A recent investigation has revealed that Microsoft employed China-based engineers to maintain and support SharePoint software, the same collaboration platform that was recently compromised by Chinese state-sponsored hackers.
This revelation raises significant concerns about cybersecurity practices and potential insider threats within critical infrastructure systems used by hundreds of government agencies and private companies.
The cybersecurity incident, which Microsoft disclosed last month, involved sophisticated attacks on SharePoint “OnPrem” installations beginning as early as July 7, 2025.
Chinese hackers successfully exploited vulnerabilities in the on-premises version of SharePoint, gaining unauthorized access to computer systems across multiple high-profile targets, including the National Nuclear Security Administration and the Department of Homeland Security.
The attack demonstrated advanced persistent threat capabilities, with hackers maintaining access even after Microsoft’s initial security patch on July 8.
ProPublica identified this operational arrangement from screenshots of Microsoft's internal work-tracking system, which showed that China-based engineering teams had been responsible for SharePoint maintenance and bug fixes for several years.
This discovery adds a troubling dimension to the security breach, as the same personnel tasked with maintaining the software’s integrity may have inadvertently created vulnerabilities that adversaries could exploit.
The technical scope of the vulnerability was extensive, with the U.S. Cybersecurity and Infrastructure Security Agency confirming that the exploits enabled attackers to “fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”
The attack vector allowed for remote code execution, effectively granting hackers administrative privileges over compromised systems.
Persistence and Evasion Mechanisms
The SharePoint exploit demonstrated sophisticated persistence tactics that allowed attackers to maintain access even after initial remediation efforts.
When Microsoft released the first security patch on July 8, the threat actors quickly adapted their methods to bypass the new protections, forcing the company to develop additional “more robust protections” in subsequent patches.
The persistence mechanism likely involved embedding malicious code within SharePoint’s configuration files and leveraging the platform’s extensive file system access capabilities.
Attackers could establish backdoors by modifying authentication modules or creating hidden administrative accounts within the SharePoint infrastructure. This approach enabled sustained access to sensitive government and corporate data while remaining undetected by standard security monitoring tools.
Microsoft has acknowledged the security implications and announced plans to relocate China-based support operations to alternative locations.
The company emphasized that all work was conducted under U.S.-based supervision with mandatory security reviews, though experts question whether such oversight measures adequately mitigate the inherent risks of foreign personnel handling sensitive system maintenance.