SharePoint ShakeUp: China's Cyber Spies Crash the Party!

Author
Quiet. Please
Published
Mon 21 Jul 2025
Episode Link
https://www.spreaker.com/episode/sharepoint-shakeup-china-s-cyber-spies-crash-the-party--67059050

This is your Red Alert: China's Daily Cyber Moves podcast.

Today is July 21, 2025, and frankly, it’s been another scorched-earth week on the China cyber front—Ting here, and yes, I do read Chinese malware for fun. Let’s jump right into the red alert status.

Over just the past few days, CISA and the FBI have been burning the midnight oil—issuing back-to-back emergency alerts as hackers linked to the Chinese state stepped up operations against US targets. The hottest ticket in town? A zero-day exploit in Microsoft SharePoint, that Swiss Army knife of internal comms for so many agencies and companies. According to the Washington Post and confirmed by Microsoft, several US federal agencies fell victim to unauthenticated attacks, meaning hackers could waltz right in without so much as knocking, grabbing passwords, internal configs, sensitive files, and essentially running code as if they owned the place. Microsoft dropped a patch for the most common version, but for at least two others, admins are still crossing their fingers while patch teams scramble to catch up. CISA’s alert on Sunday boiled down to: “All hands on deck now, or risk your SharePoint battlefield turning into a liability nation.” They’re urging everyone to segment networks, isolate vulnerable systems, revoke all unnecessary service accounts, and basically treat every internal email like it’s pretext from Xiao the Phisher.

Meanwhile, over at Mandiant and Google’s security teams, alarms are blaring about UNC3886—a group that keeps ping-ponging between Asia and the US, laser-focused on critical infrastructure like energy grids, defense contractors, and yes, telecoms. Singapore’s national security minister called this group a “serious threat,” hitting vital services in ways that, if mirrored in the US, would trigger emergency protocols at the highest level. The Chinese embassy predictably called the allegations “groundless smears,” but UNC3886’s toolkit isn’t shy: tailored malware, credential harvesting, lateral movement across networks, and a knack for living-off-the-land by hijacking SharePoint servers as control channels. That’s not your garden-variety ransomware crew.

It doesn’t stop there. Broader analysis from Microsoft reveals a pattern: advanced persistent threat actors—think APT41 ramping up campaigns in Africa, but still active everywhere—shifting resources to probe US government, tech, and especially finance targets, using new combos of spear phishing and backdoored web shells. While China’s disinformation has mostly steered clear of the Kamala-Trump presidential cage match (unlike Russia), their cyber ops are laser-focused on the congressional down-ballot, plus direct attacks on heavyweights like Taiwan’s semiconductor industry—no surprise after those analyst breaches in Asia last week.

Here’s your escalation timeline: Last Thursday, the SharePoint exploit was spotted in the wild. Friday, attackers breached at least two US federal agency networks and several European partners. Over the weekend, CISA and FBI went live with emergency directives. Today, Monday, IT admins across the world are racing the clock to patch and rearchitect networks, while incident responders hunt for indicators of compromise stubbornly hiding in trusted Microsoft processes.

If these threats keep evolving, we’re staring down scenarios where supply chain attacks ripple into energy outages or critical financial data leaks. The most immediate priorities? Patch, monitor, lock down your internal assets—and don’t let those SharePoint “CommandHandler” web shells turn your boardroom into an open mic night for cyber espionage.

Thanks for tuning in—I’m Ting, and if you enjoy a breezy update on the darkest corners of China’s cyber playbook, make sure to subscribe. This has been a Quiet Please production; for more, check out quiet please dot ai.