
A massive attack on Microsoft's servers puts China in the eye of the storm

After a massive cyberattack on 'SharePoint' servers, Microsoft made strong accusations against the Chinese regime

A large-scale cyberespionage operation has compromised nearly 100 organizations through a critical vulnerability in on-premises Microsoft SharePoint servers, according to findings published by the firm Eye Security and the Shadowserver Foundation.

The attack, classified as "zero-day" for exploiting a previously unknown flaw, has caused international alarm due to its scope, sophistication, and possible origin linked to Chinese state actors.

Microsoft issued an alert on Saturday about "active attacks" against self-hosted versions of SharePoint, software widely used by companies and government institutions for document management and internal collaboration. Cloud-based versions of SharePoint were not affected.

Vaisha Bernard, director of hacking at Eye Security, indicated that a scan conducted together with Shadowserver identified nearly 100 compromised servers before the vulnerability became widely known. This figure is considered conservative, and there are concerns that malicious actors may have implanted additional backdoors in systems that have not yet been identified.

The target of the attack was the SharePoint servers | La Derecha Diario

Shadowserver confirmed these findings and noted that the majority of those affected are located in the United States and Germany, including several government entities. The actual scope could be much greater: the Shodan tool identified more than 8,000 potentially exposed servers, while Shadowserver estimated more than 9,000.

Microsoft attributed with "high confidence" part of the attacks to actors with ties to China, in particular the groups known as Linen Typhoon, Violet Typhoon, and Storm-2603.

These groups have previously been identified as responsible for cyberespionage campaigns aimed at obtaining intellectual property and strategic data. Linen Typhoon, for example, has focused its attacks for more than a decade on government, defense, strategic planning, and human rights organizations.

Meanwhile, Violet Typhoon has targeted NGOs, universities, media outlets, and financial and health sectors in the United States, Europe, and East Asia.

The attacks are related to the Chinese hacker groups Linen Typhoon, Violet Typhoon, and Storm-2603 | La Derecha Diario

The spokesperson for the Chinese embassy in Washington denied the accusations, stated that the country "firmly opposes all types of cyberattacks and cybercrimes", and objected that the allegations were made without evidence.

Nevertheless, cybersecurity experts confirmed that victims have been identified in multiple sectors and countries, and that the attackers used tactics similar to those of previous campaigns associated with Beijing.

According to the researchers, the attack consisted of sending malicious requests to vulnerable SharePoint servers, allowing the hackers to steal essential cryptographic material that was then used to maintain long-term access to the compromised systems.

This extended access turns the incident into a significant threat, not only because of data theft but also due to the potential for future manipulation or sabotage.

The Chinese embassy in the United States denied any involvement in the attacks | La Derecha Diario

Microsoft released security updates and strongly recommended their immediate installation. However, experts such as Daniel Card from the firm PwnDefend warned that applying the patches is not enough.

Since attackers may have left backdoors before the vulnerability became known, organizations must assume they have been compromised and conduct thorough analyses of their systems.

The FBI, together with cybersecurity agencies from the United Kingdom and other countries, confirmed being aware of the attack and is working with private sector partners to mitigate its effects.

The FBI will work with the private sector and other intelligence agencies to address the attack | La Derecha Diario