Chinese state-sponsored hackers exploited vulnerabilities in Microsoft’s SharePoint software, impacting hundreds of companies and key U.S. government agencies. Microsoft acknowledged its long-standing use of China-based engineers to maintain the product.
The cyberattack, disclosed by Microsoft last month, targeted SharePoint “OnPrem,” the version installed and run on customers’ own computers and servers. Affected entities included the National Nuclear Security Administration (NNSA) and the Department of Homeland Security (DHS). Notably, Microsoft’s announcement omitted that support for SharePoint has been handled by a China-based engineering team for years.
Internal Microsoft work-tracking system screenshots reviewed by ProPublica showed China-based employees recently fixing bugs for SharePoint OnPrem. Microsoft stated this team “is supervised by a US-based engineer and subject to all security requirements and manager code review.” The company further confirmed, “Work is already underway to shift this work to another location.”
The role, if any, of Microsoft’s China-based staff in the hack remains unclear. However, significant security concerns persist due to Chinese law granting officials broad data collection authority, making it difficult for citizens or companies to refuse state requests. The Office of the Director of National Intelligence identifies China as the “most active and persistent cyber threat” to U.S. networks.
This incident follows a recent ProPublica investigation revealing Microsoft relied on foreign workers, including those based in China, to maintain the Defense Department’s cloud systems for a decade. Oversight was provided by U.S.-based “digital escorts,” but these personnel often lacked the advanced technical skills to effectively monitor their highly skilled foreign counterparts, potentially leaving sensitive data vulnerable.
ProPublica reported that Microsoft developed the “digital escort” system to address Pentagon concerns about foreign employees handling sensitive data, work that requires U.S. citizenship or permanent residency. The arrangement helped Microsoft secure substantial federal cloud computing business. The investigation also found China-based engineers maintain cloud systems for other federal departments, including Justice, Treasury, and Commerce.
In response to ProPublica’s findings and the SharePoint breach, Microsoft stated it halted the use of China-based engineers for Defense Department cloud systems and is considering the same for other government cloud customers. Defense Secretary Pete Hegseth has launched a review of tech companies’ reliance on foreign-based engineers. Senators Tom Cotton (R-Ark.) and Jeanne Shaheen (D-N.H.) demanded more information from Hegseth about Microsoft’s China-based support.
According to Microsoft’s analysis, Chinese hackers began exploiting the SharePoint vulnerabilities as early as July 7. A patch released on July 8 was bypassed by attackers, necessitating a subsequent patch with “more robust protections.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned the flaws allowed hackers “to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” and noted hackers spread ransomware using this access.
DHS stated there is no evidence data was taken from the agency. The Department of Energy, encompassing the NNSA, reported being “minimally impacted,” with spokesperson Ben Dietderich adding, “At this time, we know of no sensitive or classified information that was compromised.”
Microsoft has announced it will cease support for on-premises versions of SharePoint starting next July. The company is urging customers to migrate to the online version, which generates more revenue through subscriptions and usage of Microsoft’s Azure cloud platform. Azure’s success has significantly driven Microsoft’s market value, recently making it the second company ever valued at over $4 trillion.




