Microsoft is facing mounting scrutiny after Chinese state-linked hacking groups exploited a critical flaw in its SharePoint server software, compromising data from government agencies and major businesses across the globe, including the U.S. agency that oversees nuclear weapons, according to multiple sources including Bloomberg and Reuters.

The vulnerability, discovered in May at a Berlin-based cybersecurity competition hosted by Trend Micro, was dubbed "ToolShell" and earned its Vietnamese military-linked researcher a $100,000 prize. Although Microsoft released a patch on July 8, cybersecurity firms reported within days that hackers had developed exploits bypassing the fix. "Threat actors subsequently developed exploits that appear to bypass these patches," Sophos wrote in a blog post on Monday.

In a blog update, Microsoft attributed the campaign to three Chinese groups: Linen Typhoon, Violet Typhoon, and Storm-2603. The company said it observed attackers sending crafted requests to SharePoint servers that enabled theft of encryption keys and persistent access.

Linen Typhoon has targeted government, defense, and human rights entities for more than a decade, while Violet Typhoon has focused on espionage against former military personnel, NGOs, media, and financial sectors. Microsoft assessed Storm-2603 as a China-based actor with "medium confidence."

Charles Carmakal, CTO of Google Cloud's Mandiant Consulting, confirmed his firm was "aware of several victims in several different sectors across a number of global geographies." He added the flaw was exploited "very opportunistically before a patch was made available."

Bloomberg reported that the U.S. National Nuclear Security Administration, responsible for maintaining the nation's nuclear weapons stockpile, was among those breached. No classified information is known to have been compromised.

Trend Micro stated vendors are expected to patch flaws "in an effective and timely manner," but acknowledged that "patches will occasionally fail." Microsoft's spokesperson confirmed the original fix did not resolve the issue but said follow-up patches have now been issued.

The scale of the breach is significant. The Shadowserver Foundation identified more than 9,000 potentially vulnerable servers, mostly in the U.S. and Germany, including in networks associated with auditors, banks, health care companies, and state-level government bodies. Search engine Shodan showed over 8,000 such systems online.

Germany's Federal Office for Information Security (BSI) said Tuesday it had found no evidence of compromised government SharePoint servers, even though vulnerable systems existed within the government network.

As investigations continue, Microsoft said it will update customers through its website. "Investigations into other actors also using these exploits are still ongoing," the company noted.

China's embassy in Washington denied involvement, stating that China opposes all forms of cyberattacks, and accused Microsoft of "smearing others without solid evidence." Microsoft and Alphabet have both said China-linked hackers are likely behind the initial wave of intrusions.