Microsoft has linked recent mass exploitation of SharePoint vulnerabilities to three Chinese state-sponsored threat actors. These hackers—identified as Linen Typhoon, Violet Typhoon, and Storm-2603—are reportedly behind a series of advanced cyber-espionage attacks targeting unpatched on-premises SharePoint servers worldwide.
The company’s threat intelligence team detailed how the attacks are exploiting a remote code execution (RCE) vulnerability chain in SharePoint, enabling attackers to gain full control of affected systems without authentication. According to Microsoft, “We have observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”
The exploitation has reached critical levels. SharePoint servers remain widely exposed on the internet, with thousands still unpatched. Cybersecurity authorities have issued global warnings, urging organizations to apply Microsoft’s latest patches, rotate server keys, and follow updated threat mitigation steps to close the exposure.
The Attack Chain Used in the Exploitation of SharePoint
Microsoft’s investigation revealed that all three groups are conducting reconnaissance and executing remote code by sending malicious POST requests to the SharePoint ToolPane endpoint.
The attackers upload a malicious script—typically named spinstall0.aspx—which enables further intrusion. Microsoft explained:
“In observed attacks, threat actors send a crafted POST request to the SharePoint server, uploading a malicious script named spinstall0.aspx. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx, etc.”
Once deployed, the script retrieves sensitive MachineKey data and exfiltrates it through GET requests. This stolen key material is then used to facilitate deeper access into systems and maintain persistence.
Profile of the Involved Chinese Threat Actors
Each group has distinct tactics, targets, and capabilities, but all are aligned in their espionage objectives and targeting of public sector entities.
- Linen Typhoon (APT27, Emissary Panda, Bronze Union, Budworm) has operated since 2012 and focuses on intellectual property theft. Targets include:
  - Government bodies
  - Defense contractors
  - Human rights organizations
  - Strategic planning entities
- Violet Typhoon (APT31, Bronze Vinewood, Judgment Panda, Zirconium), active since 2015, is primarily focused on espionage. It has targeted:
  - Former military and government staff
  - NGOs and think tanks
  - Academic institutions
  - Media and financial organizations
- Storm-2603, while not as well-documented, has previously deployed both Warlock and LockBit ransomware. Microsoft has not yet confirmed its long-term objectives but assesses with medium confidence that it is China-based.
Confirmed Victims Include U.S. Federal Agencies
The exploitation has already led to multiple high-profile breaches. According to CNBC, hackers compromised the U.S. National Nuclear Security Administration (NNSA), which oversees America’s nuclear weapons. Bloomberg also confirmed additional victims:
- U.S. Department of Education
- Florida Department of Revenue
- Rhode Island General Assembly
More than 100 SharePoint servers across dozens of organizations have already been identified as compromised. Microsoft warns that number is expected to rise.
“Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the company stated.
Investigations are ongoing, and Microsoft has not ruled out the involvement of additional threat actors.
China Denies the Allegations
Responding to the reports, the Chinese Embassy in Washington issued a statement rejecting the accusations. According to Bloomberg:
“China firmly opposes all forms of cyberattacks and smearing without solid evidence.”
Despite this denial, Microsoft’s attribution is backed by years of tracking Chinese-linked groups, including their tactics, toolsets, and historical targeting patterns.
Call for Immediate Action
With the vulnerabilities actively exploited and many servers still unpatched, Microsoft and global security agencies strongly advise:
- Immediate deployment of the latest SharePoint security updates
- Rotation of machine keys and other cryptographic materials
- Close monitoring of SharePoint logs for unusual POST or GET requests
- Blocking of suspicious ASPX file uploads to the ToolPane endpoint
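The attack chain described above (unauthenticated POST to the ToolPane endpoint, followed by requests for spinstall0.aspx or a renamed variant) and the log-monitoring advice in the list above can both be turned into a simple detection pass over IIS request logs. The following script is an added example written for this article; it is not Microsoft's code or part of any official guidance. It assumes the default IIS W3C extended log layout, assumes the ToolPane endpoint lives under /_layouts/15/ToolPane.aspx (the article only says "ToolPane endpoint"), and runs over a handful of constructed log lines embedded in the script, not real traffic:

```python
import re
from dataclasses import dataclass

# Constructed sample IIS W3C log lines for the example (not real traffic).
# The "#Fields:" header is the default IIS layout; the client IPs, users and
# timestamps are invented. Line 3 and 4 model the pattern the article describes:
# an anonymous POST to the ToolPane endpoint, then a GET for spinstall0.aspx.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 31
2025-07-19 10:02:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2025-07-19 10:02:19 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2025-07-19 10:03:40 10.0.0.5 GET /_layouts/15/spinstall2.aspx - 443 - 198.51.100.9 curl/8.0 - 404 0 2 4
2025-07-19 10:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\\bob 10.0.0.21 Mozilla/5.0 https://sp.example/sites/hr 200 0 0 80
"""

# "ToolPane" is the only part of the path the article gives; match it anywhere in the stem.
TOOLPANE = re.compile(r"toolpane", re.IGNORECASE)
# spinstall.aspx, spinstall0.aspx, spinstall1.aspx, ... as listed in Microsoft's description.
SPINSTALL = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass
class Alert:
    when: str
    client: str
    method: str
    path: str
    reason: str


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def scan(text):
    """Flag the two request shapes the article associates with the intrusion."""
    alerts = []
    for rec in parse_w3c(text):
        method, path = rec["cs-method"].upper(), rec["cs-uri-stem"]
        user, client = rec["cs-username"], rec["c-ip"]
        when = f'{rec["date"]} {rec["time"]}'
        # The exploit works without authentication, so an anonymous ("-") POST to
        # ToolPane is the signal; authenticated editors legitimately POST there.
        if method == "POST" and TOOLPANE.search(path) and user == "-":
            alerts.append(Alert(when, client, method, path, "unauthenticated POST to ToolPane endpoint"))
        # Any request for the dropped script is worth an alert, even a 404 probe.
        if method == "GET" and SPINSTALL.search(path):
            alerts.append(Alert(when, client, method, path, "GET for spinstall*.aspx"))
    return alerts


def correlate(alerts):
    """Return client IPs that performed both steps of the described chain."""
    posted, fetched = set(), set()
    for a in alerts:
        (posted if a.method == "POST" else fetched).add(a.client)
    return posted & fetched


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.when} {a.client} {a.method} {a.path}: {a.reason}")
    print("full chain observed from:", sorted(correlate(found)))
```

On the sample above the authenticated POST from DOMAIN\bob is ignored, the anonymous POST and the spinstall0.aspx fetch from 203.0.113.7 are both flagged and correlated into a full-chain hit, and the 404 probe for spinstall2.aspx from a second address is reported on its own. In practice, point `scan` at the real IIS log files and treat any full-chain hit as a reason to start the incident response steps the article lists.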
Enterprise IT teams are being urged to assume compromise if systems remain unpatched and begin incident response procedures.