
SharePoint zero-day impact ripples around the world

Posted on July 22, 2025

A sweeping cyber espionage operation targeting Microsoft server software compromised about 100 organisations as of the weekend, two of the organisations that helped uncover the campaign said on Monday.

Microsoft on Saturday issued an alert about “active attacks” on self-hosted SharePoint servers, which are widely used by organisations to share documents and collaborate within organisations. SharePoint instances run off of Microsoft servers were unaffected.

Dubbed a “zero-day” because it leverages a previously undisclosed digital weakness, the hacks allow spies to penetrate vulnerable servers and potentially drop a backdoor to secure continuous access to victim organisations.


Vaisha Bernard, the chief hacker at Eye Security, a Netherlands-based cybersecurity firm, which discovered the hacking campaign targeting one of its clients on Friday, said that an internet scan carried out with the Shadowserver Foundation had uncovered nearly 100 victims altogether — and that was before the technique behind the hack was widely known.

“It’s unambiguous,” Bernard said. “Who knows what other adversaries have done since to place other backdoors.”

He declined to identify the affected organisations, saying that the relevant national authorities had been notified.

The Shadowserver Foundation confirmed the 100 figure. It said most of those affected were in the US and Germany, and the victims included government organisations.

‘China-nexus threat actor’

Another researcher said that, so far, the spying appeared to be the work of a single hacker or set of hackers. “It’s possible that this will quickly change,” said Rafe Pilling, director of Threat Intelligence at Sophos, a British cybersecurity firm.

Microsoft had “provided security updates and encourages customers to install them”, a company spokesman said in an e-mailed statement.

It was not clear who was behind the ongoing hack, but Google, which has visibility into wide swathes of internet traffic, said it tied at least some of the hacks to a “China-nexus threat actor”.


The Chinese Embassy in Washington didn’t immediately respond to a message seeking comment; Beijing routinely denies carrying out hacking operations.

The FBI said on Sunday it was aware of the attacks and was working closely with its federal and private sector partners, but offered no other details. Britain’s National Cyber Security Centre said in a statement that it was aware of “a limited number” of targets in the UK. A researcher tracking the campaign said that the campaign appeared initially aimed at a narrow set of government-related organisations.

The pool of potential targets remains vast. According to data from Shodan, a search engine that helps to identify internet-linked equipment, over 8 000 servers online could theoretically have already been compromised by hackers. Shadowserver put the number at a little more than 9 000, while cautioning that the figure was a minimum.

Those servers include major industrial firms, banks, auditors, healthcare companies and several US state-level and international government entities.


“The SharePoint incident appears to have created a broad level of compromise across a range of servers globally,” said Daniel Card of British cybersecurity consultancy PwnDefend. “Taking an assumed breach approach is wise, and it’s also important to understand that just applying the patch isn’t all that is required here.”  — James Pearson and Raphael Satter, (c) 2025 Reuters
