https://www.propublica.org/article/microsoft-sharepoint-hack-china-cybersecurity

The Microsoft headquarters in Redmond, Washington. Credit: Greg Kahn, special to ProPublica
Microsoft Used China-Based Engineers to Support Product Recently Hacked by China
Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in its popular SharePoint software but didn’t mention that it has long used China-based engineers to maintain the product.
by Renee Dudley, Aug. 1, 2025, 3:15 p.m. EDT

Series: Zero Trust: Inside Microsoft’s Cybersecurity Failures
Last month, Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in SharePoint, the company’s widely used collaboration software, to access the computer systems of hundreds of companies and government agencies, including the National Nuclear Security Administration and the Department of Homeland Security.
The company did not include in its announcement, however, that support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for years.
ProPublica viewed screenshots of Microsoft’s internal work-tracking system that showed China-based employees recently fixing bugs for SharePoint “OnPrem,” the version of the software involved in last month’s attacks. The term, short for “on premises,” refers to software installed and run on customers’ own computers and servers.
Microsoft said the China-based team “is supervised by a US-based engineer and subject to all security requirements and manager code review. Work is already underway to shift this work to another location.”
It’s unclear if Microsoft’s China-based staff had any role in the SharePoint hack. But experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government systems can pose major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”
ProPublica revealed in a story published last month that Microsoft has for a decade relied on foreign workers — including those based in China — to maintain the Defense Department’s cloud systems, with oversight coming from U.S.-based personnel known as digital escorts. But those escorts often don’t have the advanced technical expertise to police foreign counterparts with far more advanced skills, leaving highly sensitive information vulnerable, the investigation showed.
ProPublica found that Microsoft developed the escort arrangement to satisfy Defense Department officials who were concerned about the company’s foreign employees, and to meet the department’s requirement that people handling sensitive data be U.S. citizens or permanent residents. Microsoft went on to win federal cloud computing business and has said in earnings reports that it receives “substantial revenue from government contracts.” ProPublica also found that Microsoft uses its China-based engineers to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce.
In response to the reporting, Microsoft said that it had halted its use of China-based engineers to support Defense Department cloud computing systems, and that it was considering the same change for other government cloud customers. Additionally, Defense Secretary Pete Hegseth launched a review of tech companies’ reliance on foreign-based engineers to support the department. Sens. Tom Cotton, an Arkansas Republican, and Jeanne Shaheen, a New Hampshire Democrat, have written letters to Hegseth, citing ProPublica’s investigation, to demand more information about Microsoft’s China-based support.
Microsoft said its analysis showed that Chinese hackers were exploiting SharePoint weaknesses as early as July 7. The company released a patch on July 8, but hackers were able to bypass it. Microsoft subsequently issued a new patch with “more robust protections.”
The U.S. Cybersecurity and Infrastructure Security Agency said that the vulnerabilities enable hackers “to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.” Hackers have also leveraged their access to spread ransomware, which encrypts victims’ files and demands a payment for their release, CISA said.
A DHS spokesperson said there is no evidence that data was taken from the agency. A spokesperson for the Department of Energy, which includes the National Nuclear Security Administration, said in a statement the agency was “minimally impacted.”
“At this time, we know of no sensitive or classified information that was compromised,” the spokesperson, Ben Dietderich, said.
Microsoft has said that, beginning next July, it will no longer support on-premises versions of SharePoint. It has urged customers to switch to the online version of the product, which generates more revenue because it involves an ongoing software subscription as well as usage of Microsoft’s Azure cloud computing platform. The strength of the Azure cloud computing business has propelled Microsoft’s share price in recent years. On Thursday, it became the second company in history to be valued at more than $4 trillion.
Doris Burke contributed research.
Renee Dudley
I am a ProPublica reporter focused on technology, cybersecurity and business.