Sunday, August 17, 2025

Microsoft Says China-Backed Groups Behind SharePoint Hacks



Microsoft said several Chinese state-sponsored hacking groups were behind many of the attacks in recent days that exploited unpatched vulnerabilities in self-hosted SharePoint servers.

Two of the groups, which it calls Linen Typhoon and Violet Typhoon, are ones Microsoft said it has been tracking for years and which target organisations and personnel related to government, defence, human rights, higher education, media and financial and health services in the US, Europe and East Asia.

A third group that it calls Storm-2603 was also involved in the hacks, and Microsoft said it had “medium confidence” that this gang was a “China-based threat actor”.

Image credit: Turag Photography/Unsplash

Persistent access

The hacks targeted SharePoint servers deployed by organisations and government bodies, but did not affect Microsoft-hosted instances.

Microsoft has issued patches that it said repair the flaw, and said it had “high confidence” that hackers would continue to target systems that did not have the patches installed.

It said investigations into other groups exploiting the flaws were ongoing.

China’s foreign ministry said it opposes hacking as well as “smears and attacks against China under the excuse of cybersecurity issues”.

Cybersecurity firm Eye Security said it had scanned more than 400 systems around the world that were actively compromised.

The company and other researchers noted that the SharePoint breaches let hackers steal cryptographic keys that could be used to impersonate users or services even after the server is patched, meaning those affected would need to take further steps to secure their data.

The flaw involved in the attacks was discovered by a researcher with Vietnamese security firm Viettel Cyber Security and disclosed at the May Pwn2Own security conference in Berlin, according to the Zero Day Initiative, which held the conference.

Zero-day flaw

The vulnerability was reported to Microsoft on 29 May, and Microsoft released a patch with its monthly security updates on 8 July.

But the patch only partially resolved the issue, and Microsoft said on 19 July that it was aware of ongoing attacks using the flaw.

It has since issued further patches that it says fully protect users’ systems.

Cybersecurity company Palo Alto Networks said those at immediate risk from the attacks included government, schools, hospitals and large enterprise companies.


