Chinese hackers strike Microsoft SharePoint servers, posing a security threat
In a concerning turn of events, three Chinese hacking groups - Linen Typhoon, Violet Typhoon, and Storm-2603 - have been identified by Microsoft as the principal actors exploiting critical zero-day vulnerabilities in on-premises Microsoft SharePoint servers in July 2025. These groups are nation-state or nation-state affiliated actors targeting strategic sectors globally.
Who they are and their history
Linen Typhoon has been active since 2012 and primarily focuses on stealing intellectual property from government, defense, strategic planning, and human rights organizations. It is characterized as a China-nexus (likely nation-state) threat actor.
Violet Typhoon is another China-based nation-state actor tracked by Microsoft, active since 2015. Like Linen Typhoon, it conducts cyber-espionage consistent with China's strategic interests, with a focus on former government and military personnel, NGOs, think tanks, higher education, and media organizations.
Storm-2603 is a relatively newer threat actor that Microsoft assesses, with medium confidence, to be China-based. Unlike typical espionage-focused groups, it has recently been observed deploying ransomware, notably the Warlock ransomware, using access gained through the SharePoint vulnerabilities.
Notable recent cyberattacks involving them
In July 2025, these three groups were the first actors Microsoft observed in one of the largest exploitation campaigns ever to hit on-premises SharePoint Server, abusing vulnerabilities CVE-2025-49704 and CVE-2025-49706, among others. Early reports counted more than 50 confirmed victims worldwide, including U.S. and U.K. government agencies and critical infrastructure sectors such as healthcare and finance; later tallies of compromised systems were far higher.
The exploitation was opportunistic and broad: once the flaws became public, multiple threat actors beyond the original China-linked groups began exploiting them, widening the threat well past the initial operators.
Microsoft and cybersecurity experts link the initial activity to persistent Chinese cyber-espionage efforts aimed at stealing intellectual property, with Storm-2603 additionally using its access to deploy ransomware, which puts critical infrastructure directly at risk.
Context
These groups are part of a larger ecosystem of Chinese state-affiliated or China-nexus hacking organizations. In Microsoft's threat actor naming scheme, the suffix "Typhoon" denotes China-based actors, and these groups are known for targeting strategic interests globally. Other related groups, such as Volt Typhoon and Flax Typhoon, have previously targeted infrastructure and government systems.
Summary
Linen Typhoon and Violet Typhoon are established Chinese nation-state groups focused on intelligence and IP theft. Storm-2603 is an emerging China-linked threat actor involved in ransomware deployments. All three exploited zero-day SharePoint vulnerabilities in July 2025, causing widespread impact across governments and industries globally.
These events fit a continuing pattern of China-linked cyber operations targeting critical infrastructure and sensitive sectors worldwide. The hackers targeted hundreds of organizations, with over 400 computer systems compromised according to Eye Security. The Typhoon groups have been active for a decade or more and are known for intellectual property theft and espionage.
Microsoft has attributed the attacks to groups backed by China, including Linen Typhoon, Violet Typhoon, and Storm-2603. The vulnerabilities allowed attackers to retrieve credential material from the server, including the ASP.NET machine keys used to sign and encrypt SharePoint's ViewState, and to gain persistent access to SharePoint servers hosted at customers' own facilities. SharePoint Online, the cloud-hosted service, was not affected. The ubiquity of Microsoft software in enterprises makes it a prime target for attackers seeking to steal money or information.
Microsoft is at the center of a cybersecurity crisis because of hackers exploiting flaws in SharePoint servers. The company urges customers to patch SharePoint servers to avoid becoming victims, as investigations into other actors using these exploits are ongoing. Patching alone does not evict an attacker who has already stolen the machine keys, so Microsoft's guidance is to rotate the ASP.NET machine keys and restart IIS after applying the update. Rodrigue Le Bayon, head of Orange Cyberdefense's computer emergency response team, stated that targeting Microsoft programs is a means to an end, and tomorrow it could be software from another company.
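Patching is the fix, but defenders also need to know whether a server was hit before the patch landed. The script below is an added example, not code from the article or from Microsoft: it scans IIS W3C log lines for the two indicators Microsoft published for this campaign, a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx (the authentication-bypass request shape), and any request for spinstall0.aspx, the web shell used to dump the machine keys. The log lines, server names and IP addresses are constructed for the example; the field order in the #Fields header is also assumed, and a real server's header is parsed the same way.

```python
"""Hunt IIS logs for the ToolShell (CVE-2025-49706 / CVE-2025-49704) exploitation pattern.

Added example; not from the original article and not Microsoft's code.
The indicators are the ones Microsoft published for this campaign; the log
data below is constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set
from urllib.parse import parse_qs

# Reason strings returned with each hit.
REASON_TOOLPANE = "ToolPane.aspx POST with SignOut.aspx Referer (ToolShell auth bypass shape)"
REASON_SPINSTALL = "spinstall0.aspx requested (web shell used to dump ASP.NET machine keys)"

# Constructed IIS log excerpt. The first two lines are the usual IIS directives;
# the #Fields line defines the column order and is parsed, not assumed.
# Line 2 and 3 are the exploitation pattern; line 4 is a legitimate page edit
# from an internal user and must NOT be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 22:14:03 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 10.0.1.20 https://sp.corp.example/sites/hr 200
2025-07-18 22:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 /_layouts/SignOut.aspx 200
2025-07-18 22:15:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 - 200
2025-07-18 22:16:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.1.20 https://sp.corp.example/_layouts/15/settings.aspx 200
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    uri: str
    reason: str


def _field(row: dict, name: str) -> str:
    """Return a logged field, treating IIS's '-' placeholder as empty."""
    value = row.get(name, "")
    return "" if value == "-" else value


def find_toolshell_indicators(lines: Iterable[str]) -> List[Finding]:
    """Parse W3C-format IIS log lines and return every line matching a published indicator."""
    fields: List[str] = []
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if line.startswith("#") or not fields:
            continue                           # other directives, or data before a header
        parts = line.split()
        if len(parts) != len(fields):
            continue                           # malformed line; skip rather than mis-map columns
        row = dict(zip(fields, parts))

        method = _field(row, "cs-method").upper()
        stem = _field(row, "cs-uri-stem").lower()
        query = parse_qs(_field(row, "cs-uri-query"))
        referer = _field(row, "cs(Referer)").lower()
        when = f"{_field(row, 'date')} {_field(row, 'time')}"
        client = _field(row, "c-ip")

        # Indicator 1: the auth-bypass request. Legitimate ToolPane edits carry a
        # normal SharePoint page as Referer, so the SignOut.aspx Referer is the
        # discriminator, not the POST itself.
        display_mode = query.get("DisplayMode", [""])[0].lower()
        if (method == "POST" and stem.endswith("/toolpane.aspx")
                and display_mode == "edit" and referer.endswith("/_layouts/signout.aspx")):
            findings.append(Finding(when, client, stem, REASON_TOOLPANE))

        # Indicator 2: any touch of the dropped web shell, regardless of status code.
        if "spinstall0" in stem:
            findings.append(Finding(when, client, stem, REASON_SPINSTALL))
    return findings


def suspicious_clients(findings: List[Finding]) -> Set[str]:
    """Distinct source addresses that produced at least one indicator hit."""
    return {f.client_ip for f in findings}


if __name__ == "__main__":
    hits = find_toolshell_indicators(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f"{hit.timestamp}  {hit.client_ip:15}  {hit.uri}  {hit.reason}")
    print("clients to investigate:", sorted(suspicious_clients(hits)))
```

A hit on either indicator means the server should be treated as compromised, not merely unpatched: the keys read by spinstall0.aspx let the attacker forge signed ViewState and regain code execution after the update, which is why key rotation has to follow the patch.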
- Linen Typhoon and Violet Typhoon are long-established Chinese nation-state or nation-state affiliated actors; Storm-2603 is a newer China-linked group.
- Linen Typhoon, active since 2012, primarily focuses on stealing intellectual property from government, defense, strategic planning, and human rights organizations.
- Violet Typhoon, another China-based group, is involved in cyber-espionage activities consistent with China's strategic interests.
- Storm-2603, while relatively newer, has recently started deploying ransomware using access gained through the SharePoint vulnerabilities.
- In July 2025, these three groups led a massive exploitation campaign against on-premises SharePoint servers, affecting hundreds of organizations worldwide, including U.S. and U.K. government agencies and critical sectors like healthcare and finance.