2025-07-23

The South African National Treasury has discovered malware on its Infrastructure Reporting Model website, which is its online infrastructure reporting and monitoring system.

Treasury indicated that the issue was related to the recent attacks on SharePoint, a widely used web-based platform developed by Microsoft for collaboration and document management.

The security flaws allow hackers to access SharePoint servers and steal keys that let them impersonate users or services. This could enable deep access into compromised networks to steal confidential data.

Microsoft has issued patches to fix the vulnerabilities, but researchers cautioned that hackers may have already gained a foothold in many servers.

“Considering recent media reports since Sunday regarding security incidents affecting Microsoft platforms in the US, Treasury has requested Microsoft’s assistance,” Treasury stated.

The department said it had asked Microsoft to help identify and address any potential vulnerabilities within its ICT environment.

It also said that although it found malware within one system, its other systems and websites continue to operate normally without any disruption.

Treasury said it processes over 200,000 emails each day and blocks around 5,800 security threats – including phishing attempts, malware infections, and spam attacks.

Microsoft first confirmed that there was a critical and actively exploited vulnerability in SharePoint on Saturday, 19 July 2025.

By Sunday, it had released various fixes and began issuing patches for SharePoint to address the security flaw.

However, many systems that had already been compromised remained vulnerable to further attack.

On Tuesday, Microsoft accused Chinese state-sponsored hackers known as Linen Typhoon and Violet Typhoon of being behind the attacks. It said another China-based hacking group called Storm-2603 had also exploited the flaws.

Bloomberg reported that the number of companies and organisations compromised by the security vulnerability in SharePoint is increasing rapidly.

Eye Security, the Dutch cybersecurity company that identified an early wave of the attacks last week, estimated that hackers have breached about 400 government agencies, corporations and other groups.

Earlier in the day, Eye Security had estimated that roughly 60 entities had been hit, saying that most of the victims are in the US, followed by Mauritius, Jordan, South Africa and the Netherlands.

The real number of victims from the SharePoint exploits “might be much higher as there can be many more hidden ways to compromise servers that do not leave traces,” Eye Security’s co-owner, Vaisha Bernard, said.

“This is still developing, and other opportunistic adversaries continue to exploit vulnerable servers.”

Bernard said the organisations compromised in the SharePoint breaches include many working in government, education and technology services.

There were also smaller numbers of victims in countries across Europe, Asia, the Middle East and South America.

U.S. Nuclear Security Administration attacked

The National Nuclear Security Administration, the US agency responsible for maintaining and designing the nation’s cache of nuclear weapons, was among those breached.

Edwin Lyman, director of nuclear power safety for the Union of Concerned Scientists, said that although the National Nuclear Security Administration possesses some of the most restricted and dangerous information in the world, the networks where classified information is stored are isolated from the Internet.

“So even if those networks were compromised, I’m not sure how such information could have been transmitted to the adversaries,” said Lyman.

“But there are other categories of information that are sensitive but unclassified, that may be treated with less care and might have been exposed. This includes some information related to nuclear materials and even nuclear weapons.”

The National Institutes of Health was also impacted through the SharePoint flaws, according to reports by Bloomberg and the Washington Post.

However, a spokesperson said there was currently no indication that any information had been breached as a result of the vulnerability.

The hackers have also used the SharePoint flaws to break into systems belonging to the US Education Department, Florida’s Department of Revenue, and the Rhode Island General Assembly.

The hacks are among the latest major breaches that Microsoft has blamed, at least in part, on China and come amid heightened tensions between Washington and Beijing over global security and trade.

The US has repeatedly criticised China for campaigns that have allegedly stolen government and corporate secrets over a period spanning decades.

State-backed hackers tend to exploit major cybersecurity weaknesses, like the SharePoint vulnerability, in waves, according to Sveva Scenarelli, a threat analyst with Recorded Future.

They start with secretive, targeted hacks and then, once the vulnerability is discovered, will begin using it more indiscriminately, she said.

“Once access has been acquired, individual threat groups can then triage compromised organisations, and prioritise those of particular interest for follow-on activity,” said Scenarelli, of the cyber intelligence firm’s Insikt Group.

She said this can include finding ways to maintain access to a compromised network, burrowing deeper and setting up paths to steal sensitive information.

State-sponsored attacks on Microsoft software

Microsoft has blamed China for major cyberattacks on several occasions. In 2021, an alleged Chinese operation compromised tens of thousands of Microsoft Exchange servers.

In 2023, another alleged Chinese attack on Microsoft Exchange compromised senior US officials’ email accounts. A US government review later accused Microsoft of a “cascade of security failures” over the 2023 incident.

Eugenio Benincasa, a researcher specialising in analysing Chinese cyberattacks, said members of the groups identified by Microsoft had previously been indicted in the US for their alleged involvement in hacking campaigns.

Benincasa, who works at ETH Zurich’s Centre for Security Studies, said they are well known for their “extensive espionage”.

However, he also said the SharePoint breaches were likely being carried out by proxy groups that work with the government rather than by Chinese government agencies directly carrying out the hacking.

Private hacking companies in the country sometimes participate in “hacker for hire” operations, he added.

“Now that at least three groups have reportedly exploited the same vulnerability, it’s plausible more could follow,” he said.

“Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,” said Chinese Foreign Ministry spokesman Guo Jiakun.

“China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”

Microsoft said Linen Typhoon was first identified in 2012 and is focused on stealing intellectual property, primarily targeting organisations related to government, defence, strategic planning, and human rights.

Violet Typhoon, first observed in 2015, was “dedicated to espionage” and primarily targeted former government and military personnel, non-governmental organisations, and the media and education sectors in the US, Europe, and East Asia.

Reporting with Bloomberg.