
Microsoft hack spreads into SA; sensitive information at risk

By Nicola Mawson, Contributing journalist
Johannesburg, 24 Jul 2025
A Microsoft SharePoint hack has affected at least 400 companies globally.

A wave of cyber attacks targeting Microsoft’s SharePoint document management system has affected at least 400 organisations worldwide, including South Africa’s National Treasury, putting government-specific and other sensitive information at risk.

Bitdefender’s investigations detected that entities in numerous countries, including the US, Canada, Austria, Jordan, Mexico, Germany, South Africa, Switzerland and the Netherlands, have been impacted.

The National Treasury confirmed it had identified malware on its Infrastructure Reporting Model website, an online system that tracks how public funds are spent on building and maintaining infrastructure.

The impact on National Treasury could potentially expose or manipulate sensitive data about public infrastructure projects, enabling fraud, concealing corruption or disrupting service delivery. It also undermines trust in government systems, delays planning and oversight, and creates national vulnerabilities, explains ICT veteran commentator Adrian Schofield.

The hack, first identified last Friday by software security company Eye Security, has “actively compromised… more than 400 systems. Using internal telemetry, Eye Security has scanned more than 23 000 public-facing SharePoint environments,” according to its continuously updated blog.

Microsoft says two Chinese state-linked hacking groups, Linen Typhoon and Violet Typhoon, are exploiting vulnerabilities in internet-facing SharePoint servers, while a third group, Storm-2603, has used the same flaws to deploy ransomware. Investigations into other threat actors are ongoing.

The software company is releasing emergency security updates to fix the vulnerabilities and urges organisations to apply patches immediately, restart systems and improve security settings. Microsoft is working closely with government agencies, including the US Department of Defence Cyber Command, to track attackers and prevent further incidents.

Palo Alto Networks states that attackers are bypassing identity controls, such as multi-factor authentication and single sign-on, to gain privileged access. “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys,” it says.

Eye Security notes the risk is ongoing and “is not theoretical”. The first wave occurred on 17 July, followed by further attacks over the next two days, with multiple attacks on 21 July, it says.

National Treasury says its systems and websites continue to operate normally, despite the attack. Its ICT department processes more than 200 000 e-mails and handles over 400 000 user connections daily, says the finance ministry.

“On average, the ICT team successfully detects and blocks approximately 5 800 security threats directed at systems each day,” National Treasury states. These include phishing attempts, malware infections and spam attacks.

The department has isolated affected servers to assess the magnitude of the breach and secure systems. In a statement, it says it “has requested Microsoft’s assistance in identifying and addressing any potential vulnerabilities within its ICT environment”.

On 15 July, minister in the Presidency Khumbudzo Ntshavheni said government is repositioning cyber security as a core component of its national security strategy.

Schofield notes that “every company everywhere is at risk”. He states that many cyber attacks are state sponsored for intelligence gathering or political advantage. “Much of it is for illicit gain. Much of it is just because the hackers can.”

Jacqui Muller, director of IT consultancy JPanda Solutions, says the hack “underscores a growing concern. Cyber security can no longer be treated as a tick-box exercise”. She notes that AI is increasing the sophistication of cyber attacks, which now also come from “enthusiastic amateurs with access to dark web scripts”.

“The reality is stark. We can expect more of these incidents in coming months. Now is the time to invest in securing your digital estate,” Muller says. She adds that local companies “now have to sweep up the mess, which is like closing the barn door after the horse has bolted,” which is why they need independent strategies rather than relying solely on vendors.

Eye Security describes the exploit as rapidly evolving and targeted. It warns that “organisations with unpatched SharePoint servers should not wait for a fix. They should assess for compromise immediately and respond accordingly.”

According to Microsoft, Linen Typhoon, active since 2012, focuses on stealing intellectual property from government, defence and human rights organisations using known exploits.

Violet Typhoon, active since 2015, targets NGOs, think tanks and sectors like health and finance by exploiting exposed web infrastructure.

Storm-2603, a separate group, has used the same vulnerabilities to steal encryption keys and, since 18 July 2025, to deploy ransomware, though its broader objectives are unclear.
