This is your Cyber Sentinel: Beijing Watch podcast.
I’m Ting and if you’ve been glancing at your firewalls wondering what all the alarms are about, buckle up, because it’s Cyber Sentinel: Beijing Watch, and the last week has been a crash course in cat-and-mouse – with the cat possibly named Linen Typhoon and the mouse being, well, all of us.
Jumping right in, the big headline: Microsoft and multiple security firms just confirmed that three Chinese state-linked groups, Linen Typhoon, Violet Typhoon, and Storm-2603, have been hammering away at critical vulnerabilities in SharePoint, specifically on-premises SharePoint Server rather than the SharePoint Online service in Microsoft’s cloud. According to Microsoft, these exploits have led to actual breaches, including one at the US National Nuclear Security Administration. Yikes, right? The same NNSA responsible for the nuclear stockpile. Fortunately, the Department of Energy insists the impact was “minimal,” mostly thanks to swift detection and patching, so give it up for those SOC teams in the basement.
The attack used what’s called a zero-day, a vulnerability exploited in the wild before a patch was available to defenders. Attackers were able to run malicious code, steal credentials, and possibly open secondary pathways into ultra-high-value networks. According to Google Cloud’s Mandiant, at least one “China-nexus” threat actor moved with lightning speed, targeting not only the US government but over 100 organizations globally; universities, energy firms, even consulting companies found themselves unwilling extras in Beijing’s cyber theater. The exploit chain pairs a spoofing bug (an authentication bypass) with a remote code execution bug, tracked as CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770, for everyone who collects identifiers.
So, is it definitely China? Microsoft, Bloomberg, and others say yes, with attribution based on code signatures and C2 (Command and Control) infrastructure. The Chinese Embassy, of course, says “Hey, not us—show solid evidence, don’t smear.” Classic playbook. But the U.S. government is not buying plausible deniability; just this January, new sanctions hit Sichuan Juxinhe Network Technology for facilitating RedMike, another infamous Chinese APT group.
Industry targets? Government networks are the juiciest, but OT, the operational technology running power grids and water plants, is getting more attention than ever. The House just wrapped a hearing, nodding grimly to the fact that we’ve made painfully slow progress since Stuxnet. As cybersecurity experts highlighted, the scariest malware families now (think PIPEDREAM) are built to move across energy, manufacturing, and defense alike, all highly tempting for adversaries trying to either spy or disrupt.
Internationally, the UK is also getting hit; its National Cyber Security Centre says multiple government and business systems took fire from the same SharePoint bugs. Meanwhile, the US is mandating urgent patching across all federal agencies, with CISA setting aggressive deadlines, but an estimated 20 percent of systems remain unpatched. Attackers are focused squarely on on-premises servers; Microsoft says SharePoint Online in Microsoft 365 is not affected, so cloud tenants are in better shape for now.
Tactical implication: Patch like your digital life depends on it, because it does. Audit any SharePoint instance, especially on-site ones. Invest in behavioral analytics—so you can spot the weird logins before your crown jewels walk out the door.
Strategically, the persistent targeting of government and infrastructure by industrialized threat actors means security must move past periodic compliance: think “assume breach, detect early, respond fast.” Also, public-private sector partnerships and robust supply chain transparency aren’t just talking points, they’re survival tools now.
Thanks for tuning in, listeners. Don’t forget to subscribe for the latest on Cyber Sentinel: Beijing Watch. This has been a Quiet Please production; for more, check out quiet please dot ai.