The United States National Nuclear Security Administration (NNSA) is among approximately 400 organizations that have been compromised in a wave of cyberattacks exploiting newly discovered vulnerabilities in Microsoft SharePoint servers. According to Microsoft and Dutch cybersecurity firm Eye Security, the intrusions have been attributed to three China-based threat groups, including two believed to be state-sponsored.
Microsoft reported that the threat actors, identified as Linen Typhoon, Violet Typhoon and Storm-2603, began targeting vulnerable on-premises SharePoint servers starting in early July 2025. These actors exploited several security flaws listed as CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771, which allow attackers to bypass authentication and remotely execute malicious code. Eye Security detected abnormal activity on a client’s SharePoint server on July 18 and subsequently scanned more than 8,000 publicly accessible servers.
The firm confirmed dozens of compromised systems and expects the total number to increase as further investigations are conducted. Most of the affected organizations are based in the United States and operate across government, defense, healthcare and academic sectors. Microsoft clarified that the vulnerabilities affect only on-premises versions of SharePoint Server and do not impact the cloud-based SharePoint Online platform. In the observed attacks, threat actors used crafted POST requests to install web shells such as files named spinstall0.aspx.
Mitigation measures and geopolitical context shape response
These files enabled the attackers to extract machine key data used for authentication, thereby maintaining unauthorized access. Linen Typhoon has been active since 2012 and is known for targeting institutions involved in policy, government operations and human rights to steal intellectual property. Violet Typhoon, first tracked in 2015, has focused on espionage efforts directed at non-governmental organizations, academic institutions, media outlets and former military personnel in the United States, Europe and East Asia.
Microsoft assesses with medium confidence that Storm-2603 is based in China but has not linked it to the other known actors. This group has previously deployed ransomware in other operations. Microsoft has released critical security updates for supported versions of SharePoint Server, including the Subscription Edition, 2019 and 2016. The company advised immediate installation of these patches and recommended additional steps such as rotating machine keys, enabling the Antimalware Scan Interface in full mode and deploying Microsoft Defender for Endpoint or equivalent tools to detect post-exploitation activity.
The cyberattacks coincide with broader geopolitical tensions and a reassessment of technology cooperation between the United States and China. Reports indicate that Amazon has shut down its artificial intelligence lab in Shanghai, while McKinsey & Company has restricted its China operations from engaging in AI-related projects. Microsoft and IBM have also reduced their China-based research efforts as scrutiny of U.S. technology partnerships continues to grow. – By Content Syndication Services.