
July Recap: Salt Typhoon and Unsettling SharePoint Issues

State-funded hacking groups pose a significant danger to American public institutions

Summer synopsis: Salt Typhoon and SharePoint alarms

In July 2025, the United States and the United Kingdom faced significant cybersecurity threats, with two major incidents involving Chinese state-sponsored hacking groups.

The China-backed hacking group Salt Typhoon, known for its advanced persistent threat (APT) activity, remained inside a US National Guard network for over a year and may have gone undetected in other US military networks as well. This long-term intrusion exposed sensitive military and law enforcement information and could undermine the local cybersecurity defenses that protect critical infrastructure.

Simultaneously, Salt Typhoon exfiltrated over 1400 network configuration files associated with 70 US government and critical infrastructure entities across 12 sectors, including energy, water, communications, gas, and transportation. The North American Communications and Security Agency (NCCSA) and the Federal Communications Commission (FCC) have since ordered telcos to strengthen their security measures in response to these breaches.

Separately, Microsoft confirmed that multiple Chinese state-sponsored groups, including Linen Typhoon and Violet Typhoon, exploited zero-day vulnerabilities in SharePoint Server. These attacks, observed worldwide against government, critical infrastructure, universities, and the private sector, chained the zero-day with earlier vulnerabilities that had been patched on July 8, 2025. The most severe vulnerability enables full remote code execution and affects all supported versions of SharePoint Server.

Immediate patching was urged, but successful attacks have continued since the vulnerability was disclosed. Hackers are reportedly deploying ransomware in connection with the SharePoint flaw. According to the National Cyber Security Centre (NCSC), a limited number of UK firms were affected by the SharePoint attacks.

In a similar incident, the group Volt Typhoon remained undetected in the US electric grid for about a year. Together, the Salt Typhoon and Microsoft SharePoint Server incidents highlight the persistent and evolving threat that Chinese state-sponsored groups pose to critical infrastructure resilience and national security.

Immediate patching, enhanced incident response, and cross-sector cybersecurity collaboration are essential to mitigate these threats. Organizations are urged to stay vigilant and follow best practices for cybersecurity to protect against these sophisticated attacks.


  1. To bolster national security and protect critical infrastructure, political leaders should prioritize investment in modern technology and implement advanced cybersecurity measures, learning from the Salt Typhoon APT campaign and the Microsoft SharePoint Server incidents.
  2. In the aftermath of the Salt Typhoon incident, experts from general-news outlets and cybersecurity firms are calling for stronger infrastructure security, emphasizing the need for enhanced cybersecurity policies and the use of podcasts for public awareness, so that citizens have the tools to navigate an increasingly complex digital landscape.
  3. As technology advances and cybersecurity threats evolve, governments and organizations must collaborate on comprehensive strategies to safeguard critical infrastructure, especially in light of recent incidents involving Chinese state-sponsored groups, such as Salt Typhoon's intrusion into the US National Guard's network.
