Microsoft Warns Of Global Ransomware Attacks Exploiting SharePoint Flaw
Microsoft has revealed that a hacking group it believes operates from China has been exploiting vulnerabilities in its SharePoint server software to launch ransomware attacks against organisations around the world.
The company said the group, tracked as Storm-2603, has previously conducted ransomware campaigns that lock victims out of their systems until payment is made. In a statement published on Wednesday, Microsoft said it was moderately confident the attackers were based in China but could not definitively determine their ultimate objectives.
The attack method takes advantage of weaknesses in SharePoint servers that allow intruders to obtain security keys. These keys can be used to impersonate legitimate users or services, potentially giving attackers deep access within compromised networks and the ability to steal sensitive data.
A range of organisations has already been affected. The US National Institutes of Health was among those impacted through the SharePoint flaws, according to a person familiar with the situation. Officials from the US Department of Health and Human Services said their cybersecurity teams were working to monitor and mitigate risks linked to the vulnerability, adding that there is currently no indication any sensitive information has been exposed.

South Africa’s National Treasury also reported discovering malware within its network and has sought assistance from Microsoft. Authorities said its online systems remain operational.
Security specialists believe the true scale of the incident may not yet be fully understood. Vaisha Bernard, co-owner of cybersecurity firm Eye Security, said the number of victims could be significantly higher because some compromised servers may not show obvious signs of intrusion. He added that other attackers may also be exploiting the same vulnerability while systems remain unpatched.
The organisations affected so far span government, education and technology sectors. Victims have been identified in multiple regions including Europe, Asia, the Middle East and South America.
Analysts say large-scale cyberattacks often follow a predictable pattern. According to Sveva Scenarelli, a threat analyst at Recorded Future, state-backed hackers typically begin with highly targeted operations before expanding their activity once a vulnerability becomes widely known. Once access is established, attackers may assess compromised networks and focus on those offering the most valuable information.
The incident has also added to existing geopolitical tensions. US Treasury Secretary Scott Bessent indicated the cyberattacks may be discussed in upcoming trade talks with Chinese officials scheduled to take place in Stockholm.
Microsoft has issued security patches to address the SharePoint vulnerabilities. However, researchers warn that attackers may already have established long-term access in some affected systems.
The company also linked the activity to other China-associated hacking groups known as Linen Typhoon and Violet Typhoon. Linen Typhoon, first identified in 2012, has focused largely on stealing intellectual property from organisations connected to government, defence and strategic planning. Violet Typhoon, observed since 2015, has carried out espionage operations targeting former government officials, military personnel, media organisations and education institutions across the United States, Europe and East Asia.
Previous reports have indicated that systems at the US Department of Education, Florida’s Department of Revenue and the Rhode Island General Assembly were also compromised through the SharePoint vulnerabilities.
Cybersecurity researcher Eugenio Benincasa from ETH Zurich said the groups linked to the attacks have previously been charged in the United States for alleged hacking campaigns. He suggested some operations may involve private contractors carrying out attacks on behalf of state interests through so-called hacker-for-hire arrangements.
Experts also noted that highly classified government systems are usually isolated from the internet. Edwin Lyman of the Union of Concerned Scientists said networks storing the most sensitive information are typically separated from public networks, which limits the risk of direct data extraction. However, he warned that other sensitive but unclassified material could still be exposed in such breaches.
China’s Foreign Ministry has denied responsibility for the attacks. A spokesperson said the country opposes hacking activities and supports international cooperation on cybersecurity while rejecting accusations made against it.























































































