Three China-linked hacking groups have been identified as being behind a global campaign exploiting vulnerabilities in Microsoft's on-premises SharePoint Server, leaving hundreds of organizations around the world compromised or exposed to compromise.
The vulnerability chain, dubbed ToolShell, traces back to the Pwn2Own hacking competition in Berlin in May, where researchers demonstrated that an unauthenticated attacker could achieve remote code execution on a SharePoint server and reach the sensitive data it holds. Microsoft patched the demonstrated flaws in its July security update, but within days of that update its customers were reporting on-premises SharePoint servers being plundered.
The three groups, Linen Typhoon, Violet Typhoon, and Storm-2603, all assessed to be part of China's cyber apparatus, exploited the same SharePoint vulnerabilities at the same time. Researchers are puzzled by how three separate groups obtained working exploits so quickly, raising concerns that details leaked from the Microsoft Active Protections Program (MAPP), through which Microsoft shares advance vulnerability information with security vendors, including Chinese companies, before patches ship.
Microsoft's July update fixed the two flaws shown at Pwn2Own (CVE-2025-49704, a remote code execution bug, and CVE-2025-49706, an authentication bypass), and the company warned that attackers were actively exploiting servers that had not been updated. Days later it acknowledged two further vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which bypass the first patch: the attackers understood the underlying flaw well enough to route around the fix, a sign of a capable and well-resourced adversary. Because the intruders used their access to steal servers' ASP.NET machine keys, Microsoft's guidance was that installing the update alone is not enough; administrators must also rotate the machine keys and restart IIS, or an attacker who already holds the keys can keep forging valid requests to a patched server.
The search for explanations is ongoing, and experts warn that the emerging pattern is concerning. Researchers believe Linen Typhoon and Violet Typhoon pursued classic intelligence-gathering priorities, while Storm-2603's motives remain unclear: Microsoft observed it deploying ransomware on compromised servers, and some speculate that the ransomware activity may be a smokescreen for more sinister aims.
As Western defenders struggle to understand the motivations behind the ToolShell campaign, they have few data points for distinguishing state units, contractors, and cybercriminal actors within China's sprawling cyber ecosystem. The incident underscores ongoing concern about China's expanding role in global cyber operations and the need for greater vigilance from organizations around the world.
Source: https://therecord.media/three-hacking-groups-two-vulnerabilities-china-microsoft