- Espionage appears to be the work of either a single hacker or a small, tightly coordinated group.
A sweeping cyber espionage operation targeting Microsoft’s self-hosted SharePoint servers, identified in late May, has compromised approximately 100 organisations globally, predominantly in the United States and Germany, including several government entities.
The operation exploits a zero-day vulnerability, a security flaw unknown to the vendor and therefore unpatched at the time of the attacks, that grants the perpetrators unauthorised access to sensitive internal networks.
SharePoint servers, widely deployed across organisations to facilitate document sharing and collaborative work, became the focal point of this attack. Notably, Microsoft clarified that SharePoint instances hosted on its own cloud servers remained unaffected, limiting the breach to self-hosted (on-premises) deployments.
The attack vector allows spies to infiltrate vulnerable servers and implant backdoors, ensuring persistent and undetected access. This prolonged presence within the victims’ digital infrastructure poses substantial risks, potentially enabling further espionage or sabotage activities.
China on the radar
The campaign’s discovery was spearheaded by cybersecurity firms including Eye Security, a Netherlands-based outfit whose chief hacker, Vaisha Bernard, detailed the findings.
Through collaborative scans with the Shadowserver Foundation, nearly 100 compromised entities were identified before the nature of the exploit became widely known.
Bernard highlighted the ambiguity and urgency of the situation, emphasising the threat of additional adversaries leveraging the same vulnerability to establish similar footholds.
The targeted organisations have not been publicly named, with notifications reportedly forwarded to national authorities to coordinate an appropriate response.
Analysts from other cybersecurity organisations, such as Sophos, have suggested that the espionage appears to be the work of either a single hacker or a small, tightly coordinated group, though this may evolve as more information comes to light.
Microsoft has issued security updates to mitigate the vulnerability, urging all users of self-hosted SharePoint servers to implement these fixes promptly to prevent further exploitation.
Microsoft said in a blog post that two allegedly Chinese hacking groups, dubbed “Linen Typhoon” and “Violet Typhoon,” were exploiting the vulnerabilities, along with another China-based hacking group, in a first wave of attacks.
Microsoft said in a July 8 security update that it had identified the bug, listed it as a critical vulnerability, and released patches to fix it.
Germany’s federal office for information security, BSI, said on Tuesday it had found SharePoint servers within government networks that were vulnerable to the ToolShell attack, but none had been compromised.
Attribution for the attack remains uncertain; however, Alphabet’s Google, with its broad visibility into global internet traffic, has linked some of the hacking activities to a threat actor with connections to China.
This assertion underscores the increasingly geopolitical nature of cyber warfare, where state or state-affiliated actors conduct clandestine operations to harvest intelligence or gain strategic advantages.