In April 2025, Chinese authorities in Harbin accused the U.S. National Security Agency (NSA) of conducting sophisticated cyberattacks during the February Asian Winter Games, targeting critical infrastructure such as energy, transportation, and defense institutions in Heilongjiang province. The attacks allegedly aimed to disrupt China's information systems, incite social disorder, and steal confidential data. Chinese police named three NSA agents—Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson—as suspects and placed them on a wanted list. The University of California and Virginia Tech were also cited as being involved, though specifics were not provided. (reuters.com)
According to China's state news agency Xinhua, the NSA routed its operations through anonymous international servers and IP addresses to obscure their origin and, by Xinhua's account, exploited what it described as pre-installed backdoors in Microsoft Windows systems. The attacks intensified during the games, particularly targeting athlete registration systems and the sensitive personal data they hold. (reuters.com)
This development comes amid escalating U.S.-China tensions, including a trade war and cyber espionage accusations from both sides. While China denies involvement in offensive cyber operations, recent years have seen Beijing push back with its own accusations of U.S. cyber intrusion, including claims of NSA attacks on Chinese enterprises like Huawei. The U.S. Embassy in China has not commented. (reuters.com)
In a related incident, a widespread cyberattack exploiting two zero-day vulnerabilities in Microsoft SharePoint, known as "ToolShell" (CVE-2025-53770 and CVE-2025-53771), impacted over 50 organizations globally, including the U.S. Department of Energy and its semiautonomous arm, the National Nuclear Security Administration (NNSA). The NNSA, responsible for nuclear weapons security and counterterrorism, was affected, though no classified information is reported to have been compromised. The Energy Department reported minimal impact due to strong cybersecurity systems and cloud infrastructure. Microsoft attributed the attacks to two Chinese nation-state actors, Linen Typhoon and Violet Typhoon, targeting on-premises SharePoint servers. Microsoft has released out-of-band patches and guidance for affected users. Security experts warn that this remains an active and serious threat, with the full extent of the damage still unknown. (windowscentral.com)
Furthermore, a recent cyberattack exploiting Microsoft SharePoint vulnerabilities has affected approximately 400 organizations, a significant increase from the previously reported 100. Microsoft attributes the attack to Chinese threat groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. Among the victims are major U.S. institutions, notably the National Nuclear Security Administration, along with entities in Europe and the Middle East. The attackers used the vulnerabilities to deploy ransomware and to steal the servers' ASP.NET machine keys (the ValidationKey and DecryptionKey used to sign and encrypt ViewState); with those keys an attacker can craft validly signed ViewState payloads and regain code execution after the software patch is applied, which is why patching alone does not end the intrusion. Although Microsoft issued patches and recommended additional defenses such as the Antimalware Scan Interface (AMSI), some AMSI bypasses have been discovered, raising concerns about lingering threats. China has denied involvement, calling for evidence-based investigations. The long-term impact of the breach remains uncertain. (techradar.com)
Microsoft has confirmed that known vulnerabilities in SharePoint Server were recently exploited in active cyberattacks by suspected Chinese nation-state actors, namely Linen Typhoon, Violet Typhoon, and Storm-2603. These groups chained a spoofing vulnerability with a remote code execution vulnerability to gain access to on-premises SharePoint systems, impacting around 100 organizations, primarily in the U.S. and Germany. Notably, the U.S. National Nuclear Security Administration was among the entities breached, though no classified data was reportedly accessed. The exploited flaws (CVE-2025-49706 and CVE-2025-49704) were initially demonstrated at a Berlin hacking competition in May, and the fix Microsoft shipped in its July update failed to fully resolve them; the bypasses of that fix are the ToolShell pair tracked as CVE-2025-53770 and CVE-2025-53771. Microsoft has since issued complete patches and strongly advises all affected users to update their systems immediately. Because the patch does not undo key theft that already happened, its additional recommendations are to enable AMSI with Microsoft Defender Antivirus (or another AMSI-capable scanner) behind it, rotate the ASP.NET machine keys, restart the IIS web servers so the new keys take effect, and deploy endpoint protection. While China's embassy has denied involvement, urging evidence-based reporting, the incident recalls the 2023 compromise of Microsoft-hosted government email and raises questions about systemic vulnerabilities in government-linked infrastructure. (pcgamer.com)
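The post-patch steps listed above (confirm AMSI has a scanner behind it, rotate the machine keys, restart IIS) are what an administrator of an on-premises SharePoint farm would actually type, and they are the answer to the key-theft problem described in the previous item. The following PowerShell is an added example written for this page; it is not code from Microsoft, from the cited articles, or from any of the named threat groups. It assumes it is run in an elevated SharePoint Management Shell on each front-end server, that the farm is a version whose SharePoint snap-in exposes Update-SPMachineKey, and that the web application URL and the log path are placeholders to be replaced.

```powershell
# Added example for this page, not Microsoft's script. Assumptions: elevated
# SharePoint Management Shell on every web front-end; the URL below is a placeholder.
$webAppUrl = 'https://sharepoint.example.internal'   # assumption: replace with your web application
$logPath   = "$env:TEMP\toolshell-remediation.log"   # assumption: any writable path

function Write-Step([string]$Message) {
    $line = "{0:u}  {1}" -f (Get-Date), $Message
    $line | Tee-Object -FilePath $logPath -Append
}

# 0. Record the farm build so the patch level is in the log next to the key rotation.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Write-Step ("Farm build: " + (Get-SPFarm).BuildVersion)

# 1. AMSI only scans if a provider is registered. Defender AV registers one under
#    HKLM\SOFTWARE\Microsoft\AMSI\Providers; an empty key means "AMSI enabled" in
#    SharePoint is scanning against nothing.
$providerKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$providers = @(Get-ChildItem $providerKey -ErrorAction SilentlyContinue)
if ($providers.Count -eq 0) {
    Write-Step 'WARNING: no AMSI providers registered; install/enable Defender AV or another AMSI scanner'
} else {
    $providers | ForEach-Object { Write-Step ("AMSI provider registered: " + $_.PSChildName) }
}

# 2. Defender AV itself must be running with real-time protection for the AMSI hook to matter.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    Write-Step 'WARNING: Get-MpComputerStatus unavailable; Defender AV may not be installed'
} else {
    Write-Step ("Defender AM service enabled: {0}; real-time protection: {1}; signatures updated: {2}" -f
        $mp.AMServiceEnabled, $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureLastUpdated)
}

# 3. Rotate the ASP.NET machine keys. A stolen ValidationKey/DecryptionKey lets an
#    attacker forge signed ViewState and regain code execution after patching, so the
#    patch is not complete until the keys the attacker may hold are worthless.
$webApp = Get-SPWebApplication $webAppUrl
Update-SPMachineKey -WebApplication $webApp
Write-Step ("Machine keys rotated for " + $webApp.Url)

# 4. Restart IIS so every worker process loads the new keys instead of the old ones
#    still cached in memory. Do this on each front-end server in the farm.
& "$env:SystemRoot\System32\iisreset.exe" | ForEach-Object { Write-Step $_ }

Write-Step 'Remediation steps complete; review the log and repeat on the remaining front-end servers.'
```

Run it on every web front-end, not just one: the rotated keys are pushed to each server's web.config, but a worker process that has not been restarted keeps serving with the old keys. Keep the log; the line recording the rotation time is what you will want when deciding whether a later ViewState-based request was signed with pre- or post-rotation keys.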
Cybercriminals are increasingly collaborating with authoritarian governments such as Russia, China, and Iran to conduct cyberespionage and hacking operations against the US and its allies, according to a recent report by Microsoft. This trend of melding state-sponsored and criminal activities has raised alarms among national security officials and cybersecurity experts. For instance, an Iranian-linked hacking group infiltrated an Israeli dating site to both embarrass Israelis and make financial gains. Similarly, a Russian criminal network accessed Ukrainian military devices, likely in support of Russia's invasion of Ukraine. These collaborations provide mutual benefits: governments enhance the scale and impact of their cyber activities without incurring additional costs, while criminals find new profits and government protection. Notably, Russia, China, and Iran have also targeted American voters with misinformation campaigns. Despite the efforts of federal authorities to counter these threats, the swift adaptability of these cybercriminal networks poses ongoing challenges. (apnews.com)
In July 2021, the US led allies in a sharp condemnation of China for “malicious” cyberattacks, including a hack of Microsoft Exchange email server software that compromised tens of thousands of computers around the world earlier that year. The US justice department charged four Chinese nationals with hacking, as Washington accused Beijing of extortion and threatening national security. The Microsoft hack affected at least 30,000 US organisations including local governments as well as entities worldwide and was disclosed in March. US Secretary of State Antony Blinken accused China of being responsible and said it was part of a “pattern of irresponsible, disruptive and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security”. (theguardian.com)
China has denied allegations that it carried out a major cyber-attack against tech giant Microsoft. The US and other Western countries on Monday accused China of hacking Microsoft Exchange, a popular email platform used by companies worldwide. They said it was part of a broader pattern of "reckless" behaviour that threatened global security. China says it opposes all forms of cyber-crime, and has called the claims "fabricated". China's foreign ministry spokesman said the US had got its allies to make "unreasonable criticisms" against China. The UK, EU, New Zealand, Australia and others joined the US to accuse Chinese state-sponsored hackers.

Microsoft's Exchange system powers the email of huge corporations, small businesses and public bodies. The hack affected at least 30,000 organisations around the world. Microsoft blamed a Chinese cyber-espionage group for targeting a weakness in Microsoft Exchange, which allowed hackers to get into email inboxes. It said the group, known as Hafnium, was state-sponsored and based in China. Western security sources believe Hafnium knew Microsoft had planned to deal with the weakness, and so shared it with other China-based hackers. The sources say the hack seems to signal a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behaviour is escalating.

The UK Foreign Office said the Chinese government had "ignored repeated calls to end its reckless campaign, instead allowing state-backed actors to increase the scale of their attacks". US President Joe Biden said the Chinese government may not have been carrying out the attacks itself, but was "protecting those who are doing it. And maybe even accommodating them being able to do it". The US Department of Justice on Monday announced criminal charges against four hackers linked to China's Ministry of State Security. It said they were connected to a long-term campaign targeting foreign governments and entities in key sectors in at least a dozen countries. (bbc.com)
In July 2021, the US, UK, and EU accused China of carrying out a major cyber-attack earlier that year. The attack targeted Microsoft Exchange servers, affecting at least 30,000 organisations globally. Western security services believe it signals a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns Chinese cyber-behaviour is escalating. The Chinese Ministry of State Security (MSS) has also been accused of wider espionage activity and a broader pattern of "reckless" behaviour. China has previously denied allegations of hacking and says it opposes all forms of cyber-crime. The unified call-out of Beijing shows the gravity with which this case has been taken. Western intelligence officials say aspects are markedly more serious than anything they have seen before. It began in January when hackers from a Chinese-linked group known as Hafnium began exploiting a vulnerability in Microsoft Exchange. They used the vulnerability to insert backdoors into systems which they could return to later. The UK said the attack was likely to enable large-scale espionage, including the acquisition of personal information and intellectual property.
Source: Tech in Asia https://www.techinasia.com/news/china-accuses-us-of-cyberattacks-via-microsoft-flaw/