By Catherine Yang
Eye Security, a Netherlands-based cybersecurity company that has been tracking Microsoft SharePoint attack victims, said an analysis of victims shows that nearly one-third were government-sector systems.
“From the data, it’s clear this wasn’t a random or opportunistic campaign. The attackers knew exactly what they were looking for,” Lodi Hensen, Eye Security vice president of security operations, said on July 29 in a blog post.
Microsoft identified two Chinese state-sponsored groups and a separate China-based group among the perpetrators.
Multiple U.S. agencies, including the National Nuclear Security Administration and the National Institutes of Health, have confirmed that they were subject to the mass exploit.
Out of 396 compromised systems confirmed by Eye Security’s scan of more than 27,000 SharePoint systems in the first week of the breach, education-sector systems accounted for 13 percent of the victims, second after government targets.
Eye Security said this strongly suggested an intelligence-led operation. In its initial overview of the cyberattacks, the security company noted that this was a “stealthy” operation aimed at extracting and leaking encrypted secrets, and enabled complete remote access.
The largest share of the successful attacks was against systems in the United States, which accounted for 18 percent of the victims. The East African country of Mauritius, which was recently awarded sovereignty over the Chagos Islands, where a strategically important U.S.–UK airbase sits, accounted for 8 percent of the compromised systems. Germany accounted for 7 percent of confirmed infections, and France for 5 percent. Eye Security noted that while only two organizations in Jordan were compromised, those systems experienced “an unusually high volume of attacks.”
In addition to government and education, software as a service (SaaS) providers, telecom providers, and power grids were targets of focused efforts.
“These sectors are known to hold high-value data and serve as intelligence-rich entry points into broader networks,” Eye Security stated in its blog post.
Multiple Waves of Attacks
Eye Security was the first to detect the mass exploitation of the SharePoint vulnerability on July 18.
The exploit, which was first confirmed during the Pwn2Own Berlin hacking competition in February, was originally a “zero-day” exploit, meaning a cyberattack aimed at a previously unknown software vulnerability, one that vendors had had zero days to patch.
On July 8, Microsoft patched the vulnerability behind the exploit that had been shared at the Berlin competition. The original exploit was then replicated and shared on X by a third party just days before the mass attacks began.
In a July 29 update, Eye Security counted more than 8,000 unpatched systems remaining exposed online.
Eye Security confirmed that an initial wave of attacks had happened on July 17 as a possible test phase, and the first wave of widely successful attacks was carried out at about 2 p.m. Eastern Time on July 18. A second wave followed the next morning, and multiple waves followed beginning on July 21.
Microsoft disclosed in a July 19 alert to customers that a SharePoint vulnerability was being exploited and gave guidance on how to prevent these cyberattacks. Notably, the exploit affected on-premises SharePoint servers, which are set to reach the end of their service cycle in 2026. The enterprise SharePoint Online versions were not affected.
The researchers said infections continued to rise even after Microsoft released subsequent patches, suggesting that systems compromised before they were patched remain under attacker control.
“A patch alone doesn’t eliminate an attacker who’s already inside. The delay between exploitation and remediation can be devastating—especially for mid-sized organisations without round-the-clock threat detection,” Hensen said in the blog.
Subsequent waves of attacks also broadened in targets, suggesting new attackers beyond the initial Chinese state-sponsored intelligence operation.
“In incidents like these, it’s not uncommon to see a rapid shift: Once an exploit becomes public and technical details begin to circulate, other state and non-state actors tend to follow. That includes cybercriminal groups with very different motives, especially those focused on financial gain,” Hensen wrote in the Eye Security blog.
Hensen told The Epoch Times via email that once the exploit was made public, Eye Security observed “signs of opportunistic activity by less‑sophisticated actors.”
“We observed increased mass scanning, more automated exploitation attempts, and a shift from mainly government targets to include mid‑sized businesses,” Hensen said.
Intelligence operations often hit big organizations first, and mid-sized organizations may be exposed in subsequent waves, according to the researchers, who expect the exploit to be abused in the coming weeks before organizations have patched and followed best practices to secure their systems, such as by rotating machine keys.
“Patching alone is not enough. We advise running full forensic investigations, reviewing and resetting credentials, monitoring for indicators of compromise, and preserving evidence for investigation,” Hensen said.
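The machine-key rotation the researchers recommend, as an added example that is not from the article or from Eye Security: it rotates the ASP.NET machine keys of every SharePoint web application after the patch is installed, logs what was rotated for the forensic record, and restarts IIS across the farm. It assumes an on-premises farm whose SharePoint version ships the Update-SPMachineKey cmdlet and that it is run from an elevated SharePoint Management Shell by a farm administrator.

```powershell
# Added example (not the article's or Eye Security's code). Run only after the
# SharePoint security update is installed; rotating keys on an unpatched server
# leaves the original entry point open.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Keep a timestamped record of the rotation for the incident timeline.
$log = Join-Path $env:TEMP "machinekey-rotation-$(Get-Date -Format yyyyMMdd-HHmmss).log"

foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        # Generates fresh validation/decryption keys for this web application
        # and deploys them to every server in the farm (assumed cmdlet).
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        "$(Get-Date -Format o) rotated machine key for $($webApp.Url)" |
            Tee-Object -FilePath $log -Append
    }
    catch {
        # A failed rotation means old keys may still be valid on this app; investigate before moving on.
        "$(Get-Date -Format o) FAILED for $($webApp.Url): $($_.Exception.Message)" |
            Tee-Object -FilePath $log -Append
    }
}

# Worker processes read the keys at start-up, so IIS must be restarted on every
# SharePoint server in the farm (servers with role 'Invalid' are database hosts).
foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset /noforce }
    "$(Get-Date -Format o) IIS restarted on $($server.Address)" | Tee-Object -FilePath $log -Append
}

Write-Output "Rotation log written to $log"
```

Rotation invalidates anything an intruder derived from the old keys, but it does not remove web shells or accounts already planted; the credential reset and forensic review quoted above still apply.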