Microsoft announced that a cyber-espionage campaign has intensified, exploiting vulnerabilities in its SharePoint server software and now incorporating ransomware attacks. The group behind this campaign, known as “Storm-2603,” exploits these security flaws to immobilise networks and demands payments in digital currency.
According to Eye Security, a cybersecurity firm based in the Netherlands, the number of victims has skyrocketed from 100 to at least 400 within just a few days.
The campaign is targeting unpatched SharePoint servers. Initially focused on data theft, it has now shifted to deploying ransomware to disrupt operations. According to a blog post by Microsoft, “Storm-2603 is exploiting the vulnerability to introduce ransomware, effectively paralysing victims’ networks.” Vaisha Bernard from Eye Security mentioned, “There are many more victims, as not all attack vectors leave traceable artefacts.”
The National Institutes of Health confirmed a server breach, isolating others as a precaution. NextGov reported that the Department of Homeland Security and five to 12 other U.S. agencies were compromised, while Politico cited breaches across multiple agencies. CISA has not commented.
The victim count surged from 100 to 400, likely underreported due to incomplete tracking. Unlike typical state-backed hacks, ransomware disrupts operations, affecting critical systems and infrastructure. The Washington Post first reported the NIH breach, highlighting the campaign’s reach into government infrastructure.
Microsoft identified the vulnerability after failing to fully patch SharePoint, prompting the need for urgent fixes. Both Microsoft and Alphabet attribute some attacks to Chinese hackers, a claim Beijing denies. Microsoft is working to address the flaw, but did not provide further details about the ransomware.
This escalation highlights the risks associated with unpatched software and the evolving tactics employed by cybercriminals. Organisations must prioritise updates and cybersecurity measures to mitigate threats.
Victim Count Comparison
| Source | Reported Victims | Date |
|---|---|---|
| Eye Security (Initial) | 100 | Weekend, July 2025 |
| Eye Security (Updated) | 400+ | July 23, 2025 |
Data sources: Eye Security, Microsoft.
The Storm-2603 campaign’s shift to ransomware amplifies its threat. With U.S. agencies under attack, urgent patches and heightened vigilance are critical to curb further damage.