
Microsoft Attributes SharePoint Server Exploits to Chinese Hacker Groups
Microsoft has officially attributed the exploitation of security flaws in internet-exposed SharePoint Server instances to two Chinese hacker groups, Linen Typhoon and Violet Typhoon, as of July 7, 2025. This confirmation aligns with previous reports and highlights the ongoing threat posed by state-sponsored actors. Additionally, Microsoft has observed a third China-based threat actor, Storm-2603, exploiting these vulnerabilities to gain initial access.
SharePoint Server is a widely used collaboration platform that, if compromised, can lead to unauthorized access and data breaches. Exposing these instances to the internet makes them more vulnerable to such attacks. The involvement of multiple threat actors suggests a coordinated effort, indicating a high level of sophistication and resource allocation on the attackers' part.
This incident underscores the critical importance of securing internet-exposed services and maintaining up-to-date security patches. Organizations using SharePoint Server should be on high alert, ensuring their instances are properly secured and monitored. It is advisable to conduct thorough vulnerability assessments and apply necessary patches immediately. Implementing additional security measures such as multi-factor authentication, network segmentation, and continuous monitoring can also mitigate the risk of such attacks.
The attribution to Chinese hacker groups is also a reminder of the need for robust incident response plans and of the importance of staying vigilant against evolving threats.