This month, Microsoft released a security patch intended to resolve a serious vulnerability in its SharePoint server software, but new evidence indicates that the fix was insufficient, potentially facilitating a widespread global cyber espionage campaign, according to a timeline reviewed by Reuters.
A Microsoft representative confirmed on Tuesday that the original fix for the vulnerability, first unveiled at a hacking competition in May, failed to address the issue. The company has since issued additional patches to fully rectify the problem.
The identity of the actors behind this cyber spying initiative remains uncertain, with approximately 100 organizations targeted over the past weekend. Experts suggest that the scope of the infiltration could expand as more hackers become involved.
In a recent blog post, Microsoft alleged that two hacking groups with purported connections to China, referred to as “Linen Typhoon” and “Violet Typhoon,” are exploiting the identified vulnerabilities, alongside another group believed to be based in China.
Both Microsoft and Alphabet’s Google have indicated that the initial series of attacks was likely conducted by hackers linked to the Chinese government.
While Chinese state-sponsored hackers are frequently associated with various cyber offenses, Beijing consistently denies involvement in such activities. In a statement from its embassy in Washington, China condemned all forms of cyberattacks and criticized accusations made without credible evidence.
The flaw that enabled these attacks was first discovered in May during a hacking competition in Berlin organized by cybersecurity firm Trend Micro, which offered monetary rewards for uncovering software vulnerabilities.
A $100,000 prize was available for discovering “zero-day” exploits—previously unknown vulnerabilities that could potentially be leveraged against SharePoint, Microsoft’s leading document management and collaboration tool.
The breach included significant agencies like the U.S. National Nuclear Security Administration, which is responsible for the nation’s nuclear weapons program, according to Bloomberg News, citing an informed source.
No sensitive or classified information is reported to have been compromised during this incident.
The U.S. Energy Department, U.S. Cybersecurity and Infrastructure Security Agency, and Microsoft did not respond immediately to Reuters’ inquiries regarding the breach.
A researcher from Viettel, a telecommunications company owned by the Vietnamese military, discovered the SharePoint vulnerability at the May event, naming it “ToolShell” and demonstrating an exploitation method. This discovery earned the researcher the $100,000 reward, as documented in an X post by Trend Micro’s “Zero Day Initiative.”
Trend Micro noted that participating vendors are accountable for patching and promptly disclosing security issues. The company acknowledged that “patches will occasionally fail,” a circumstance that has indeed occurred with SharePoint in the past.
In a security update issued on July 8, Microsoft acknowledged the bug, categorizing it as a critical vulnerability, and released fixes to address it. However, within about ten days, cybersecurity firms began observing a spike in harmful online activity targeting SharePoint servers.
British cybersecurity firm Sophos commented in a recent blog post that “threat actors subsequently developed exploits that appear to bypass these patches.”
The pool of potential targets for ToolShell is extensive. Data from the search engine Shodan indicates that hackers may have already breached over 8,000 online servers.
These servers are part of networks that include auditors, banks, healthcare organizations, major industries, and various U.S. state and international government entities.
The Shadowserver Foundation, an organization that scans the internet for digital vulnerabilities, estimated that over 9,000 servers could be impacted, though it emphasized that this is a conservative figure. It noted that the majority of affected servers are located in the United States and Germany.
On Tuesday, Germany’s Federal Office for Information Security (BSI) reported it had found no compromised SharePoint servers within government networks, even though some were identified as vulnerable to the ToolShell exploit.
© Thomson Reuters 2025