
Chinese Hackers Exploit Critical SharePoint ‘ToolShell’ Flaws

Summary

Microsoft confirmed three Chinese threat groups (Linen Typhoon, Violet Typhoon, Storm-2603) are exploiting critical SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-53771), dubbed ‘ToolShell’.
– Linen Typhoon (APT27) is a Chinese state-backed group active since 2010, targeting embassies and organizations for government, defense, and human rights data.
– Violet Typhoon (APT31) is another Chinese state-backed actor focused on intellectual property theft, targeting NGOs, academia, and media in the US, Europe, and East Asia.
– Storm-2603’s links to other Chinese threat actors remain unclear, though it has deployed ransomware and exploits SharePoint vulnerabilities to steal MachineKeys.
– Experts warn the ‘ToolShell’ campaign is strategic, aiming to access high-value targets, and predict more threat actors will exploit these vulnerabilities.

Chinese-linked hacking groups are actively exploiting critical vulnerabilities in Microsoft SharePoint servers, posing significant risks to organizations worldwide. Microsoft has identified three threat actors, Linen Typhoon, Violet Typhoon, and Storm-2603, leveraging flaws tracked as CVE-2025-53770 and CVE-2025-53771. These exploits, collectively called ‘ToolShell,’ allow attackers to compromise internet-facing SharePoint systems, potentially stealing sensitive data or deploying ransomware.

Linen Typhoon (APT27), a well-known Chinese state-backed group, has targeted foreign embassies and organizations since 2010. Specializing in intelligence gathering, the group focuses on government, defense, and human rights sectors. Earlier this year, the U.S. charged two individuals linked to APT27 for hacking American entities, causing millions in damages.

Violet Typhoon (APT31), another Chinese-affiliated actor, primarily steals intellectual property to undermine competitors. Their victims include former government officials, NGOs, universities, and media organizations across the U.S., Europe, and East Asia. The group frequently scans for weaknesses in web infrastructure, deploying malicious tools like web shells to maintain access.

While Storm-2603 is also suspected to operate from China, its exact motives and affiliations remain unclear. Microsoft confirmed the group has exploited SharePoint vulnerabilities to steal encryption keys and has previously deployed ransomware such as Warlock and LockBit.

Security experts warn that these attacks are not random but part of a coordinated campaign targeting high-value sectors. Lorri Janssen-Anessi of BlueVoyant stressed that unpatched, internet-facing systems are already at risk, urging organizations to prioritize updates.

Mandiant’s Charles Carmakal echoed this sentiment, predicting more threat actors will adopt these exploits. Microsoft expects attacks to escalate as hackers integrate the vulnerabilities into their toolkits. Investigations into additional groups exploiting these flaws are ongoing, highlighting the urgency for businesses to secure their SharePoint environments.

The situation underscores the persistent threat posed by state-sponsored cyber operations and the critical need for proactive defense measures. Organizations must patch systems immediately and monitor for suspicious activity to mitigate potential breaches.

(Source: InfoSecurity Magazine)
