
Global SharePoint Exploitation: From Chinese State-Backed Intrusions to Ransomware Escalation and Supply Chain Risk - updated


August 8, 2025

A sophisticated and multi-phase cyber campaign targeting Microsoft SharePoint Server has rapidly evolved from targeted espionage to opportunistic ransomware deployment, affecting hundreds of organizations worldwide.

Initially driven by China-linked advanced persistent threat (APT) groups exploiting a previously unknown zero-day vulnerability, the intrusions have compromised critical government, energy, academic, and private sector networks across at least 29 countries.

Recent intelligence confirms the involvement of Storm-2603, a China-attributed group with both espionage and ransomware capabilities, deploying the Warlock ransomware variant against unpatched systems. Eye Security and other researchers report over 400 actively compromised servers, including systems within U.S. federal agencies, state and local governments, and critical infrastructure providers.

Compounding the technical threat is a serious supply chain and insider risk dimension: investigative reporting has revealed that the very version of SharePoint targeted — “OnPrem” — has been maintained for years by China-based Microsoft engineers. The timing of this revelation, alongside confirmed Chinese exploitation activity, has prompted heightened scrutiny of foreign engineering access to U.S. government systems and renewed calls for transparency in software maintenance practices.
