Microsoft accused Chinese state-sponsored hackers of using flaws in its SharePoint document management software in a hacking campaign that has targeted businesses and government agencies around the world.
In a blog post on Tuesday, the tech giant identified two groups supported by the Chinese government, Linen Typhoon and Violet Typhoon, as leveraging flaws in SharePoint software used by customers who managed it on their own networks, as opposed to in the cloud. Another hacking group based in China, which Microsoft calls Storm-2603, also exploited the SharePoint vulnerabilities, according to the blog.
“Investigations into other actors also using these exploits is still ongoing,” Microsoft said. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks.”
A representative for the Chinese Embassy in Washington didn’t immediately respond to a request for comment.
Other cybersecurity researchers have said multiple hacking groups have been making use of the flaws in the popular Microsoft software, and some also indicated that Chinese attackers were likely among them.
Hackers have already used the flaw to break into the systems of national governments in Europe and the Middle East, according to a person familiar with the matter. In the US, they’ve accessed government systems, including ones belonging to the Education Department, Florida’s Department of Revenue and the Rhode Island General Assembly, said the person, who asked not to be identified discussing sensitive information.
The types of organizations targeted, the techniques used and other initial evidence are consistent with Chinese state-sponsored espionage, said Eugenio Benincasa, a researcher at the Swiss university ETH Zurich who specializes in analyzing Chinese attacks.
The security company Eye Security has detected compromises on more than 100 servers representing 60 victims, including organizations in the energy sector, consulting firms and universities. Victims were also located in Saudi Arabia, Vietnam, Oman and the United Arab Emirates, according to the company.
Multiple different hackers are launching attacks through the Microsoft vulnerability, according to representatives of two cybersecurity firms, CrowdStrike and Google’s Mandiant Consulting.
Attackers have exploited the vulnerability in SharePoint since at least July 7 in attempted hacks against two “high value targets,” said Adam Meyers, senior vice president at CrowdStrike. The early exploitation resembled government-sponsored activity and then spread more widely to include hacking that “looks like China,” Meyers said. CrowdStrike’s investigation into the campaign is ongoing, he said.
Microsoft over the weekend released a patch for the vulnerability in its SharePoint server software. The company said it was still working to roll out other fixes after warnings that hackers were targeting SharePoint clients, using the flaw to access file systems and execute code.
Representatives of the Department of Education and Rhode Island legislature didn’t respond to calls and emails seeking comment Monday. A Florida Department of Revenue spokesperson, Bethany Wester Cutillo, said in an email that the SharePoint vulnerability is being investigated “at multiple levels of government” but that the state agency “does not comment publicly on the software we use for operations.”
The hackers also breached the systems of a US-based health-care provider and targeted a public university in Southeast Asia, according to a report from a cybersecurity firm reviewed by Bloomberg News. The report doesn’t identify either entity by name, but says the hackers have attempted to breach SharePoint servers in countries including Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, the UK and the US. The firm asked not to be named because of the sensitivity of the information.
In some systems they’ve broken into, the hackers have stolen sign-in credentials, including usernames, passwords, hash codes and tokens, according to a person familiar with the matter, who also spoke on condition that they not be identified discussing the sensitive information.
“This is a high-severity, high-urgency threat,” said Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks Inc.
“What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including their services like Office, Teams, OneDrive and Outlook, which has all the information valuable to an attacker,” he said. “A compromise doesn’t stay contained — it opens the door to the entire network.”
Tens of thousands — if not hundreds of thousands — of businesses and institutions worldwide use SharePoint in some fashion to store and collaborate on documents. Microsoft said that attackers are specifically targeting clients running SharePoint servers from their own on-premise networks, as opposed to being hosted and managed by the tech firm. That could limit the impact to a subsection of customers. --Bloomberg