
Chinese State Hackers Exploit Critical SharePoint Zero-Day in Global Espionage Campaign


A sophisticated cyber espionage operation conducted by Chinese state-sponsored threat actors has been leveraging an unpatched vulnerability in Microsoft SharePoint to infiltrate high-value targets across multiple sectors, according to joint advisories from Microsoft and Google's Threat Analysis Group (TAG).

The campaign, active since at least early 2025, exploits a critical remote code execution (RCE) vulnerability in SharePoint servers (CVE number pending assignment) that allows attackers to gain persistent access to enterprise networks. Security researchers note the exploit chain demonstrates advanced understanding of SharePoint architecture, suggesting nation-state level resources.

Among the confirmed targets are several U.S. national security organizations, though Microsoft has not disclosed specific agency names. The attackers reportedly exfiltrated sensitive documents and established long-term footholds in victim networks. Evidence suggests the hacking groups belong to China's Ministry of State Security (MSS) ecosystem, known for conducting cyber operations aligned with Beijing's strategic interests.

Technical analysis reveals the attackers combine the SharePoint exploit with:

  • Custom web shells for persistent access
  • Living-off-the-land techniques using built-in administrative tools
  • Lateral movement via compromised credentials

Microsoft released out-of-band security updates on July 22 after discovering active exploitation. The company's threat intelligence team warns that unpatched SharePoint servers remain vulnerable to complete takeover, especially those exposed to the internet.

Cybersecurity experts highlight three concerning aspects:

  1. The vulnerability was exploited silently for months before detection
  2. Attackers demonstrated deep knowledge of SharePoint internals
  3. The campaign's global scale and government targeting indicate strategic intelligence gathering

Recommendations for organizations include:

  • Immediate patching of all SharePoint deployments
  • Network segmentation for sensitive data
  • Enhanced monitoring for unusual SharePoint activity
  • Credential rotation for administrative accounts
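The "custom web shells" item above and the "enhanced monitoring for unusual SharePoint activity" recommendation are the two points a defender can act on directly. The following is an added, illustrative detection script; it is not from the article, from Microsoft, or from any of the listed sources. It assumes IIS W3C-format logs in the field order given in `FIELDS`, an operator-maintained allow-list of known `/_layouts/` pages (`BASELINE_PAGES`), and a short list of scripted user-agent prefixes; the log lines and the file name `dropped-example.aspx` are constructed placeholders, not real indicators.

```python
"""Flag web-shell-like requests to a SharePoint server in IIS W3C log lines.

Added illustrative detection logic (not from the article or any vendor tool).
Assumptions: log fields follow the order in FIELDS, and BASELINE_PAGES is the
operator's own allow-list of pages legitimately served from /_layouts/.
"""
from collections import Counter

# Assumed W3C field order for the log being scanned.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "username", "c_ip", "user_agent", "status"]

# Operator-maintained allow-list of known layout pages (constructed for this example).
BASELINE_PAGES = {"start.aspx", "upload.aspx", "settings.aspx"}

# User-agent prefixes typical of scripted tooling rather than browsers (assumed list).
SCRIPTED_UA = ("python-requests", "curl/", "powershell")

# Constructed sample log (IIS encodes spaces inside a field as '+').
# "dropped-example.aspx" is a placeholder name, not a real indicator of compromise.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-20 10:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-20 10:01:15 10.0.0.5 POST /_layouts/15/upload.aspx - 443 alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-20 10:03:40 10.0.0.5 POST /_layouts/15/dropped-example.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-07-20 10:03:41 10.0.0.5 POST /_layouts/15/dropped-example.aspx a=b 443 - 203.0.113.9 python-requests/2.31 200
2025-07-20 10:05:02 10.0.0.5 GET /_layouts/15/settings.aspx - 443 bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_line(line):
    """Split one W3C log line into a dict keyed by FIELDS; None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return the list of reasons a record looks suspicious (empty if none)."""
    reasons = []
    stem = rec["uri_stem"].lower()
    page = stem.rsplit("/", 1)[-1]
    # A .aspx page under /_layouts/ that is not in the baseline: possible dropped web shell.
    if "/_layouts/" in stem and page.endswith(".aspx") and page not in BASELINE_PAGES:
        reasons.append("unknown-layouts-page")
    # Unauthenticated POST to a layouts page: unusual for normal SharePoint use.
    if rec["method"] == "POST" and rec["username"] == "-" and "/_layouts/" in stem:
        reasons.append("anonymous-post-to-layouts")
    # Scripted client rather than a browser.
    if rec["user_agent"].lower().startswith(SCRIPTED_UA):
        reasons.append("scripted-user-agent")
    return reasons


def scan(log_text):
    """Scan a log; return (findings, per-client-IP hit counts)."""
    findings = []
    per_ip = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and W3C directives
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((rec["c_ip"], rec["method"], rec["uri_stem"], reasons))
            per_ip[rec["c_ip"]] += 1
    return findings, per_ip


if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for c_ip, method, stem, reasons in hits:
        print(f"{c_ip} {method} {stem} -> {', '.join(reasons)}")
    print("hits per client:", dict(counts))
```

The allow-list approach is deliberate: rather than matching on any specific file name, it treats every page under `/_layouts/` that the operator has not seen before as worth a look, which is what "monitoring for unusual SharePoint activity" means in practice. Baseline the list from a known-good server before relying on it, and feed the per-IP counts into whatever alerting the SOC already uses.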

The incident marks another escalation in China's cyber operations against Western targets, following similar campaigns exploiting Exchange Server vulnerabilities in 2021. Industry analysts suggest this may prompt renewed scrutiny of enterprise software in critical infrastructure.

Original sources

  • NewsSearcher: This article was generated by our NewsSearcher AI system, analyzing information from multiple reliable sources.
  • "Microsoft says Chinese hacking groups are behind SharePoint attacks" (The Verge)
  • "Microsoft security hole known for months - 'Chinese hackers' exploited it" (In.gr)
  • "Google, Microsoft say Chinese hackers are exploiting SharePoint zero-day" (TechCrunch)
  • "National Security Breach: Microsoft's SharePoint Hack Exposed" (Devdiscourse)
  • "Chinese hacking groups were part of SharePoint attacks" (CNBC)


This article was written with AI assistance and reviewed by our editorial team.
