Tag: Cyberattack

  • Microsoft SharePoint Servers Hacked By Chinese Groups, Firm Says

    Chinese “threat actors” have hacked servers running Microsoft’s SharePoint document-management software and targeted the data of the businesses using it, the firm has said.

    China state-backed Linen Typhoon and Violet Typhoon, as well as China-based Storm-2603, were said to have “exploited vulnerabilities” in on-premises SharePoint servers, which organizations run themselves, but not in Microsoft’s cloud-hosted SharePoint service.

    The US tech giant has released security updates in response and has advised all on-premises SharePoint server customers to install them.

    “Investigations into other actors also using these exploits are still ongoing,” Microsoft said in a statement.

    The firm said it had “high confidence” the hackers would continue to target systems which have not installed its security updates.

    It added that it would update its website blog with more information as its investigation continues.

    Microsoft said it had observed attacks in which hackers had sent a request to a SharePoint server “enabling the theft of the key material by threat actors”.

    Charles Carmakal, chief technology officer at Mandiant Consulting, a division of Google Cloud, told the BBC it was “aware of several victims in several different sectors across a number of global geographies”.

    Carmakal said it appeared that governments and businesses running SharePoint on their own servers were the primary target.

    A number of adversaries who stole cryptographic key material were then able to regain ongoing access to the victims’ SharePoint data, he said.
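    The persistence Carmakal describes follows from how signed tokens work in general: whoever holds the signing key can mint tokens the server accepts, and patching the bug that leaked the key does not revoke the key itself. The Python below is an added illustration of that principle, not code from Microsoft or Mandiant and not SharePoint’s actual key or token format; the TokenServer class, its HMAC-SHA256 token scheme and the sample payload are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


class TokenServer:
    """Constructed example of a server that signs client-held state with an HMAC key.

    This is a generic stand-in, not SharePoint's real mechanism. The only point
    it makes is that a stolen key stays valid until the key is rotated.
    """

    def __init__(self, key: bytes) -> None:
        self.key = key

    def rotate_key(self) -> None:
        # Replacing the key invalidates every token signed under the old one,
        # legitimate and forged alike. A software patch alone never does this.
        self.key = secrets.token_bytes(32)

    def issue(self, payload: dict) -> str:
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()
        ).decode()
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def verify(self, token: str) -> Optional[dict]:
        # Returns the payload for a validly signed token, None otherwise.
        try:
            body, tag = token.rsplit(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(base64.urlsafe_b64decode(body))


def forge_with_stolen_key(stolen_key: bytes, payload: dict) -> str:
    # An attacker holding the key mints tokens the server cannot tell from its own.
    return TokenServer(stolen_key).issue(payload)


def demo() -> tuple:
    """Returns (accepted_before_rotation, accepted_after_rotation) for a forged token."""
    server = TokenServer(secrets.token_bytes(32))
    stolen = server.key  # what the attacker exfiltrated (hypothetical)
    forged = forge_with_stolen_key(stolen, {"user": "admin", "role": "site-owner"})

    accepted_before = server.verify(forged) is not None
    # Fixing the request-handling bug that leaked the key changes nothing here;
    # only rotation invalidates tokens minted with the stolen key.
    server.rotate_key()
    accepted_after = server.verify(forged) is not None
    return accepted_before, accepted_after


if __name__ == "__main__":
    print(demo())
```

    Running demo() shows the forged token accepted until rotate_key() is called, which is why rotating the key material, not only installing the security update, is what closes the door once key material has been stolen.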

    “This was exploited in a very broad way, very opportunistically before a patch was made available. That’s why this is significant,” Carmakal said.

    Carmakal said the “China-nexus actor” was deploying techniques similar to previous campaigns associated with Beijing.

    Microsoft said Linen Typhoon had “focused on stealing intellectual property, primarily targeting organizations related to government, defence, strategic planning, and human rights” for 13 years.

    It added that Violet Typhoon had been “dedicated to espionage”, primarily targeting former government and military staff, non-governmental organizations, think tanks, higher education, the media, the financial sector and the health sector in the US, Europe, and East Asia.

    Meanwhile, Storm-2603 was “assessed with medium confidence to be a China-based threat actor”.

    (BBC)

  • Major Data Leak Hits Business Registration Services: Cyber-Attack Exposes Sensitive Company Information

    The Business Registration Services (BRS) has suffered a significant data breach following a cyber-attack, potentially exposing sensitive information about private companies to the public.

    The breach, which occurred on the night of Friday, January 31, has raised serious concerns about the security of confidential data held by government agencies.

    A source close to the matter confirmed the breach, revealing that BRS executives were locked in crisis meetings for most of Saturday, February 1, to address the fallout. The source, who spoke on condition of anonymity due to restrictions on speaking to the media, suggested that the breach may have involved an internal actor.

    “We still can’t say who is behind the breach, but it looks like the intent is sabotage because the nature of the breach suggests an internal actor,” the source said.

    Data Exposed, Dark Web Links Confirmed

    The full extent of the stolen data remains unclear, but there are confirmed reports that the compromised information is being sold on the dark web, a hidden part of the internet often used for illegal activities.

    Kenya Insights has verified that the leaked data, hosted on a dark web site, includes records of all registered Kenyan companies dating back to 1967. The dump contains confidential information such as the names and contact details of company owners, directors, and beneficial owners.

    Data-Rich Target

    The BRS is one of the most data-rich entities within the Kenyan government, holding critical information on all registered companies, including their owners, beneficial owners, and directors. This data is typically accessible only through a paid service, but the breach has potentially made it available to anyone, bypassing the usual safeguards.

    The agency’s online database, which allows the public to access such information, is currently down and inaccessible. This has raised suspicions that the attackers may have deliberately taken the system offline as part of their operation.

    Additionally, the Office of the Official Receiver, which operates under the BRS, maintains records of companies in financial distress. It is feared that this sensitive data may also have been compromised in the breach.

    Motive Remains Unclear

    While the motive behind the attack is still unknown, sources indicate that authorities have ruled out ransomware as a likely cause. Ransomware attacks typically involve hackers encrypting a victim’s systems and demanding payment to restore access, often also threatening to publish stolen data unless paid. In this case, the breach appears to have been aimed at exposing sensitive information rather than financial extortion.

    Legal and Regulatory Implications

    Under Kenya’s data protection laws, organizations are required to assess the extent of any data breach, notify affected parties, and take steps to contain the situation. The BRS is expected to issue a formal statement once the full scope of the breach is understood.

    This incident marks the first major data breach involving a government entity in over a year, following a cyberattack on Kenya Airways in late 2023, which resulted in the loss of significant customer data.

    UPDATE: BRS Confirms Data Breach, Investigation Underway

    The BRS has officially confirmed reports of a data breach affecting its company registry database.

    In a statement on Sunday, February 2, BRS Director General Kenneth Gathuma acknowledged the breach and stated that the agency had initiated an immediate response.

    “Upon receiving this information, we immediately activated our Incident Response Plan, launched a comprehensive investigation, and notified the relevant regulatory authorities,” the statement read.

    BRS further stated that its cybersecurity experts are working closely with law enforcement, investigative agencies, and cybersecurity partners to determine the extent of the breach and implement necessary containment measures.

    “Our cybersecurity experts, in collaboration with our cybersecurity partner, law enforcement, and investigative agencies, are assessing the scope of the incident, determining any potential impact, and implementing necessary containment and mitigation measures,” the agency added.

    However, BRS noted that it is still in the process of verifying the details of the breach, including the nature and impact of any compromised data.

    “At this stage, we are still verifying the details of the alleged breach, including the nature and extent of any compromised data,” the statement continued.

    The agency assured stakeholders that affected parties would be directly engaged once the investigation is concluded.

    Strengthening Security Measures

    To mitigate further risk, BRS has implemented additional security measures to reinforce its cybersecurity infrastructure and prevent future incidents.

    Additionally, the agency has pledged to maintain transparency throughout the investigation process, promising regular updates to the public and business stakeholders.

    “Once the investigation is complete, we will provide an update and directly engage with any affected parties,” BRS stated.

    BRS has also called for cooperation from all relevant parties as it works toward a swift resolution.

    “We want to assure all stakeholders that the security and integrity of the company registry remain our top priority. As a precautionary measure, we have strengthened our security protocols to safeguard our systems and prevent future incidents,” added Director General Gathuma.

    The investigation is ongoing, with further updates expected as new information becomes available.

  • DeepSeek Hit By Cyberattack As Users Flock To Chinese AI Startup

    Chinese startup DeepSeek said on Monday it will temporarily limit registrations due to a cyberattack after the company’s AI assistant amassed sudden popularity.

    The startup earlier in the day was also hit by outages on its website after its AI assistant became the top-rated free application available on Apple’s App Store in the United States.

    The company resolved issues relating to its application programming interface and users’ inability to log in to the website, according to its status page. The outages on Monday were the company’s longest in around 90 days and coincided with its sky-rocketing popularity.

    DeepSeek last week launched a free assistant it says uses less data at a fraction of the cost of incumbent players’ models, possibly marking a turning point in the level of investment needed for AI.

    Powered by the DeepSeek-V3 model, which its creators say “tops the leaderboard among open-source models and rivals the most advanced closed-source models globally”, the artificial intelligence application has surged in popularity among U.S. users since it was released on Jan. 10, according to app data research firm Sensor Tower.

    The milestone highlights how DeepSeek has left a deep impression on Silicon Valley, upending widely held views about U.S. primacy in AI and the effectiveness of Washington’s export controls targeting China’s advanced chip and AI capabilities.

    Technology stocks were hammered on Monday, sending the shares of Nvidia and Oracle plummeting.

    AI models from ChatGPT to DeepSeek require advanced chips to power their training. The Biden administration has since 2021 widened the scope of bans designed to stop these chips from being exported to China and used to train Chinese firms’ AI models.

    However, DeepSeek researchers wrote in a paper last month that the DeepSeek-V3 used Nvidia’s H800 chips for training, spending less than $6 million.

    Although this detail has since been disputed, the claim that the chips used were less powerful than the most advanced Nvidia products Washington has sought to keep out of China, as well as the relatively cheap training costs, has prompted U.S. tech executives to question the effectiveness of tech export controls.

    Little is known about the company behind DeepSeek, a small Hangzhou-based startup founded in 2023, when search engine giant Baidu released the first Chinese AI large-language model.

    Since then, dozens of Chinese tech companies large and small have released their own AI models, but DeepSeek is the first to be praised by the U.S. tech industry as matching or even surpassing the performance of cutting-edge U.S. models.

  • Hackers Breach Israel’s Defense Ministry Computers, Steal Sensitive Information For Sale

    A hacker group claimed to have breached the Israeli Defense Ministry’s computers and obtained sensitive information.

    Security sources confirmed to Israel Hayom daily on Tuesday that there had been indeed a breach into the ministry’s computers.

    The hacker group that made the claims on Telegram asserted that it had successfully accessed data from the Defense Ministry’s computer systems, the daily added.

    Among the documents allegedly belonging to the Defense Ministry were “communications and orders,” which the hackers offered for sale for 50 bitcoins (about $3.45 million).

    Moreover, the Israeli daily reported that the hackers had obtained extensive data but would only consider selling it if Israel agreed to release 500 Palestinian prisoners.

    Security sources confirmed to Israel Hayom daily that the breach of the ministry’s systems had occurred, but they did not specify whether the stolen data was sensitive.