- Microsoft SharePoint flaw leads to attacks on 400+ organisations.
- Experts say real number could be higher.
A growing number of organisations have been caught up in a wave of cyberattacks tied to a security hole in Microsoft’s SharePoint software installed on-premises. What started as dozens of victims has now ballooned to around 400, according to Dutch cybersecurity firm Eye Security, which has been tracking the situation.
As reported by Bloomberg, the attackers have hit a wide mix of targets – government agencies, private companies, and other groups. Most of them are based in the US, but others are scattered across countries such as Mauritius, Jordan, South Africa, and the Netherlands. Among those affected are high-profile US institutions, including the National Nuclear Security Administration and the National Institutes of Health (NIH), according to people familiar with the matter.
Andrew Nixon, spokesperson for the Department of Health and Human Services, said teams are actively working to monitor and reduce risks from the SharePoint flaw. “At present, we have no indication that any information was breached,” he said, adding that the department is working with Microsoft and the US Cybersecurity and Infrastructure Security Agency.
Security experts say this is still unfolding. Vaisha Bernard, co-owner of Eye Security, warned that the actual number of affected systems could be much higher, since some intrusions may leave no clear traces. Hackers are likely still probing vulnerable servers for openings, she said.
The victims span sectors like government, education, and tech services. And while the bulk are in the US, the attack has reached parts of Europe, Asia, the Middle East, and South America.
According to Sveva Scenarelli, a threat analyst at Recorded Future, state-backed hackers often move in waves. First come the quiet, targeted breaches. Then, once the vulnerability is out in the open, it becomes a free-for-all. After gaining access, hackers can sift through their targets, looking for high-value organisations to go deeper into – stealing data, planting backdoors, or setting up long-term access.
The breach is already making its way into international talks. US Treasury Secretary Scott Bessent said the SharePoint attacks are likely to come up during his meeting with Chinese officials in Stockholm next week. “Obviously things like that will be on the agenda,” he said in an interview.
So far, Microsoft has pointed to several Chinese hacking groups – Linen Typhoon, Violet Typhoon, and Storm-2603 – as those exploiting the flaw. All are believed to be tied to Beijing. The groups have a long history of targeting US government systems, military personnel, human rights organisations, and intellectual property.
Microsoft describes the groups it’s identified as follows:
- Violet Typhoon: Focused on espionage, often targeting former government and military figures, NGOs, and media.
- Linen Typhoon: Operating for over a decade, known for stealing intellectual property from government and defence-related organisations.
- Volt Typhoon: Linked to attacks on US critical infrastructure, including energy and water systems.
- Salt Typhoon: Known for targeting telecom firms around the world.
- Silk Typhoon: Believed to be tied to Chinese intelligence, with a focus on sensitive research – including COVID-19 vaccines.
Microsoft has publicly blamed China for multiple breaches in recent years. That includes the 2021 Microsoft Exchange hack that hit tens of thousands of servers, and a 2023 breach where US officials’ emails were compromised. A government review later faulted Microsoft for what it called a “cascade of security failures.”
Edwin Lyman, who leads nuclear power safety at the Union of Concerned Scientists, said that while the National Nuclear Security Administration holds highly restricted data, the most sensitive networks are kept offline. “Even if those networks were compromised, I’m not sure how such information could have been transmitted to the adversaries,” he said. Still, there’s a concern that less tightly protected information – like nuclear materials data – could have been exposed.
According to Microsoft, Linen Typhoon has been active since 2012, and Violet Typhoon since 2015. Both have repeatedly targeted US and international organisations in government, education, and civil society.
Benincasa, a researcher at ETH Zurich’s Centre for Security Studies, said that while these hacking groups are believed to operate with state backing, many of the attacks are likely carried out by private contractors working indirectly for the Chinese government. The “hacker-for-hire” operations are common in the country, he said.
Now that at least three groups are known to have used the SharePoint flaw, more may follow.
China, for its part, has denied involvement. “Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,” said Foreign Ministry spokesperson Guo Jiakun. “China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”
Microsoft has released patches to fix the SharePoint vulnerability, but experts say the damage may already be done. Once inside, hackers can steal authentication keys and use them to pose as legitimate users or services – making it much harder to detect or remove them.