A sophisticated cyber espionage operation conducted by Chinese state-sponsored threat actors has been leveraging an unpatched vulnerability in Microsoft SharePoint to infiltrate high-value targets across multiple sectors, according to joint advisories from Microsoft and Google's Threat Analysis Group (TAG).
The campaign, active since at least early 2025, exploits a critical remote code execution (RCE) vulnerability in SharePoint servers (CVE number pending assignment) that allows attackers to gain persistent access to enterprise networks. Security researchers note the exploit chain demonstrates advanced understanding of SharePoint architecture, suggesting nation-state level resources.
Among the confirmed targets are several U.S. national security organizations, though Microsoft has not disclosed specific agency names. The attackers reportedly exfiltrated sensitive documents and established long-term footholds in victim networks. Evidence suggests the hacking groups belong to China's Ministry of State Security (MSS) ecosystem, known for conducting cyber operations aligned with Beijing's strategic interests.
Technical analysis reveals the attackers combine the SharePoint exploit with:
- Custom web shells for persistent access
- Living-off-the-land techniques using built-in administrative tools
- Lateral movement via compromised credentials
Microsoft released out-of-band security updates on July 22 after discovering active exploitation. The company's threat intelligence team warns that unpatched SharePoint servers remain vulnerable to complete takeover, especially those exposed to the internet.
Cybersecurity experts highlight three concerning aspects:
- The vulnerability was exploited silently for months before detection
- Attackers demonstrated deep knowledge of SharePoint internals
- The campaign's global scale and government targeting indicate strategic intelligence gathering
Recommendations for organizations include:
- Immediate patching of all SharePoint deployments
- Network segmentation for sensitive data
- Enhanced monitoring for unusual SharePoint activity
- Credential rotation for administrative accounts
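The "enhanced monitoring for unusual SharePoint activity" recommendation can be started with the server's own IIS logs: web shells dropped into the SharePoint layouts directory are usually driven with POST requests to a page the site never served before. The script below is an added example, not code from Microsoft or Google; the baseline page set and the W3C log lines are constructed, and the odd page name is a placeholder, not a real indicator.

```python
"""Flag POSTs to unexpected SharePoint layout pages in IIS W3C logs.

Heuristic: a POST to a .aspx under /_layouts/ that is absent from a baseline
of pages the farm normally serves. A real baseline is built from the server's
own historical logs; the one here is constructed for the example.
"""
from collections import defaultdict

# Constructed baseline of layout pages seen during normal operation.
BASELINE_LAYOUT_PAGES = {
    "/_layouts/15/start.aspx",
    "/_layouts/15/settings.aspx",
    "/_layouts/15/viewlsts.aspx",
}

# Constructed IIS W3C log excerpt; the #Fields line defines the column order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-20 02:14:03 GET /_layouts/15/start.aspx 10.0.0.5 200
2025-07-20 02:14:10 POST /_layouts/15/settings.aspx 10.0.0.5 200
2025-07-20 03:01:42 POST /_layouts/15/placeholder_page.aspx 198.51.100.7 200
2025-07-20 03:01:44 POST /_layouts/15/placeholder_page.aspx 198.51.100.7 200
2025-07-20 03:05:10 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx 10.0.0.9 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # skip truncated or malformed records
            continue
        yield dict(zip(fields, parts))


def find_suspicious(text, baseline=BASELINE_LAYOUT_PAGES):
    """Return {uri: [client ips]} for POSTs to non-baseline /_layouts/ pages."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if rec["cs-method"].upper() != "POST":
            continue
        if not (uri.startswith("/_layouts/") and uri.endswith(".aspx")):
            continue
        if uri in baseline:
            continue
        hits[uri].append(rec["c-ip"])
    return dict(hits)


if __name__ == "__main__":
    for uri, ips in find_suspicious(SAMPLE_LOG).items():
        print(f"ALERT: POST to non-baseline layout page {uri} from {sorted(set(ips))}")
```

Any hit should be paired with a file-system check of the matching page under the SharePoint hive's LAYOUTS directory, since a legitimate new page would normally have been deployed through a change record.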
The incident marks another escalation in China's cyber operations against Western targets, following similar campaigns exploiting Exchange Server vulnerabilities in 2021. Industry analysts suggest this may prompt renewed scrutiny of enterprise software in critical infrastructure.