
Nation-State Hackers Exploit Microsoft SharePoint Flaw Compromising U.S. Agencies and Major Corporations

Aug 12th SharePoint

August 2025 | Bit by Bit 

In one of the most alarming cybersecurity incidents of the year, multiple advanced persistent threat (APT) groups believed to be affiliated with the Chinese government have exploited a zero-day vulnerability in Microsoft SharePoint, targeting unpatched, on-premises servers and compromising the systems of U.S. federal agencies, defense contractors, and enterprises across key industries. 

This sophisticated campaign, discovered by analysts at Microsoft Threat Intelligence and corroborated by the Department of Homeland Security, has been quietly infiltrating networks since at least April 2025, stealing sensitive data and remaining virtually invisible until this past month. 

At Bit by Bit, we closely monitor zero-day threats to ensure our clients stay safe. Zero-days like this are a sobering reminder of the risks tied to legacy infrastructure and delayed patching. If your organization still relies on on-prem systems like SharePoint, it may be time to talk to our cybersecurity team about secure cloud alternatives, patch management, and advanced threat detection solutions. 

What Happened? 

The breach centers around a previously unknown flaw in on-premises versions of SharePoint. While Microsoft had released patches for the issue in late spring, many organizations had not yet applied them, particularly those with aging infrastructure or decentralized IT environments. 

The exploit allowed attackers to bypass authentication protocols, gain elevated privileges, and move laterally within networks undetected. This wasn’t a “smash and grab” attack. It was slow, calculated, and designed to harvest intelligence without raising alarms. 

Cybersecurity experts identified two prolific threat actors, Linen Typhoon (formerly Hafnium) and Storm-2603, as key players behind the attack. Both groups have a history of espionage campaigns targeting Western governments, military contractors, and private-sector R&D. 

What Was Compromised? 

The breach resulted in unauthorized access to: 

  • Internal emails, chat logs, and project documentation 
  • Personally identifiable information (PII) of employees and contractors 
  • Files related to procurement, supply chain operations, and intellectual property 
  • System configurations that may be used for future exploits 

What makes this incident especially dangerous is that no ransom was demanded, suggesting the attackers were not financially motivated but instead focused on long-term surveillance and information gathering. 

Who’s at Risk? 

The scope of this attack is still unfolding, but initial reports suggest that affected parties include: 

  • Federal departments involved in infrastructure, trade, and defense 
  • Municipal agencies and school districts relying on outdated SharePoint installations 
  • Defense contractors and aerospace firms with classified or sensitive design files 
  • Healthcare systems and energy providers with critical infrastructure tied to SharePoint workflows 
  • Private corporations using SharePoint for internal document sharing and collaboration 

According to internal CISA bulletins, attackers may have also accessed Active Directory credentials, enabling deeper infiltration across networks and potentially placing downstream partners and vendors at risk. 

Why This Breach Demands Attention 

This incident is more than just a case of outdated software; it’s a clear example of supply chain vulnerability on a national scale. The attackers didn’t need to break into secure vaults or brute-force firewalls. Instead, they exploited a flaw in a widely used business tool whose patch had been overlooked, and gained unprecedented access through it. 

It’s also a sobering reminder that nation-state cyber operations are no longer isolated to governments or military entities. Businesses of all sizes, especially those with links to federal contracts or critical infrastructure, are now in the crosshairs. 

Bit by Bit Recommends 

At Bit by Bit, we’ve long advised clients to move away from aging, on-prem systems and adopt modern, cloud-first architectures with continuous threat monitoring. In light of this breach, we strongly recommend the following steps: 

  • Conduct a full audit of your legacy IT systems, starting with SharePoint, Exchange, VPNs, and any third-party tools. 
  • Deploy Endpoint Detection & Response (EDR) to monitor suspicious behavior across devices. 
  • Review and enforce patch management protocols, especially for high-risk, high-access systems. 
  • Reevaluate your vendor relationships and third-party access controls to limit your exposure. 
  • Stay informed through Microsoft and CISA bulletins and act immediately on all critical vulnerabilities. 
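As an added illustration of the audit and patch-management steps above (this is example code written for this post, not Bit by Bit's own tooling, and every hostname, product name, build number and date in it is a constructed placeholder rather than a real SharePoint or Exchange build), the script below compares a server inventory export against a bulletin feed, flags every host still below the fixed build, measures how far each one is past its patch SLA, and ranks the results so that internet-facing, domain-joined servers on a critical bulletin come first. The domain-joined weighting reflects the Active Directory credential risk described earlier in the post.

```python
"""Patch-compliance audit: inventory export vs. vendor bulletin feed.

Added example, not the blog's or Microsoft's code. The SLA policy, risk
weights, CSV layouts and all values below are assumptions for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed inventory export (placeholder hosts, products and builds).
INVENTORY_CSV = """host,product,build,internet_facing,domain_joined
sp-onprem-01,sharepoint-server,1.0.5,yes,yes
sp-intranet-02,sharepoint-server,1.0.5,no,yes
sp-onprem-03,sharepoint-server,1.0.7,yes,yes
mail-01,exchange-server,2.1.0,no,yes
"""

# Constructed bulletin feed: first build containing the fix, severity, release date.
BULLETINS_CSV = """product,fixed_build,severity,released
sharepoint-server,1.0.7,critical,2025-06-01
exchange-server,2.1.2,high,2025-06-20
"""

# Assumed patch SLA in days and risk weight, keyed by bulletin severity.
SLA_DAYS = {"critical": 3, "high": 14, "moderate": 30}
SEVERITY_WEIGHT = {"critical": 3, "high": 2, "moderate": 1}


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    build: tuple
    internet_facing: bool
    domain_joined: bool


@dataclass(frozen=True)
class Bulletin:
    product: str
    fixed_build: tuple
    severity: str
    released: date


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    severity: str
    installed: str
    fixed: str
    days_overdue: int  # negative while still inside the SLA window
    score: int


def parse_build(text):
    """Turn '1.0.10' into (1, 0, 10) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def fmt_build(build):
    return ".".join(str(part) for part in build)


def load_hosts(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Host(r["host"], r["product"], parse_build(r["build"]),
                 r["internet_facing"].strip().lower() == "yes",
                 r["domain_joined"].strip().lower() == "yes") for r in rows]


def load_bulletins(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Bulletin(r["product"], parse_build(r["fixed_build"]),
                     r["severity"].strip().lower(),
                     date.fromisoformat(r["released"])) for r in rows]


def audit(hosts, bulletins, today):
    """Return unpatched hosts, most urgent first."""
    findings = []
    for host in hosts:
        for b in bulletins:
            # Skip other products and hosts already at or above the fixed build.
            if b.product != host.product or host.build >= b.fixed_build:
                continue
            days_overdue = (today - b.released).days - SLA_DAYS[b.severity]
            # Exposure and blast radius raise the priority: internet-facing hosts
            # are reachable by the attacker, domain-joined hosts expose AD credentials.
            score = (SEVERITY_WEIGHT[b.severity]
                     + (2 if host.internet_facing else 0)
                     + (1 if host.domain_joined else 0)
                     + (1 if days_overdue > 0 else 0))
            findings.append(Finding(host.name, host.product, b.severity,
                                    fmt_build(host.build), fmt_build(b.fixed_build),
                                    days_overdue, score))
    findings.sort(key=lambda f: (-f.score, -f.days_overdue, f.host))
    return findings


def run_audit(today=date(2025, 7, 1)):
    """Audit the constructed inventory as of a constructed reference date."""
    return audit(load_hosts(INVENTORY_CSV), load_bulletins(BULLETINS_CSV), today)


if __name__ == "__main__":
    for f in run_audit():
        status = f"{f.days_overdue} days past SLA" if f.days_overdue > 0 else "within SLA"
        print(f"[{f.score}] {f.host}: {f.product} {f.installed} -> {f.fixed} ({f.severity}, {status})")
```

In a real environment the two CSV strings would be replaced by an export from your inventory or EDR console and by the vendor advisory feed, which is exactly the "stay informed through Microsoft and CISA bulletins" step; the ranking logic is what turns a bulletin into an ordered work list rather than a reading assignment.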

The Bottom Line 

This attack wasn’t flashy. There were no headlines about ransomware or ransom demands. Instead, it was a quiet infiltration, meant to observe, extract, and exploit over time. 

Cybersecurity is no longer just a technical responsibility. It’s a business continuity imperative. 

If your organization is still relying on legacy infrastructure without proactive security measures, this breach should be a turning point. The threats are real. The attackers are organized. And the consequences are growing. 

Ready to Strengthen Your Cyber Defenses? 

Cyber threats are evolving faster than ever, and as this month’s SharePoint breach shows, even widely used tools can become attack vectors overnight. Don’t wait for a wake-up call. 

Bit by Bit is offering a complimentary Cyber Risk Assessment designed to uncover vulnerabilities before attackers do. Our expert team will help you: 

  • Review your current password policies and MFA setup 
  • Evaluate your exposure to recent breaches 
  • Identify security gaps in your infrastructure 
  • Receive a custom action plan to improve your cyber resilience 

Let’s secure what matters, before someone else exploits it. 
👉 Schedule Your Free Assessment 

Final Thoughts 

The SharePoint hack is a clear sign of the times: cyberattacks are getting smarter, stealthier, and more strategic. They’re no longer just about causing chaos; they’re about quietly stealing what matters most. 

Whether you’re a public institution, a defense contractor, or a mid-sized business, the risks are real and rising. This breach reminds us that outdated systems, slow patching, and vendor blind spots can open the door to highly sophisticated threats. 

At Bit by Bit, we believe prevention starts with visibility. Don’t wait for a breach to expose the cracks in your infrastructure. Let’s work together to close the gaps, strengthen your defenses, and outpace the next wave of threats. 

The Bit by Bit Cybersecurity Team 
