
At least three UK organizations hit by SharePoint zero-day hacking campaign

Within days of several vulnerabilities being discovered in on-premises Microsoft SharePoint servers last month, three British organizations reported to the country’s data protection regulator that hackers had exploited the bugs to compromise personal information.

The identities of the organizations are not known. The vulnerabilities set off alarms because of the prevalence of on-premises SharePoint servers among governments, large corporations, universities and other sensitive entities.

Microsoft issued an alert on July 19 about the security flaws, described by one expert as “uniquely urgent and drastic,” in which affected customers were urged either to reconfigure their systems immediately or to disconnect their SharePoint servers from the internet until a patch was available.

The vulnerabilities were rapidly exploited in so-called “ToolShell attacks” by at least two Chinese state-sponsored threat groups, who were quickly followed by another, potentially financially motivated, China-based group. It is not yet clear what links, if any, the groups might share.

On July 22, the National Cyber Security Centre said it and Microsoft had observed “a limited number” of active attacks in the United Kingdom, but did not disclose which sectors these attacks targeted. On-premises SharePoint servers are widely used across the British government and public sector.

Responding to a Freedom of Information Act request by Recorded Future News, the cyber incident and investigation team at Britain’s Information Commissioner’s Office (ICO) said that, as of July 28, it had received at least three reports of personal data breaches linked to the SharePoint vulnerabilities.

The true number of organizations in Britain that have suffered data breaches as a result of the bugs may be higher. The ICO’s casework management system has no field recording whether a breach is the result of a specific hacking campaign, and reporting organizations are not asked to provide that information.

The incidents the ICO disclosed as tied to the SharePoint vulnerabilities were manually logged as such, based on what each reporting organization said in its submission.

The ICO said some other breaches reported to it “may be related to the SharePoint vulnerability but it may not yet be clear that this is the case.”

“Similarly,” they added, “reports that suggest the SharePoint vulnerability is a factor may later be understood differently.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.