Microsoft Aware of SharePoint Vulnerability but Initial Fix Proved Ineffective, Timeline Reveals

A recent cybersecurity incident has revealed that a fix released by Microsoft earlier this month failed to effectively address a serious security flaw in its widely used SharePoint server software. 

This shortcoming has reportedly led to a wave of cyber espionage attacks worldwide, according to a timeline reviewed by Reuters.

Microsoft acknowledged on Tuesday that its initial update, meant to correct a vulnerability exposed during a May hacker competition, was unsuccessful. A spokesperson confirmed that the issue has now been resolved with additional patches. 

Despite this, the identity of the perpetrators behind the sweeping attacks, which have already affected around 100 organizations, remains unknown. Experts warn that the campaign may widen as more hackers exploit the opening.

Suspected State-Linked Groups Exploit the Gap

In a blog post, Microsoft attributed the exploitation to three groups, including “Linen Typhoon” and “Violet Typhoon”—both believed to have ties to China. Google, alongside Microsoft, also pointed to China-linked hackers as likely initiators of the attack wave.

Chinese government-affiliated entities are frequently linked to cyber intrusions. However, Beijing consistently denies these allegations. 

The Chinese Embassy in Washington responded via email, stating that China “opposed all forms of cyberattacks” and criticized what it called “smearing others without solid evidence.”

The flaw was first uncovered in May during a competition in Berlin hosted by cybersecurity firm Trend Micro. 

The event rewarded participants who discovered unreported vulnerabilities, with a $100,000 prize for identifying issues in Microsoft SharePoint. 

One researcher from Viettel, a Vietnamese military-run telecom, presented a successful exploit dubbed “ToolShell” and received the award, according to Trend Micro’s Zero Day Initiative.

National Security Implications and Rising Concerns

Bloomberg News reported that the U.S. National Nuclear Security Administration, responsible for safeguarding the country’s nuclear arsenal, was among the targets. However, no classified data was believed to be compromised.

Following the identification of the flaw, Microsoft listed it as critical in a July 8 update. But within days, cybersecurity firms began to see malicious activity directed at SharePoint servers. Sophos noted that hackers had developed methods to circumvent Microsoft’s patch.

Data from the internet-scanning tool Shodan indicated that more than 8,000 servers could be exposed, with systems linked to banks, health providers, industrial firms, and government agencies potentially at risk. 

The Shadowserver Foundation, which monitors online threats, estimated the number of vulnerable servers at over 9,000, mostly located in the U.S. and Germany.

Germany’s federal cybersecurity office, BSI, said it had found no evidence of compromised government systems, although several were susceptible to the ToolShell vulnerability.
