Hackers linked to the Chinese government are behind recent cyberattacks targeting Microsoft SharePoint users, according to cybersecurity experts. The attacks exploited a severe vulnerability in SharePoint, widely used for document sharing and collaboration.
Microsoft issued partial patches earlier this month, but attackers moved quickly—using the gap to access sensitive systems. Only on-premises SharePoint servers hosted by customers themselves were affected; the cloud-hosted service was not.
Charles Carmakal, CTO at Mandiant Consulting, said, “We assess that at least one of the actors responsible… is a China-nexus threat actor.” Microsoft confirmed that three Chinese groups were involved, two of which are government-backed.
Researchers found U.S.-based SharePoint servers communicating with IP addresses in China. Some early victims included agencies and organizations likely of interest to Chinese intelligence. But experts warned that multiple groups—criminal and state-backed—are now exploiting the flaw for different goals, from data theft to ransomware.
The breach allowed attackers to extract cryptographic keys from affected servers. These keys could be used to install malware or maintain long-term access.
“The trend will continue, as various other threat actors… will leverage this exploit as well,” Carmakal warned.
While Microsoft has since patched the final vulnerable versions, experts say more work is needed. Organizations must rotate digital keys, scan for malware, and investigate for hidden breaches.
Piet Kerkhofs, CTO of Eye Security, noted the speed of the attack. He said Chinese hackers used a similar approach in the recent Citrix NetScaler vulnerability and in the 2021 Microsoft Exchange hack. That incident was linked to Silk Typhoon, a group tied to China’s Ministry of State Security.
The Chinese Embassy denied involvement, stating, “China firmly opposes and combats all forms of cyber attacks.”
With more threat actors now joining in, cybersecurity experts warn that vigilance and fast action are critical to limiting the damage.