: NaijaEyes
