In recent days, a series of widespread cyberattacks targeting organizations that use Microsoft collaboration software has been attributed to hackers connected to the Chinese government. Defenders involved in mitigating these intrusions shared insights during interviews, shedding light on the significant security vulnerabilities that were exploited.
The breaches, which occurred in the United States and several other countries, took advantage of a critical security flaw in SharePoint, a widely used platform for coordinating documents and projects. This vulnerability gained attention after Microsoft released a patch that addressed only a portion of the underlying issue. Charles Carmakal, chief technology officer at Google’s Mandiant Consulting, stated, “We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor.”
Researchers, who chose to remain anonymous due to the ongoing investigation, indicated that federal investigators have identified U.S.-based servers linked to compromised SharePoint systems connecting to internet protocol addresses in China over the course of Friday and Saturday. Despite inquiries, the FBI, the White House, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency have refrained from commenting on the situation.
The attacks allowed hackers to extract cryptographic keys from servers operated by Microsoft clients. These keys enabled the attackers to install malicious software, including back doors that could facilitate future intrusions. It has been reported that various federal and state agencies were affected by these breaches, although the specifics of which organizations were compromised remain unclear. Notably, only customer-hosted versions of SharePoint are vulnerable; cloud-hosted versions were not impacted.
In response to the breaches, Microsoft issued effective patches for the exposed SharePoint versions by Monday. While these updates are crucial in preventing further intrusions, Microsoft emphasized that customers must also change their machine’s digital keys, implement anti-malware software, and conduct thorough investigations for any existing breaches.
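The remediation the article summarizes (patch, rotate the server's keys, restart the web server, then investigate) can be scripted on a SharePoint Server farm. The following PowerShell is an added illustration written for this page, not Microsoft's published script: the cmdlet names `Set-SPMachineKey` and `Update-SPMachineKey`, the `Microsoft.SharePoint.PowerShell` snap-in, and the `16` hive path are assumed from SharePoint Server administration and should be checked against Microsoft's own guidance for the installed version before use. The reason the key rotation matters is stated in the article itself: stolen machine keys let an attacker keep forging trusted content after the code flaw is patched, so patching alone does not close the intrusion.

```powershell
# Added example (not from the article or from Microsoft): post-patch remediation
# for an on-premises SharePoint Server farm. Run from an elevated SharePoint
# Management Shell on one farm server AFTER the security update is installed.
# Cmdlet names and the hive path are assumptions; verify against vendor guidance.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Rotate the ASP.NET machine keys for every web application in the farm.
#    The keys the attackers extracted are what let them keep planting payloads,
#    so new keys must be generated and pushed to all servers.
Get-SPWebApplication | ForEach-Object {
    Write-Host "Rotating machine keys for $($_.Url)"
    Set-SPMachineKey    -WebApplication $_   # generate new validation/decryption keys
    Update-SPMachineKey -WebApplication $_   # deploy the new keys to every farm server
}

# 2. Restart IIS so worker processes stop using the old keys. Repeat on each server.
iisreset.exe

# 3. Triage hint for the "investigate for existing breaches" step: list server-side
#    pages in the SharePoint hive modified recently. Anything not explained by the
#    patch installation deserves a look by the incident responder.
$hive = Join-Path ${env:CommonProgramFiles} 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$cutoff = (Get-Date).AddDays(-14)   # constructed window; widen to cover the exposure period
Get-ChildItem -Path $hive -Recurse -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, FullName |
    Format-Table -AutoSize
```

Step 3 is deliberately generic: it surfaces recently written server pages rather than matching any particular file name, which keeps it useful even as attackers rename their tooling. Any finding should be preserved for forensic review rather than deleted in place, and the key rotation should be repeated if an investigation later shows the server was compromised again.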
Initial targets of these attacks were primarily entities of interest to the Chinese government. However, the landscape has since expanded, with various attackers now attempting to exploit the same vulnerabilities to steal corporate secrets or install ransomware that encrypts critical files until a ransom is paid. Carmakal warned, “It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue.”
Piet Kerkhofs, CTO and co-founder of Eye Security, a Europe-based cybersecurity firm, noted that the SharePoint breaches exhibit characteristics similar to previous compromises attributed to Chinese hackers. For instance, this month, hackers exploited a vulnerability in Citrix’s NetScaler virtual desktop, a tactic also observed in attacks attributed to Chinese actors. This rapid exploitation mirrors past incidents, including the global compromise of Microsoft Exchange email servers in early 2021, which was linked to a hacking group known as Silk Typhoon.
Silk Typhoon, associated with China’s Ministry of State Security, is regarded as one of the most technically advanced hacking groups globally. In recent years, they have increasingly targeted sensitive U.S. entities and have also made incursions into various European ministries. The escalation of these attacks highlights the ongoing threat posed by state-sponsored cyber actors and emphasizes the need for robust cybersecurity measures across organizations using Microsoft’s platforms.