Microsoft Corp. on Tuesday warned that Chinese state‑sponsored hacking groups have been exploiting critical vulnerabilities in its on‑premises SharePoint software, compromising at least 60 organisations and hundreds of servers worldwide.
The tech giant identified two government‑backed actors, “Linen Typhoon” and “Violet Typhoon”, as well as a third group it labels “Storm‑2603,” all targeting unpatched SharePoint instances to gain persistent access and execute malicious code.
According to a Microsoft security blog, the breaches span multiple sectors, including energy companies, consulting firms, universities and national governments across Europe and West Asia. Among the most sensitive breaches, Microsoft confirmed that the US National Nuclear Security Administration (NNSA), the Energy Department arm responsible for nuclear weapons design and naval reactors, suffered unauthorised intrusions.
A spokesperson emphasised that no classified information is believed to have been exfiltrated, attributing the limited impact to the NNSA’s use of cloud‑hosted SharePoint. The vulnerabilities affect only on‑premises SharePoint Server, so cloud‑hosted tenants did not depend on administrators installing patches the way on‑premises deployments did.
Security researchers at CrowdStrike Holdings Inc. estimate that exploitation began around July 7, 2025 and initially bore hallmarks of intelligence‑driven operations before broadening to other Chinese‑linked hacking outfits. Adam Meyers, CrowdStrike’s senior vice‑president, noted the shift from targeted espionage to wider, opportunistic attacks against any vulnerable SharePoint server.
Bloomberg News corroborated that US federal and state entities, including the Department of Education, Florida’s Department of Revenue and the Rhode Island General Assembly, have also reported intrusions. The Florida agency confirmed an active investigation, while other bodies declined to comment.
Microsoft has released an emergency patch for on‑premises servers and urges administrators to apply it immediately. The company cautioned that threat actors will likely “continue to integrate these exploits into their attacks” and that remediation must include thorough forensic reviews to detect any lingering backdoors. Patching alone does not evict an intruder who has already used the flaw: Microsoft’s guidance also calls for rotating the server’s ASP.NET machine keys and restarting IIS after the update, because key material stolen before the patch can otherwise be reused for access. “Our investigations into other adversaries leveraging these vulnerabilities remain ongoing,” the blog stated.
In response to the allegations, the Chinese Embassy in Washington issued a statement denying involvement in cyberattacks and urging attribution only on the basis of “solid evidence,” decrying what it called “unfounded speculation.”
The Energy Department reported that the SharePoint exploit began affecting some of its platforms on July 18, 2025 but was largely contained due to its hybrid cloud strategy. As Microsoft and government agencies scramble to lock down affected environments, the incident highlights persistent risks in enterprise software and the critical importance of rapid patch deployment, especially for defence‑related networks.
With tens of thousands of organisations dependent on SharePoint for document collaboration, security experts warn that unpatched servers remain prime targets for both state and criminal hackers. Administrators are advised to prioritise patching and to monitor for unusual file‑system and network activity, such as web‑script files newly written under the SharePoint install directory or unexpected outbound connections from the server, to guard against similar sophisticated intrusions.
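One concrete form of the file‑system review the article recommends, written here as an added example rather than code from the article, from Microsoft or from any of the organisations named: list web‑script files that were created or modified on an on‑premises SharePoint server after the date CrowdStrike gives for the start of exploitation, and record their hashes for a forensic review. The install paths are the defaults for SharePoint 2016, 2019 and Subscription Edition and are an assumption here; the cutoff date is taken from the article. The script is read‑only and is meant to be run as a local administrator on the server.

```powershell
# Added example, not from the article or from Microsoft.
# Lists .aspx/.ashx/.asmx files written to SharePoint web-accessible paths after a cutoff
# and hashes them so they can be compared against a known-good server or patch package.

# Cutoff: the article reports exploitation began around this date (CrowdStrike estimate).
$Cutoff = Get-Date '2025-07-07'

# Assumed default locations: the SharePoint "hive" LAYOUTS folder and the IIS roots for
# SharePoint web applications. Adjust if the farm was installed elsewhere.
$Roots = @(
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:SystemDrive\inetpub\wwwroot\wss\VirtualDirectories"
)

$Findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # skip roots absent on this host
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                Bytes    = $_.Length
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Show results on screen and keep a CSV for the incident record.
$Findings | Sort-Object Created | Format-Table -AutoSize
$Findings | Export-Csv -LiteralPath "$env:TEMP\sharepoint-recent-webfiles.csv" -NoTypeInformation
```

Every hit needs triage rather than automatic alarm: installing the emergency update itself rewrites legitimate files under the hive after the cutoff, so compare each hash against a freshly patched reference server or the update package, and treat only unexplained files, particularly ones outside the set the patch touches, as candidate backdoors for the forensic review the article calls for.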