Microsoft Hack Hits Hundreds of Firms, Agencies as Damage Spreads | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

(Bloomberg) — Microsoft Corp. said a Chinese hacking group is exploiting security vulnerabilities in the company’s SharePoint servers to deploy ransomware, following a cyberattack discovered last week that has affected hundreds of entities around the world.

Most Read from Bloomberg

The group, which Microsoft has named Storm-2603, has a history of waging ransomware attacks, which use malicious software to lock down computers and render them inoperable. Ransomware groups usually then demand payment from their victims to unlock the computers.

Microsoft said in a blog post late Wednesday that it was “moderately confident” that Storm-2603 was a China-based threat actor. But the company said it was “unable to confidently assess the threat actor’s objectives.”

Storm-2603 is one of three alleged Chinese entities that have exploited the security vulnerabilities in SharePoint in a widespread hacking campaign that began earlier this month, according to Microsoft.

Hackers have breached about 400 government agencies, corporations and other groups, according to estimates from Eye Security, the Dutch cybersecurity company that identified an early wave of the attacks last week. That’s up from roughly 60 based on its previous estimate provided to Bloomberg News on Tuesday.

The security firm said that most of the victims are in the US, followed by Mauritius, Jordan, South Africa and the Netherlands. The National Nuclear Security Administration, the US agency responsible for maintaining and designing the nation’s cache of nuclear weapons, was among those breached. So were several South African entities, including the country’s National Treasury, Bloomberg reported earlier.

The National Institutes of Health was also impacted through the SharePoint flaws, according to a person familiar with the matter. Andrew Nixon, a spokesperson for the Department of Health and Human Services, said, “The Department and its security teams are actively engaged in monitoring, identifying, and mitigating all risks to our IT systems posed by the Microsoft SharePoint vulnerability.”

“At present, we have no indication that any information was breached as a result of this vulnerability,” he said, adding that the department is collaborating with Microsoft and the US Cybersecurity and Infrastructure Security Agency. The Washington Post previously reported that NIH was breached.

And South Africa’s National Treasury said it was seeking help from Microsoft after discovering malware on its network, but added that its systems and websites were operating normally.

The hacks are among the latest major breaches that Microsoft has blamed, at least in part, on China and come amid heightened tensions between the governments in Washington and Beijing over global security and trade. The US has repeatedly criticized China for campaigns that have allegedly stolen government and corporate secrets over a period spanning decades.

The real number of victims from the SharePoint exploits “might be much higher as there can be many more hidden ways to compromise servers that do not leave traces,” Eye Security’s co-owner Vaisha Bernard said in an email to Bloomberg News. “This is still developing, and other opportunistic adversaries continue to exploit vulnerable servers.”

The organizations compromised in the SharePoint breaches include many working in government, education and technology services, Bernard said. There were smaller numbers of victims in countries across Europe, Asia, the Middle East and South America.

State-backed hackers tend to exploit major cybersecurity weaknesses, like the SharePoint vulnerability, in waves, according to Sveva Scenarelli, a threat analyst with Recorded Future Inc. They start with secretive, targeted hacks and then, once the vulnerability is discovered, will begin using it more indiscriminately, she said.

“Once access has been acquired, individual threat groups can then triage compromised organizations, and prioritize those of particular interest for follow-on activity,” said Scenarelli, of the cyber intelligence firm’s Insikt Group. She said this can include finding ways to maintain access to a compromised network, burrowing deeper and setting up paths to steal sensitive information.

US Treasury Secretary Scott Bessent, who is set to meet his Chinese counterparts in Stockholm next week for a third round of trade talks, suggested in a Bloomberg Television interview Wednesday that the SharePoint hacks will be discussed. “Obviously things like that will be on the agenda with my Chinese counterparts,” he said.

The security flaws allow hackers to access SharePoint servers and steal keys that can let them impersonate users or services, potentially enabling deep access into compromised networks to steal confidential data. Microsoft has issued patches to fix the vulnerabilities, but researchers cautioned that hackers may have already got a foothold into many servers.

Microsoft on Tuesday accused Chinese state-sponsored hackers known as Linen Typhoon and Violet Typhoon of being behind the attacks. Another hacking group based in China, which Microsoft calls Storm-2603, also exploited them, according to the company.

The Redmond, Washington company has repeatedly blamed China for major cyberattacks. In 2021, an alleged Chinese operation compromised tens of thousands of Microsoft Exchange servers. In 2023, another alleged Chinese attack on Microsoft Exchange compromised senior US officials’ email accounts. A US government review later accused Microsoft of a “cascade of security failures” over the 2023 incident.

Eugenio Benincasa, a researcher at ETH Zurich’s Center for Security Studies who specializes in analyzing Chinese cyberattacks, said members of the groups identified by Microsoft had previously been indicted in the US for their alleged involvement in hacking campaigns targeting US organizations. They are well known for their “extensive espionage,” he said.

It’s likely that the SharePoint breaches are being carried out by proxy groups that work with the government rather than Chinese government agencies directly carrying out the hacking, according to Benincasa. Private hacking companies in the country sometimes participate in “hacker for hire” operations, he added.

“Now that at least three groups have reportedly exploited the same vulnerability, it’s plausible more could follow,” he said.

“Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,” said Chinese Foreign Ministry spokesman Guo Jiakun. “China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”

According to Microsoft, the hacking group Linen Typhoon was first identified in 2012, and is focused on stealing intellectual property, primarily targeting organizations related to government, defense, strategic planning, and human rights. Violet Typhoon, first observed in 2015, was “dedicated to espionage” and primarily targeted former government and military personnel, non-governmental organizations, as well as media and education sectors in the US, Europe, and East Asia.

The hackers have also used the SharePoint flaws to break into systems belonging to the US Education Department, Florida’s Department of Revenue and the Rhode Island General Assembly, Bloomberg previously reported.

Edwin Lyman, director of nuclear power safety for the Union of Concerned Scientists, said that while the National Nuclear Security Administration possesses some of the most restricted and dangerous information in the world, the networks where classified information are stored are isolated from the internet.

“So even if those networks were compromised, I’m not sure how such information could have been transmitted to the adversaries,” Lyman said in an email. “But there are other categories of information that are sensitive but unclassified, that may be treated with less care and might have been exposed. This includes some information related to nuclear materials and even nuclear weapons.”

—With assistance from Lucille Liu, Ari Natter and Jessica Nix.

(Updated with additional context in first six paragraphs.)

Most Read from Bloomberg Businessweek

©2025 Bloomberg L.P.