On Monday, two organizations that helped uncover the campaign reported that a serious cyber attack targeting Microsoft’s SharePoint server software had affected approximately 100 organizations. The breach, discovered over the weekend, is part of a broader hacking campaign that has triggered global concern.
Microsoft had issued an alert on Saturday about “active attacks” on self-hosted SharePoint servers, which are widely used by organizations for internal document sharing and collaboration. SharePoint instances running on Microsoft’s own servers were unaffected.
Dubbed a “zero-day” because it exploits a previously undisclosed vulnerability, the attack allows threat actors to penetrate vulnerable servers and potentially install backdoors, ensuring continuous access to victim organizations.
Vaisha Bernard, chief hacker at Eye Security, a Netherlands-based cybersecurity firm that discovered the hacking campaign targeting one of its clients on Friday, stated that an internet scan conducted with the Shadowserver Foundation revealed nearly 100 victims in total—even before the technique behind the hack was widely known.
“It’s unambiguous,” Bernard said. “Who knows what other adversaries have done since to place other backdoors.”
He declined to identify the affected organizations, noting that the relevant national authorities had been notified. The Shadowserver Foundation confirmed the figure of 100, adding that most of the affected entities were in the United States and Germany, and victims included government organizations.
Another researcher indicated that, so far, the spying appeared to be the work of a single hacker or group of hackers. “It’s possible that this will quickly change,” said Rafe Pilling, Director of Threat Intelligence at Sophos, a British cybersecurity firm.
Microsoft, in an emailed statement, confirmed it had “provided security updates and encourages customers to install them.”
The identity of those behind the ongoing hack remains unclear. However, Alphabet’s Google, which has extensive visibility into internet traffic, stated it had linked at least some of the hacks to a “China-nexus threat actor.” The Chinese Embassy in Washington did not immediately respond to a request for comment; Beijing routinely denies carrying out hacking operations.
The FBI stated on Sunday that it was aware of the attacks and was collaborating closely with its federal and private-sector partners, but offered no further details. Britain’s National Cyber Security Centre noted it was aware of “a limited number” of targets in the United Kingdom. A researcher tracking the campaign indicated it initially appeared to target a narrow set of government-related organizations.
The pool of potential targets remains vast. According to data from Shodan, a search engine for internet-linked equipment, over 8,000 servers online could theoretically have already been compromised. Shadowserver put the number slightly higher at over 9,000, cautioning that this figure represented a minimum. These vulnerable servers include those of major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities.
“The SharePoint incident appears to have created a broad level of compromise across a range of servers globally,” said Daniel Card of British cybersecurity consultancy PwnDefend.
“Taking an assumed breach approach is wise, and it’s also important to understand that just applying the patch isn’t all that is required here.”

