US DHS Reportedly Breached in SharePoint Hack, Storm-2603 Confirmed via Warlock Ransomware Deployment in Separate Event

Written by:
Lore Apostol
Cybersecurity Writer

The Department of Homeland Security (DHS) is reportedly among several U.S. agencies affected by a significant cybersecurity breach in 2025, according to sources familiar with the investigation. Sources indicate that the National Institutes of Health may also be impacted.

Breach Impact 

The breach targeted on-premises Microsoft SharePoint Servers, exploiting a zero-day vulnerability to bypass authentication protocols and execute code remotely for espionage and data theft. 

Almost 100 organizations and dozens of servers were impacted by the ToolShell exploit, which chains the spoofing vulnerability CVE-2025-49706 with the remote code execution flaw CVE-2025-49704.

NextGov reported that some sources say at least five entities have been compromised, while others estimate four to five. The Cybersecurity and Infrastructure Security Agency reportedly notified more than 12 federal entities of the possible compromise.

Qatari government systems are also possibly affected, according to two people familiar with the matter.

The National Institutes of Health may also have been affected, according to The Washington Post.

Multiple people familiar with the matter told NextGov that the DHS was affected by the SharePoint incident. The department includes major operational agencies such as:

The U.S. National Nuclear Security Administration (NNSA) confirmed being compromised in a Bloomberg News report, which also talked about the Department of Education allegedly being affected.

Threat Actors

This SharePoint vulnerability exploit has been attributed to Chinese hacker groups Linen Typhoon, Violet Typhoon, and Storm-2603. However, they were not directly linked to the DHS breach.

Microsoft assessed Storm-2603 with medium confidence as a China-based actor not linked to other known Chinese groups, but associated with attempts to steal MachineKeys by exploiting SharePoint flaws and with the past deployment of Warlock and LockBit ransomware.

Starting on July 18, 2025, Microsoft observed Storm-2603 deploying Warlock ransomware, leveraging these SharePoint flaws.

These groups use stolen credentials to establish persistent backdoors, says Bob Huber, Tenable's Chief Security Officer, Head of Research, and President of Public Sector. 

“This means that even after the initial vulnerability is patched, these attackers can remain hidden inside a network, ready to launch future espionage campaigns. By the time an organisation sees evidence of a new intrusion, the damage has already been done,” Huber added.

Response and Mitigation  

Federal agencies have been advised to apply Microsoft’s recently released security patches for all affected SharePoint versions, including 2016, 2019, and the Subscription Edition.  

“The fact that hackers gained access to cryptographic keys that could allow re-entry even after patching highlights why surface-level fixes aren't sufficient when the underlying security architecture lacks depth,” commented Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer at AvePoint.
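Because the material taken was the ASP.NET machine keys, installing the patch closes the entry point but does not evict an attacker who already holds the keys; they have to be rotated as well. The PowerShell below is an added example, not code from the article or from any of the organizations quoted in it; it assumes it is run by a farm administrator in an elevated SharePoint Management Shell on a farm server whose build includes the Update-SPMachineKey cmdlet (SharePoint 2016 and later), records the farm build for the patch audit, rotates the machine key of every web application, and restarts IIS so the new keys take effect.

```powershell
# Added example: rotate SharePoint ASP.NET machine keys after patching.
# Assumes: run as a farm administrator in an elevated SharePoint Management
# Shell, on a build where Update-SPMachineKey is available (SharePoint 2016+).
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Record the farm build so the patch level can be compared with the version
# numbers in Microsoft's July 2025 SharePoint update bulletin (not reproduced here).
$farm = Get-SPFarm
Write-Host ("Farm build: {0}" -f $farm.BuildVersion)

# Rotate the machine key of every web application, Central Administration
# included, so that keys captured before the patch no longer validate.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host ("Rotating machine key for {0}" -f $wa.Url)
    try {
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
    } catch {
        Write-Warning ("Rotation failed for {0}: {1}" -f $wa.Url, $_.Exception.Message)
    }
}

# Worker processes only pick up the new keys after IIS reloads them.
& iisreset.exe
```

Restart IIS on every server in the farm, not only the one where the rotation was run, so that each front end loads the new keys.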

While the exact motive behind the attack remains unclear, experts speculate that the data breach is part of a broader campaign of state-sponsored cyber espionage. 

This marks another instance in which Chinese state-aligned hackers have targeted critical U.S. infrastructure. Recently, it was revealed that the National Guard was hacked by China's Salt Typhoon, which maintained access for almost a year.

The reported DHS SharePoint hack highlights the persistent challenges posed by nation-state actors exploiting unpatched vulnerabilities. More victims are likely to be confirmed in the coming days.

Building on that concern, Huber stressed that organizations face a broader architectural risk when they depend on a single ecosystem for both software and security enforcement:

“For on-premises software like SharePoint, which is deeply integrated into the Microsoft identity stack, there are multiple points of exposure that need to be continuously monitored in order to know, expose and close critical gaps in cyber defences. Further complicating things, many customers are using Microsoft’s security products to secure Microsoft software, creating a massive single point of failure when these types of credential breaches occur.”

He further added, “Organisations need a unified view of their entire infrastructure, which requires an exposure management platform that can integrate with all of the security tools they already use. This is the only way to see the complex attack paths before they are exploited. Given how deeply embedded Microsoft is within government infrastructure worldwide, this isn't just a corporate issue — it's become a matter of national security for dozens of countries and should be considered a top priority to address.”
