Chinese “threat actors” have hacked Microsoft’s SharePoint document software servers and targeted the data of the businesses using it, the firm has said.
China state-backed Linen Typhoon and Violet Typhoon as well as China-based Storm-2603 were said to have “exploited vulnerabilities” in on-premises SharePoint servers, the kind used by firms, but not in its cloud-based service.
The US tech giant has released security updates in response and has advised all on-premises SharePoint server customers to install them.
“Investigations into other actors also using these exploits are still ongoing,” Microsoft said in a statement.
The firm said it had “high confidence” the hackers would continue to target systems which have not installed its security updates.
It added that it would update its website blog with more information as its investigation continues.
Microsoft said it had observed attacks in which hackers had sent a request to a SharePoint server “enabling the theft of the key material by threat actors”.
Charles Carmakal, chief technology officer at Mandiant Consulting firm, a division of Google Cloud, told the BBC it was “aware of several victims in several different sectors across a number of global geographies”.
Carmakal said it appeared that governments and businesses that use SharePoint on their sites were the primary target.
A number of adversaries who stole material encoded by cryptography were then able to regain ongoing access to the victims’ SharePoint data, he said.
“This was exploited in a very broad way, very opportunistically before a patch was made available. That’s why this is significant,” Carmakal said.
Carmakal said the “China-nexus actor” was deploying techniques similar to previous campaigns associated with Beijing.
Microsoft said Linen Typhoon had “focused on stealing intellectual property, primarily targeting organizations related to government, defence, strategic planning, and human rights” for 13 years.
It added that Violet Typhoon had been “dedicated to espionage”, primarily targeting former government and military staff, non-governmental organizations, think tanks, higher education, the media, the financial sector and the health sector in the US, Europe, and East Asia.
Meanwhile, Storm-2603 was “assessed with medium confidence to be a China-based threat actor”.