A sophisticated cyber-espionage campaign targeting unpatched Microsoft SharePoint servers has taken a troubling new turn. In a blog post published late Wednesday, Microsoft disclosed that threat actors are now using the exploited vulnerability not just for spying but also to deploy ransomware: malware that locks or paralyzes systems until victims pay a ransom in digital currency.
Microsoft attributed the attacks to a hacking group it tracks under the name "Storm-2603." According to the tech giant's "expanded analysis and threat intelligence," the group has shifted from traditional espionage tactics to actively planting ransomware into compromised systems, significantly raising the stakes for affected organizations.
This marks a major escalation in the cyber campaign, which has already impacted at least 400 organizations, as reported by Netherlands-based cybersecurity firm Eye Security. That figure is a dramatic increase from the 100 affected victims counted over the weekend. Eye Security warned the real number could be far higher, as many attack traces may go undetected.
"There are many more [victims], because not all attack vectors have left artifacts that we could scan for," said Vaisha Bernard, chief hacker at Eye Security, one of the first groups to identify the breaches.
The identities of most victim organizations remain undisclosed, but on Wednesday, a spokesperson for the U.S. National Institutes of Health confirmed that at least one of its servers had been compromised. In response, additional servers were isolated as a precautionary measure. The breach was first reported by The Washington Post.
Other reports suggest that the attack campaign has penetrated a wide array of U.S. government entities. NextGov, citing unnamed sources, reported that the Department of Homeland Security (DHS) was among the victims, along with at least five to 12 other federal agencies. Politico, quoting two U.S. officials, also confirmed that several agencies had likely been compromised.
DHS's Cybersecurity and Infrastructure Security Agency (CISA) has yet to issue a public statement regarding the reported breaches. Microsoft and Google-parent Alphabet have both linked the attacks to Chinese state-sponsored hackers, though Beijing has categorically denied any involvement.
The cyber campaign originated from a flaw in Microsoft's SharePoint server software, which the company initially failed to fully patch. That oversight triggered a wave of intrusions as threat actors rushed to exploit the lingering vulnerability.
With the transition from espionage to ransomware, the campaign now threatens not only data confidentiality but also operational continuity across government and private sector networks.

