A new investigation has revealed that Microsoft relied on China-based engineers to provide technical support and bug fixes for SharePoint, the same collaboration software that was recently exploited by Chinese state-sponsored hackers in a massive cyberattack affecting hundreds of organizations, including sensitive U.S. government agencies.
Last month, Microsoft announced that Chinese hackers had successfully exploited vulnerabilities in SharePoint to breach the computer systems of numerous companies and government agencies, including the National Nuclear Security Administration and the Department of Homeland Security.
However, what the company failed to disclose in its announcement was that SharePoint support has been handled by a China-based engineering team for years.
According to internal Microsoft work-tracking system screenshots reviewed by ProPublica, China-based employees were recently fixing bugs for SharePoint “OnPrem” – the on-premises version of the software that was targeted in last month’s attacks.
The on-premises version is software installed and operated on customers’ own computers and servers, making it particularly vulnerable to direct manipulation.
When confronted about this arrangement, Microsoft defended its practices, stating that the China-based team “is supervised by a US-based engineer and subject to all security requirements and manager code review.”
The company also announced that “work is already underway to shift this work to another location,” though no specific timeline was provided.
While it remains unclear whether Microsoft’s China-based staff played any role in the SharePoint hack, cybersecurity experts have consistently warned about the significant security risks posed by allowing Chinese personnel to perform technical support and maintenance on U.S. government systems.
The Broader Pattern of Concern
This revelation is part of a larger pattern that has emerged regarding Microsoft’s reliance on foreign workers. ProPublica’s investigation found that for over a decade, Microsoft has depended on foreign workers – including those based in China – to maintain the Defense Department’s cloud systems.
The oversight of these foreign workers comes from U.S.-based personnel known as “digital escorts,” who often lack the advanced technical expertise necessary to effectively monitor their foreign counterparts.
The escort arrangement was originally developed by Microsoft to satisfy Defense Department officials who were concerned about foreign employees and to meet requirements that people handling sensitive data be U.S. citizens or permanent residents.
Despite these measures, the system has left highly sensitive information vulnerable due to the technical skill gap between escorts and the foreign engineers they supervise.
The revelations have prompted a significant government response. Defense Secretary Pete Hegseth launched a comprehensive review of tech companies’ reliance on foreign-based engineers to support the department.
Additionally, Senators Tom Cotton (R-Arkansas) and Jeanne Shaheen (D-New Hampshire) have written multiple letters to Hegseth, citing ProPublica’s investigation and demanding more detailed information about Microsoft’s China-based support operations.
In response to the mounting pressure, Microsoft announced it had halted its use of China-based engineers to support Defense Department cloud computing systems and was considering implementing the same change for other government cloud customers.
The timing of these revelations is particularly concerning given the scope of the recent SharePoint attack. Microsoft’s analysis showed that Chinese hackers began exploiting SharePoint weaknesses as early as July 7, 2025.
The company released an initial patch on July 8, but hackers successfully bypassed it, forcing Microsoft to issue a more robust patch with enhanced protections.
The U.S. Cybersecurity and Infrastructure Security Agency warned that these vulnerabilities enable hackers to “fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”
The attacks have also been used to spread ransomware, which encrypts victims’ files and demands payment for their release.
Impact and Future Implications
Government agencies have reported varying levels of impact from the breach. The Department of Homeland Security stated there is no evidence that data was taken from the agency, while the Department of Energy, which oversees the National Nuclear Security Administration, described the impact as “minimal” with no sensitive or classified information compromised.
Looking ahead, Microsoft has announced that beginning next July, it will no longer support on-premises versions of SharePoint, urging customers to migrate to the online version.
This transition aligns with Microsoft’s broader business strategy of promoting subscription-based services and its Azure cloud computing platform, which has significantly contributed to the company’s recent valuation milestone of becoming the second company in history to exceed $4 trillion in market value.
This investigation raises fundamental questions about the security protocols surrounding critical software infrastructure and the potential risks of international staffing arrangements in an increasingly complex cybersecurity landscape.