Microsoft servers hacked by Chinese groups, says tech giant

Chinese "threat actors" have hacked some Microsoft SharePoint servers and targeted the data of the businesses using them, the firm has said.

China state-backed Linen Typhoon and Violet Typhoon as well as China-based Storm-2603 were said to have "exploited vulnerabilities" in on-premises SharePoint servers, the kind used by firms, but not in its cloud-based service.

The US tech giant has released security updates in response and has advised all on-premises SharePoint server customers to install them.

"China firmly opposes and combats all forms of cyber attacks and cyber crime," China's US embassy spokesman said in a statement.

"At the same time, we also firmly oppose smearing others without solid evidence," continued Liu Pengyu in the statement posted on X.

Microsoft said it had "high confidence" the hackers would continue to target systems which have not installed its security updates.

"Investigations into other actors also using these exploits are still ongoing," Microsoft said in a statement.

It added that it would update its website blog, external with more information as its investigation continues.

Microsoft said it had observed attacks in which hackers had sent a request to a SharePoint server "enabling the theft of the key material by threat actors".

The UK's National Cyber Security Centre said this included "a limited number" of SharePoint Server customers in the UK.

Charles Carmakal, chief technology officer at Mandiant Consulting firm, a division of Google Cloud, told BBC News it was "aware of several victims in several different sectors across a number of global geographies".

Carmakal said it appeared that governments and businesses that use SharePoint on their sites were the primary target.

A number of adversaries who stole material encoded by cryptography were then able to regain ongoing access to the victims' SharePoint data, he said.

"This was exploited in a very broad way, very opportunistically before a patch was made available. That's why this is significant," Carmakal said.

Carmakal said the "China-nexus actor" was deploying techniques similar to previous campaigns associated with Beijing.

Microsoft said Linen Typhoon had "focused on stealing intellectual property, primarily targeting organizations related to government, defence, strategic planning, and human rights" for 13 years.

It added that Violet Typhoon had been "dedicated to espionage", primarily targeting former government and military staff, non-governmental organizations, think tanks, higher education, the media, the financial sector and the health sector in the US, Europe, and East Asia.

Meanwhile, Storm-2603 was "assessed with medium confidence to be a China-based threat actor".

Sign up for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? Sign up here.