Updated 24 July 2025 at 10:46 IST

Microsoft’s SharePoint Flaw Now Tied to Ransomware Attacks as China’s Espionage Campaign Escalates

Microsoft has now revealed that one of the hacker groups tried to deploy ransomware as part of an attack chain on SharePoint servers.

Microsoft has now claimed that ransomware was also deployed as part of the attack chain on SharePoint servers. | Image: Reuters

A cyber-espionage campaign exploiting a critical flaw in Microsoft’s SharePoint Server has taken a more disruptive turn. According to a late Wednesday blog post by Microsoft, the attack chain now includes ransomware deployments—a significant escalation from earlier espionage-focused intrusions.

The company attributed the latest wave of attacks to a threat group it tracks as “Storm-2603,” which is now leveraging the unpatched vulnerability to plant ransomware payloads. Unlike traditional state-backed campaigns that prioritise stealthy data exfiltration, ransomware operations paralyse systems and demand payment in cryptocurrency—often resulting in immediate operational chaos for victims.

So far, the campaign has affected at least 400 known organisations, cybersecurity firm Eye Security reported—a fourfold jump from the 100 cases documented just days ago. But even this number may not reflect the full scale. “There are many more, because not all attack vectors have left artefacts that we could scan for,” Vaisha Bernard, chief hacker at Eye Security—one of the earliest firms to raise the alarm—was quoted as saying.

Details about most of the affected entities remain undisclosed, but the National Institutes of Health confirmed on Wednesday that at least one of its servers had been compromised, with others proactively isolated. Meanwhile, NextGov and Politico have reported that the Department of Homeland Security (DHS) and multiple other US agencies—potentially ranging from five to over a dozen—may have been impacted.


The US Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have not issued further comments on the ransomware component or the full scope of the breaches.

This widening breach stems from Microsoft’s incomplete patch for a SharePoint vulnerability first disclosed in May during a cybersecurity event in Berlin. Despite subsequent security updates, attackers have continued to exploit the flaw—now with expanded objectives.


Microsoft and Google’s parent company, Alphabet, have both indicated that the attackers include Chinese state-linked actors. China has denied involvement, stating it opposes all forms of cyberattacks and rejecting accusations without “solid evidence.”

The shift from espionage to ransomware raises the threat level not just for US institutions but also for global enterprises and governments increasingly reliant on Microsoft’s enterprise platforms. It also casts renewed scrutiny on vendor responsibility, patch management, and cyber readiness in an era where threat actors can pivot rapidly from intelligence gathering to operational sabotage.


Published By : Shubham Verma

Published On: 24 July 2025 at 10:46 IST