Unveiling the Salt Typhoon: SharePoint Attacks Target Governments Worldwide (2025)

A massive cyber storm has hit governments across the globe! Security researchers have revealed that multiple Chinese hacking groups, including the infamous Salt Typhoon, exploited a critical vulnerability in Microsoft SharePoint to target government agencies, telecommunications providers, and other organizations across three continents. This is a serious wake-up call, isn't it?

Broadcom's Symantec and Carbon Black have been digging deep, uncovering additional victims and the tools used by these attackers. They've published their findings, painting a grim picture of the scope of these attacks.

The SharePoint Attack Vector

In July, Microsoft released a patch for the ToolShell vulnerability (CVE-2025-53770), a critical flaw that allowed remote code execution on on-premises SharePoint servers. But before the fix was available, Chinese attackers were already exploiting it as a zero-day, compromising over 400 organizations, including the US Energy Department.

Microsoft initially attributed the attacks to three China-based groups: Linen Typhoon (known for intellectual property theft), Violet Typhoon (focused on espionage), and Storm-2603, a suspected criminal group that used the bug to deploy Warlock ransomware.

But here's where it gets controversial... It now appears that other Beijing-based groups, including Salt Typhoon, were also involved. Salt Typhoon, known for hacking major telecommunications firms and stealing data belonging to a vast number of Americans, has been linked to these attacks.

Symantec and Carbon Black's investigation revealed that Salt Typhoon-linked attackers used the ToolShell vulnerability to breach a Middle Eastern telecom company and two African government departments shortly after the patch was released. They used Zingdoor, a backdoor written in Go, to collect system information, upload/download files, and execute commands. This same backdoor was previously seen in a cyberespionage campaign attributed to Earth Estries/Salt Typhoon. The attackers also deployed the ShadowPad Trojan and KrustyLoader, linked to the UNC5221 group, another suspected China-nexus group.

Further attacks were identified on two South American government agencies and a US university. In these cases, however, the attackers used other vulnerabilities, such as flaws in SQL servers and in Apache HTTP servers running Adobe ColdFusion, to deliver malware.

Salt Typhoon is known for using DLL sideloading to deliver malware. In a recent report, Darktrace researchers detailed this technique being used to infect a European telecom firm.

And this is the part most people miss... The attackers were likely scanning for the ToolShell vulnerability and then focusing on networks of interest, aiming to steal credentials and establish persistent access for espionage purposes. The sheer number of victims is truly alarming.

What do you think? Are these attacks a sign of escalating cyber warfare? Do you believe these attacks are isolated incidents, or part of a larger, coordinated effort? Share your thoughts in the comments below!

Author: Kerri Lueilwitz