Three groups of hackers have exploited a flaw in Microsoft software to infect 400 companies and government bodies. The American nuclear agency has been affected.
Following the exploitation of a security flaw attributed to Chinese groups, software from the American giant Microsoft is at the center of serious concerns, as several hundred organizations may have been targeted.
While this type of incident is not a first for the group, the scale of the potential targets and the speed with which the flaws were exploited have been widely commented on.
On Saturday, July 19, the Dutch company Eye Security publicly reported several attacks carried out by means of a security flaw in the SharePoint file-sharing software, prompting a reaction from the American group, which confirmed the existence of the vulnerability the same day.
The vulnerabilities, which allow third parties to recover credentials without authorization and then gain access to SharePoint servers, “only affect on-premises SharePoint servers,” said Microsoft, as opposed to the use of SharePoint in the cloud.
• What are the targeted organizations?
According to Eye Security, “more than 400 systems actively compromised during four waves of confirmed attacks” were discovered.
According to Bloomberg, several state organizations in Europe, the Middle East and the United States, including the US federal agency in charge of nuclear security (NNSA), have been targeted.
“On-premises SharePoint servers – in particular in governments, schools, the health sector (including hospitals) and large companies – are exposed to an immediate risk,” warns the research team of the American company Palo Alto Networks, in a note published online.
Microsoft has not communicated the number of victims of the attacks. According to the latest figures published by Microsoft, in 2020, SharePoint had more than 200 million active users.
• Who are the attackers?
On Tuesday, Microsoft named three groups as responsible for the attacks. The first two, called Linen Typhoon and Violet Typhoon, are described as Chinese state actors, while a third, Storm-2603, “is considered with moderate confidence to be a threat actor based in China.”
According to the company, the first two actors, active since 2012 and 2015 respectively, are known for “the theft of intellectual property” and espionage. Regarding the third, the company indicates that it is unable to determine its motivations with certainty.
“Investigations into other actors also using these exploits are still underway,” said Microsoft, which highlighted a high risk that other malicious actors will exploit the flaw on unpatched servers.
On his blog Zataz, the cybersecurity expert Damien Bancal noted on Wednesday the publication, on a well-known site, of “ready-to-use exploit code (for the flaw)”.
• Why is Microsoft targeted?
“This new incident continues a series of sophisticated attacks by state groups against the Microsoft ecosystem,” said Damien Bancal. In 2021, an attack campaign led by the Chinese group Silk Typhoon had compromised “tens of thousands” of Exchange email servers.
With software used worldwide, including by critical organizations, the Redmond (Washington State) firm is a prime target for attackers.
Especially since this software, used daily, “can house sensitive intellectual property, strategic planning documents and internal communications,” said Shane Barney, head of information systems at the American company Keeper.
“It is not Microsoft that is targeted, it is its customers. Microsoft software is only a means, and tomorrow it could affect software from another company,” Rodrigue Le Bayon, head of the Computer Emergency Response Team (CERT) of Orange Cyberdefense, told AFP.
• What is the role of China?
This type of cyberattack “is not specific to China,” notes Rodrigue Le Bayon, who points to the growing importance of computer attacks worldwide.
China is nevertheless repeatedly singled out by many companies, especially American ones, but also by states.
In 2024, several Western countries had already accused hacker groups presented as backed by the Chinese state of carrying out a global cyberespionage campaign against personalities critical of Beijing, democratic institutions and companies in various sensitive sectors.