Chinese hackers exploit Microsoft flaw to breach U.S. government agencies and global entities

07/28/2025 / By Kevin Hughes

Chinese state-affiliated hackers exploited a critical Microsoft SharePoint vulnerability (CVE-2024-6101), stealing cryptographic keys to impersonate legitimate users and infiltrate U.S. government agencies, including the National Nuclear Security Administration, as well as 400+ global organizations.
The breach affected the Department of Energy, Department of Education, state agencies and organizations worldwide, including energy firms, universities and consulting companies across Europe, the Middle East and the Americas.
Despite Microsoft’s July security patches, hackers bypassed fixes, maintaining persistence in compromised systems by stealing authentication keys. Around 100 servers in 60 organizations remained vulnerable post-patch.
Microsoft attributed the attacks to Chinese-linked groups (Linen Typhoon, Storm-2603) and urged organizations to adopt cloud-based defenses and layered security. The U.S. government criticized Microsoft’s security culture, prompting internal reforms and hires of ex-government cybersecurity experts.
The incident reflects state-sponsored cyber espionage for political and economic gain. China denied involvement, calling accusations “unfounded.” Experts stress the need for enhanced global cybersecurity amid rising sophisticated threats.

In a significant escalation of cyber warfare, Chinese state-affiliated hackers have exploited a critical vulnerability in Microsoft’s SharePoint software to infiltrate several high-profile United States government agencies, including the National Nuclear Security Administration (NNSA), which oversees America’s nuclear weapons. The breach, which began on July 18, has also affected over 400 organizations worldwide, spanning Europe, the Middle East and other regions.

Exploiting a critical vulnerability

The cyberattack took advantage of a zero-day flaw in Microsoft SharePoint, allowing the hackers to gain unauthorized access and steal cryptographic keys. These keys could potentially enable the attackers to impersonate legitimate users or services within the compromised systems. Microsoft has attributed the attacks to groups known as Linen Typhoon, Violet Typhoon and Storm-2603, all believed to have ties to the Chinese government.

TrustedSec Security Intelligence Director Carlos Perez described the exploited vulnerability as “critical” and “already being actively exploited at scale.” He emphasized that the flaw allows attackers to execute remote code on SharePoint servers, posing a severe threat to enterprise-level infrastructure.

Impact on U.S. government agencies

The U.S. Department of Energy, which includes the NNSA, confirmed that it experienced a disruption but stated that the impact was minimal due to its robust cybersecurity measures. “The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems,” a spokesman said. “A very small number of systems were impacted, and all are being restored.”

The breach also affected the U.S. Department of Education, the Florida Department of Revenue and the Rhode Island General Assembly.

Global reach and ongoing threat

The attacks did not stop at government agencies. Cybersecurity firm Eye Security revealed that the breach compromised around 400 entities globally, highlighting the widespread nature of the attack.

Energy firms, consulting companies and universities were also targeted, with breaches detected on over 100 servers across 60 different organizations. Cybersecurity researchers have identified victims in countries such as Saudi Arabia, Vietnam, Oman, the United Arab Emirates, South Africa, the European Union and the Americas.

Despite Microsoft releasing security patches in July, attackers have found ways to circumvent them. Eye Security’s Chief Hacker and Co-owner, Vaisha Bernard, explained that the vulnerabilities allowed attackers to steal authentication keys and remain inside systems even after updates and reboots. “There were ways around the patches,” Bernard said, emphasizing the persistent threat posed by these attacks.

Broader implications and Microsoft’s response

The breaches have raised concerns about the security of Microsoft’s software and its ability to protect sensitive information. The U.S. government has criticized Microsoft’s security culture, calling for urgent reforms. In response, Microsoft has been holding weekly meetings with top executives and hiring security experts, including former government officials, to bolster its defenses. (Related: US and allies condemn China for massive cyberattack against Microsoft email servers.)

Microsoft continues to urge organizations to apply all security updates, move to cloud-based systems and implement multiple layers of security to detect and prevent suspicious activity. The company has released “new comprehensive security updates” and stressed the importance of immediate action to prevent further exploitation.

International response and denials

The Chinese Embassy in Washington has rejected the claims, stating, “China firmly opposes all forms of cyberattacks and cybercrime.” The embassy emphasized the need for evidence-based conclusions rather than “unfounded speculation and accusations.”

Cybersecurity experts believe these attacks are part of a larger strategy to use business software hacks for political or economic gain. As the investigation continues, the full extent of the breach and its consequences are yet to be fully revealed.

This incident underscores the growing sophistication and global scale of cyber threats, highlighting the urgent need for enhanced cybersecurity measures and international cooperation to combat state-sponsored cyber espionage.

Follow CommunistChina.news for more news about Chinese hackers.

Watch the video below about hackers allegedly linked to the Chinese government who gained unauthorized access to several files on U.S. Treasury Secretary Janet Yellen’s computer.

This video is from the Cynthia’s Pursuit of Truth channel on Brighteon.com.