Hurricane Monthly Update: Salt Typhoon and Frightening Incidents in SharePoint

State-sponsored hackers pose a significant danger to American public sector entities

In July 2025, two significant cybersecurity incidents hit the US National Guard and on-premises Microsoft SharePoint servers, with serious implications for national security and the tech sector.

First, the US Department of Homeland Security (DHS) revealed that the China-backed hacking group Salt Typhoon breached the Army National Guard networks, exposing administrative credentials and sensitive network diagrams. This breach raised concerns about potential exposure of military and law enforcement information, especially since Army National Guard units are integrated with state fusion centers responsible for cyber threat information sharing and network defense. The intrusion threatens local cybersecurity efforts protecting critical infrastructure across at least 14 states.

Second, a critical zero-day vulnerability (CVE-2025-53770) in on-premises Microsoft SharePoint servers was actively exploited starting around July 20, 2025. This unauthenticated remote code execution vulnerability, rated CVSS 9.8, allowed attackers to run arbitrary code and access all files on affected servers without credentials. The attacks, linked to the “ToolShell” attack chain and attributed to multiple China-linked APT groups, targeted sensitive data including contracts, financials, and source code. Numerous U.S. federal agencies and global organizations across sectors like energy, education, and telecom were impacted.

The implications are wide-reaching: The Army National Guard breach risks undermining state-level cybersecurity defenses critical to protecting US infrastructure, while the SharePoint zero-day compromises trust in foundational enterprise collaboration platforms, jeopardizing sensitive corporate and government data. The tech sector faces heightened urgency to patch vulnerable SharePoint servers and reassess security protocols around critical infrastructure and data-sharing hubs.

Microsoft urged users to patch the vulnerability in SharePoint servers as soon as possible, stating that hackers had been attempting to exploit this flaw since July 7. Hackers are reportedly deploying ransomware by way of the SharePoint flaw. Separately, the Federal Communications Commission (FCC) has ordered telcos to strengthen their security measures following the Salt Typhoon chaos.

The DoD report states that Salt Typhoon exfiltrated over 1400 network configuration files, affecting 70 US government and critical infrastructure entities across 12 sectors. The theft of these configuration files is considered devastating. The breach by Salt Typhoon potentially went undetected in other US military networks, and UK cyber experts are on high alert due to Salt Typhoon attacks on US telcos.

In summary, July 2025 saw coordinated large-scale cyber intrusions affecting US defense and government entities and critical enterprise platforms, emphasizing the critical need for robust, multi-layered cybersecurity strategies spanning the public and private sectors.

  1. In light of the vulnerability in Microsoft SharePoint servers and the ongoing intrusions by China-backed hacking groups like Salt Typhoon, there is a growing need for the tech sector to improve cybersecurity measures, particularly with regard to critical infrastructure and data-sharing hubs.
  2. The breach of the US Army National Guard networks by Salt Typhoon has raised concerns about the potential exposure of sensitive military and law enforcement information, as cyber threat information sharing and network defense rely heavily on state fusion centers, making podcasts about cybersecurity and its implications for infrastructure even more crucial.