Microsoft Discloses 2025 SharePoint Breaches by Chinese Hackers

In July 2025, Microsoft disclosed that Chinese state-sponsored hacking groups—Linen Typhoon, Violet Typhoon, and Storm-2603—exploited critical vulnerabilities in on-premises SharePoint servers, leading to breaches in approximately 400 organizations, including U.S. federal agencies and the National Nuclear Security Administration.

The vulnerabilities, identified as CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing), were initially discovered during a hacking competition in May 2025. Microsoft released patches on July 8; however, attackers found ways to bypass these fixes, leading to further exploitation. The attackers deployed ransomware and stole cryptographic keys, which could allow persistent access even after patching. (PC Gamer)

Microsoft identified three Chinese state-sponsored hacking groups involved in these attacks:

  • Linen Typhoon: Also known as APT27, UNC215, and Red Phoenix, this group has been active since 2012, focusing on stealing intellectual property by targeting government organizations, defense companies, and human rights groups. (The Record)

  • Violet Typhoon: Also known as APT31, this group is dedicated to espionage, previously targeting government officials, military personnel, think tanks, educational organizations, media companies, and the health sector in the U.S., Europe, and East Asia. (The Record)

  • Storm-2603: A China-based threat actor observed deploying Warlock and LockBit ransomware. Microsoft has been monitoring this group since July 18, 2025, noting its use of the SharePoint vulnerabilities to deploy ransomware. (Bleeping Computer)

Microsoft has released comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) to protect against these vulnerabilities. Organizations are urged to apply these updates immediately. Additional recommendations include:

  • Enabling Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus.

  • Rotating ASP.NET machine keys.

  • Restarting Internet Information Services (IIS).

  • Deploying endpoint detection tools.

These measures aim to mitigate the risks associated with these vulnerabilities and prevent further exploitation. (Tom's Hardware)
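The key-rotation and IIS-restart steps above are the ones that close off the stolen-key persistence path the article describes, because a new ASP.NET machine key invalidates any ViewState signing material an attacker may have captured. The following PowerShell script is an added example of how an administrator might carry out those two steps across a farm; it is not code from Microsoft or from the article. It assumes it is run in the SharePoint Management Shell on a server that already has the July 2025 security update installed, and that the `Set-SPMachineKey` and `Update-SPMachineKey` cmdlets are available on that build (the script checks for them rather than assuming). Enabling AMSI and deploying endpoint detection are configuration and deployment tasks done through Central Administration and the endpoint product, so they are only noted in the output, not scripted here.

```powershell
# Added example: rotate ASP.NET machine keys for every web application in a
# SharePoint farm and then restart IIS. Assumes the SharePoint Management Shell
# and a build that includes the July 2025 security updates.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Refuse to continue if the key-rotation cmdlets are not present; on an
# unpatched farm they may be missing, and patching is the first step anyway.
foreach ($cmd in 'Set-SPMachineKey', 'Update-SPMachineKey') {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
        throw "Cmdlet $cmd not found. Install the July 2025 SharePoint security update before rotating keys."
    }
}

# Record the farm build so the run log shows which version the rotation was done on.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# Rotate keys for every content web application. Set-SPMachineKey generates new
# validation/decryption keys; Update-SPMachineKey pushes them to web.config on
# each server so every node signs ViewState with the new material.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.Url) ..."
    Set-SPMachineKey -WebApplication $wa
    Update-SPMachineKey -WebApplication $wa
    Write-Host "  done: $($wa.Url)"
}

# Old keys stay in memory in the worker processes until IIS is restarted, so a
# restart is required on every front-end server, not just the one running this script.
Write-Host "Restarting IIS on $env:COMPUTERNAME ..."
& iisreset.exe /noforce | Out-Null

Write-Host "Key rotation complete on this server. Remaining steps from the guidance:"
Write-Host "  - run iisreset.exe on every other SharePoint server in the farm"
Write-Host "  - confirm AMSI integration and Microsoft Defender Antivirus are enabled"
Write-Host "  - confirm endpoint detection agents are deployed on all farm servers"
```

Run it on one server after the update is installed, then repeat the `iisreset.exe` step on each remaining server; the key update itself is farm-wide, but the IIS restart is per machine. Rotating the keys logs out users whose sessions depend on the old ViewState signing key, so schedule it accordingly.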

The exploitation of these vulnerabilities by state-sponsored actors underscores the persistent threat posed by cyber espionage and cyberattacks on critical infrastructure. The involvement of Chinese state-sponsored groups highlights ongoing geopolitical tensions and the use of cyber operations as tools of statecraft. The breaches raise concerns about the security of sensitive information and the potential for disruption of essential services.

This incident is part of a broader pattern of cyberattacks targeting critical infrastructure and government entities. Similar attacks have been observed in the past, with state-sponsored actors exploiting vulnerabilities to gain unauthorized access to sensitive systems. The persistence of such threats highlights the need for continuous vigilance and proactive security measures.

Tags: #microsoft, #cybersecurity, #sharepoint, #chinesehackers, #databreach