Microsoft Victim Count Reaches 400 Amid SharePoint Vulnerability Exploits
Recent reports indicate a significant rise in the number of organizations affected by a security vulnerability in Microsoft’s SharePoint servers. Initially, the estimated number of victims was around 60, but this figure has surged to nearly 400 within just a few days, according to research from a cybersecurity firm.
Hackers have breached various entities including government agencies and large corporations, primarily targeting those in the United States. Other affected countries include Mauritius, Jordan, South Africa, and the Netherlands, as determined by Eye Security, the Dutch firm that identified the initial wave of attacks.
Among the breached institutions is the National Nuclear Security Administration, responsible for overseeing the U.S. nuclear arsenal. Reports suggest that these breaches are part of a larger trend, with Microsoft attributing part of the blame to state-sponsored hacking from China amidst rising geopolitical tensions.
Eye Security’s co-owner, Vaisha Bernard, noted that the true number of breached entities could be even higher, as many compromise methods might not leave detectable traces. This situation is ongoing, with other adversaries potentially exploiting the same vulnerabilities.
Entities affected by these SharePoint breaches span various sectors including government, education, and technology services. There are also reports of victims from countries in Europe, Asia, the Middle East, and South America.
The weaknesses in SharePoint allow hackers to gain unauthorized access to servers, enabling them to steal credentials that could lead to further data breaches within compromised networks. While Microsoft has released patches to address these vulnerabilities, concerns remain that hackers may already have established footholds in numerous systems.
Microsoft has publicly linked the attacks to Chinese state-sponsored hacker groups known as Linen Typhoon and Violet Typhoon. Another group, identified as Storm-2603, is also believed to have taken advantage of these security flaws.
Historically, Microsoft has pointed to China as a source of significant cyber threats. Previous incidents include a 2021 attack that compromised thousands of Microsoft Exchange servers, and a more recent 2023 breach affecting senior officials’ email accounts. During a review, the U.S. government highlighted a “cascade of security failures” in relation to these incidents.
According to researcher Eugenio Benincasa from ETH Zurich’s Center for Security Studies, members of the identified groups have faced legal action in the U.S. for their involvement in various cyberattacks against American organizations. They are recognized for their extensive espionage activities.
Benincasa suggests the SharePoint breaches may be conducted by proxy groups cooperating with the Chinese government rather than direct government operatives. He explains that private hacking firms in China often engage in “hacker for hire” services.
Given that multiple groups are exploiting the same vulnerabilities, there is concern that more attacks may follow suit.
In a statement, the Chinese Embassy in Washington declared that China opposes all forms of cybercrime and warned against unfounded accusations. They emphasized the need for evidence-based characterizations of cyber incidents.
Microsoft identifies Linen Typhoon as an entity focused on stealing intellectual property, with a history of targeting organizations connected to defense and human rights. Violet Typhoon, known for espionage, has primarily focused on sectors including media and education in both the U.S. and Europe.
Reports indicate that these hackers have also infiltrated systems belonging to vital institutions such as the U.S. Education Department and Florida’s Department of Revenue.
