Microsoft says the SharePoint hackers have escalated their attack with ransomware

Microsoft said Wednesday that some of the hackers involved in an on-going attack on its SharePoint platform have escalated their tactics and are now using ransomware. 

The tech company said Storm-2603 — a hacker group Microsoft believes is based in China — is now using Warlock ransomware in its attack on the company’s SharePoint platform, according to an updated company blog post. 

The zero-day SharePoint attacks began on July 18 and only impacted users running the workplace file-sharing software on their own servers. SharePoint Online in Microsoft 365 wasn’t impacted by the hack. 

Microsoft has since blamed the breach on Chinese state-sponsored hackers, naming groups including Linen Typhoon, Violet Typhoon, and Storm-2603 as responsible. Those groups allegedly exploited flaws in SharePoint to break into government systems, steal credentials, and potentially maintain long-term access.

The Washington Post first reported news of the attack’s direct impact on U.S. federal and state agencies. Among the targets was the National Nuclear Security Administration (NNSA), a semi-autonomous arm of the Department of Energy responsible for everything from building nuclear warheads to dismantling them and responding to radiological emergencies, Bloomberg reported.

The Education Department, the Florida Department of Revenue, the Rhode Island General Assembly, and even national governments in Europe and the Middle East were also affected, according to Microsoft.

Microsoft said in the blog post it assesses with “high confidence” that hackers will keep exploiting certain vulnerabilities in the program in their attacks. 

The company has been the center of multiple cyberattacks from Chinese and Russian hackers over the years, in a series of events a U.S. review board called a “cascade of security failures” last year. 

- Emily Price contributed to this article.