Digital state crime: China unleashes its "liminal warfare" against the West, with the SharePoint attack the latest scar - Analysis
- Gabriele Iuvinale
- 26 July
- Reading time: 22 min
Beijing's shadow extends into a ruthless cyberwarfare: the devastating attack on Microsoft SharePoint, which compromised hundreds of global organizations, including the U.S. National Nuclear Security Administration, is just the latest brutal offensive. China, a true rogue cyber superpower, is systematically undermining the world's digital defenses, posing an existential threat to global security and the global economy with its relentless "liminal warfare".
The global geopolitical landscape is increasingly defined by a ruthless struggle for technological supremacy, where cyberspace has devolved into a crucial, clandestine battlefield. The latest wave of devastating offensives, chillingly orchestrated by hacker groups inextricably linked to the Chinese state, has brutally exploited critical vulnerabilities in Microsoft's SharePoint software, compromising hundreds of government and private organizations worldwide. This calculated attack, which has already breached over 400 entities, including the paramount U.S. National Nuclear Security Administration (NNSA), and sent urgent alerts reverberating through the Italian National Cybersecurity Agency (ACN), is far from an isolated incident. Instead, it represents yet another chilling chapter in a prolonged, relentlessly aggressive cyberwarfare campaign that is fundamentally reshaping the boundaries of competition between the United States and China. In this escalating conflict, the brazen theft of vital secrets, the relentless pursuit of strategic advantages, and the deliberate destabilization of digital infrastructures have been weaponized as instruments of raw power.

As chillingly detailed in the new report “BEFORE VEGAS” by Eugenio Benincasa (CSS, ETH Zürich), China has achieved a "meteoric rise" to global cyber power, ruthlessly orchestrating an aggressive cyber espionage campaign through its intelligence agencies and private contractors. This grim reality was starkly confirmed in 2023 by Christopher Wray, then director of the FBI, who unequivocally declared that China's digital strategy was "bigger than that of every other major nation combined." This is no mere conventional conflict; it is an insidious "Liminal War": an incremental, pervasive, and utterly unforgiving conflict, where every sector, from political governance to economic stability, from critical national infrastructure to the systematic theft of intellectual property, has been transformed into a global battlefield. At the malevolent heart of this audacious vision lies the perversion of China's "red hackers," infamously known as Honkers (红客, Hong Ke), whose origins, transformations, and current chilling integration with the state apparatus have been meticulously unveiled in Benincasa's report.
Beijing has brazenly forged a doctrine of "Liminal Warfare" that seamlessly integrates political espionage, outright sabotage of critical infrastructure, and the systematic, planetary-scale theft of intellectual property. This audacious program, chillingly catalyzed by Edward Snowden's revelations in 2013 and the ominous advent of Xi Jinping, relentlessly absorbs elite cyber-talents. These individuals are forged in an increasingly sophisticated and militarized ecosystem, starkly exposing the ubiquitous threat and China's unwavering will to redefine global balances through sheer cyber dominance. China aggressively employs integrated computer network operations, electronic warfare, and a panoply of economic, diplomatic, legal, intelligence, psychological, military deception, and security tactics. Its objective: to systematically weaken sovereign states, ensnare them in economic dependence on Beijing, and render them more receptive to a tyrannical new world order, stamped with distinct Chinese authoritarian characteristics. This insidious approach is chillingly consistent with the "Liminal Warfare" concept, an incremental, all-encompassing conflict where the spectrum of confrontation with the West is so vast that the battlefield is ubiquitous and the war is total, as chillingly described in the 1999 book Unrestricted Warfare by two PLA colonels.
Previous, highly damaging attacks have already brutally demonstrated the sheer sophistication and expansive scale of Chinese operations. Among the most notorious are the devastating Microsoft Exchange server breach in 2021, which catastrophically compromised over 250,000 servers globally, and for which Microsoft unequivocally identified a Chinese government-sponsored group known as Silk Typhoon (or APT17). Equally alarming was the brazen theft of thousands of emails from senior U.S. government officials in 2023. These attacks not only plunder invaluable data but frequently enable the clandestine installation of persistent backdoors through the illicit extraction of cryptographic keys, thereby guaranteeing attackers long-term, unauthorized access to ruthlessly compromised systems. The latest assault on SharePoint merely intensifies this grim pattern, dramatically escalating the sense of vulnerability and reinforcing the perception of a relentless, systemic threat.
While the U.S. continues to bear the brunt of these attacks, Italy, the United Kingdom, France, and other European nations now find themselves squarely within the rapidly expanding and deeply concerning reach of these cyber criminals. Strategic sectors such as financial services, business services, and consumer goods are increasingly becoming prime targets in this digital onslaught.
The SharePoint attack in detail: vulnerability and speed of exploitation
The complex, unfolding narrative of this attack began in May, when Vietnamese researcher Dinh Ho Anh Khoa from Viettel starkly exposed a SharePoint vulnerability at the Pwn2Own security conference in Berlin. This event, intended to reward ethical disclosure, provided Microsoft with a critical window to respond. The company released an initial patch on July 8, but this fix proved catastrophically ineffective, allowing relentless hackers to bypass it with alarming ease. This initial failure tragically opened a gaping opportunity for the aggressors.
The situation spiraled further into crisis as the suspicious timing of the breaches became starkly apparent. Members of the Microsoft Active Protection Program (MAPP)—an initiative ostensibly designed to provide early vulnerability information to security partners—were ominously informed of the bugs on June 24, July 3, and July 7. Crucially, on July 7 itself, Microsoft disturbingly detected the very first exploit attempts by Chinese hackers, a mere day before the public release of the patches. This disturbingly close temporal coincidence ignited strong suspicions of a potential leak from MAPP. Dustin Childs of Trend Micro (Pwn2Own organizer) openly and damningly suggested that "the most likely scenario is that someone in the MAPP program used that information to create the exploits". If confirmed, such a treacherous breach within a program meant for sensitive information sharing would represent a devastating betrayal of trust and severely cripple the effectiveness of collective defenses, cynically transforming a protection tool into a potent weapon for adversaries. This would not be an isolated incident: over a decade ago, Microsoft was compelled to expel Hangzhou DPTech Technologies Co., Ltd., a Chinese company, from the program for a similar, egregious breach.
The exploited vulnerabilities, tracked under CVE-2025-53770 and carrying a critical CVSS v3.x score of 9.8, brazenly allow attackers to forge authentication credentials and execute arbitrary code remotely on servers. This severe vulnerability is rooted in the deserialization of untrusted data within the ASP.NET framework, a core component used by SharePoint. The attack, shockingly, does not require authentication. It is conducted via meticulously crafted HTTP POST requests directed at the resource /_layouts/15/ToolPane.aspx?DisplayMode=Edit. This specific page, intended for displaying and modifying SharePoint Web Parts, contains a hidden field named __VIEWSTATE. If the server does not rigorously sign and validate this field, a malicious actor can submit a devastating payload that, once deserialized by the server, enables the execution of arbitrary, hostile code on the affected system. The public availability of a Proof of Concept (PoC) for this critical vulnerability online has only catastrophically accelerated the unchecked spread of these attacks.
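As an added defensive illustration (not code from this article, from Microsoft, or from any of the firms it cites), the following Python script hunts an IIS W3C access log for the request shape just described: an unauthenticated POST to ToolPane.aspx with DisplayMode=Edit. The log lines, the field order, the client addresses and the placeholder user names are constructed for the example and assume the default IIS W3C field layout.

```python
"""Hunt IIS W3C access logs for unauthenticated POSTs to ToolPane.aspx with
DisplayMode=Edit, the request shape used against CVE-2025-53770.

Added defensive example. SAMPLE_LOG is constructed, not real telemetry; the
column layout follows the default IIS W3C format (a '#Fields:' header names
the columns and '-' marks an empty value)."""
from dataclasses import dataclass
from urllib.parse import unquote_plus

TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"

# Constructed sample log: one normal GET, two anonymous POSTs from the same
# external address, and one authenticated POST from an internal admin.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 21:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-18 21:04:37 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 540
2025-07-18 21:05:02 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode=Edit 443 - 203.0.113.7 python-requests/2.32 - 500 0 0 89
2025-07-18 21:06:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.30 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 300
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    status: int
    authenticated: bool
    user_agent: str


def parse_w3c(log_text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue            # directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue            # malformed line: skip rather than guess
        yield dict(zip(fields, values))


def is_toolpane_edit(entry: dict) -> bool:
    """Match POST /_layouts/15/ToolPane.aspx with DisplayMode=Edit.

    Path and query are URL-decoded and lower-cased first, because IIS and
    SharePoint resolve both case-insensitively, so an attacker can vary the
    casing without changing what the server does."""
    if entry.get("cs-method", "").upper() != "POST":
        return False
    stem = unquote_plus(entry.get("cs-uri-stem", "")).lower()
    if not stem.endswith(TOOLPANE_STEM):
        return False
    query = unquote_plus(entry.get("cs-uri-query", "")).lower()
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return params.get("displaymode") == "edit"


def find_hits(log_text: str) -> list[Hit]:
    """Return every matching request, authenticated or not."""
    hits = []
    for e in parse_w3c(log_text):
        if not is_toolpane_edit(e):
            continue
        hits.append(Hit(
            timestamp=f"{e['date']} {e['time']}",
            client_ip=e.get("c-ip", "-"),
            status=int(e.get("sc-status", "0")),
            # IIS logs '-' for cs-username when the request was anonymous.
            authenticated=e.get("cs-username", "-") != "-",
            user_agent=e.get("cs(User-Agent)", "-"),
        ))
    return hits


def triage(hits: list[Hit]) -> list[Hit]:
    """Keep only anonymous requests: the exploit needs no credentials, so an
    unauthenticated POST to this page is the signal. A 200 response means the
    server accepted the request and that host needs forensic review."""
    return [h for h in hits if not h.authenticated]


if __name__ == "__main__":
    for h in triage(find_hits(SAMPLE_LOG)):
        print(f"{h.timestamp} {h.client_ip} status={h.status} ua={h.user_agent}")
```

Authenticated editors do legitimately POST to this page, so the authenticated hits are kept separately for context rather than dropped outright.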
The scope and targets of the offensive: who is affected and why
The sheer scale of this attack is staggering and continues to expand its malicious reach. The Dutch cybersecurity firm Eye Security has laid bare the vast extent of the compromise, chillingly detecting "unusual activity" on a client's on-premises SharePoint server as early as the evening of July 18. A subsequent forensic scan of over 8,000 publicly accessible SharePoint servers worldwide horrifyingly revealed dozens of compromised systems, confirming a "coordinated mass exploitation campaign". The overwhelming majority of victims are located in the United States, a damning statistic that underscores the distinctly strategic and deeply targeted nature of this espionage operation.
Among the most critically impacted victims is the U.S. National Nuclear Security Administration (NNSA), the agency entrusted with overseeing nuclear weapons, as grimly reported by Bloomberg. This particular compromise, alongside the previously confirmed breach of the Department of Energy, starkly highlights a clear and chilling intent by the attackers to target assets absolutely fundamental to U.S. national security and its critical infrastructure. Eye Security's ominous warning that the number of victims "could continue to increase as investigations progress" resonates as a sinister prophecy, indicating an ongoing and uncontained campaign.
Microsoft has identified three distinct hacker groups that have actively and ruthlessly exploited the on-premises SharePoint vulnerabilities:
- Linen Typhoon: This group, chillingly backed by the Chinese state, is notoriously and demonstrably focused on intellectual property theft. Since 2012, it has systematically targeted key organizations in government, defense, strategic planning, and human rights. Its relentless persistence and malicious objectives starkly mirror China's long-term, predatory strategy to acquire critical technological know-how and illicit economic advantages.
- Violet Typhoon: This actor, also undeniably linked to the Chinese state, has been dedicated to espionage since 2015. Its targets are alarmingly broad and include former government and military personnel, non-governmental organizations (NGOs), think tanks, higher education institutions, digital and print media, and financial and healthcare sectors across the U.S., Europe, and East Asia. This attack profile conclusively points to a 360-degree, all-encompassing interest in wide-scale intelligence gathering, which can be maliciously wielded to influence policies, economic decisions, and the strategies of adversaries.
- Storm-2603: Microsoft cautiously expresses "medium confidence" that this third group is based in China, although it has not yet established direct, firm links to other known Chinese threat actors. This could indicate the unsettling emergence of new, unidentified actors in the Chinese cyber landscape or a deliberate, sophisticated diversification strategy designed to evade unambiguous attribution.
The Chinese cyber power: anatomy of a state force for digital dominance
To truly grasp the horrifying scope of attacks like the one on SharePoint, it is absolutely essential to dissect the doctrine and terrifying organization of Chinese cyber power. The People's Republic of China (PRC) has consistently and ruthlessly worked to dramatically improve its cyberwarfare capabilities over the past decades, particularly within the armed wing of the Chinese Communist Party (CCP), the People's Liberation Army (PLA). The CCP's openly declared, ominous goal is to become a "cyber superpower", and China is chillingly well on its way to achieving that goal. CCP leaders possess an uncomfortably clear understanding of the cyber domain and how to exploit cyber power to achieve existing strategic goals—particularly those related to pervasive domestic surveillance, aggressive defense, absolute information dominance, illicit economic growth, control over technical standards, and, most importantly, formidable offensive capabilities. Cyberspace is a disturbingly prioritized domain in China's rhetoric, regulation, and aggressive actions.
The roots of the "Honkers": from self-taught patriotism to state integration
The chilling dawn of Chinese hacker culture, as meticulously documented in Eugenio Benincasa's report, ominously coincides with China's official connection to the Internet on April 20, 1994, via a dedicated data transmission line through the U.S. telecommunications company Sprint. A mere few months later, China Telecom launched ChinaNet, ushering in public Internet services. Universities, disturbingly, played a pioneering role, with the creation, also in 1994, of networks such as the China Education and Research Network (CERNET) and the Chinese Academy of Sciences' CSTNET, which connected academic institutions and ominously promoted knowledge sharing among students and researchers years before widespread public Internet access. These university environments became veritable "incubators" for hackers, fostering technical experimentation and the emergence of a menacingly native hacker culture.
Initially, these hackers were largely self-taught technology enthusiasts who coalesced on bulletin boards (BBSs) and early websites to illicitly exchange tips on programming, network security, and hacking techniques. Early efforts were fragmented and lacked formal group structure. They heavily relied on foreign malware, such as the infamous "Back Orifice" Trojan released at DEFCON in 1998, to maliciously send spam and perform Distributed Denial-of-Service (DDoS) attacks. The true, pivotal turning point, however, occurred between 1998 and 2001, a period chillingly defined by a series of "patriotic cyber wars" that solidified the collective identity of Chinese hackers. Incidents such as the violent riots against ethnic Chinese communities in Indonesia in 1998 and the heinous bombing of the Chinese Embassy in Belgrade by the United States in 1999 inflamed waves of rabid nationalism and seething anger. In response, Chinese hackers brazenly organized themselves, creating the "Chinese Hacker Emergency Conference Center" (中国黑客紧急会议中心) and launching coordinated, aggressive operations, including website defacements and DoS attacks against Indonesian government targets. The Belgrade event, in particular, spurred the rapid and menacing formation of the "Red Hacker Alliance" (RHA), a broad, intimidating coalition of groups including the Honker Union of China (HUC) and the Green Army. The term "Honker" (红客) became a common, ominous reference for patriotic hackers, a label still used today to describe the act of patriotic hacking. These Honkers are best categorized as "hacktivists," individuals who wickedly use digital tools to promote political or social causes. Their activities were largely and disturbingly aligned with Beijing's geopolitical interests, relentlessly targeting entities in the U.S., Taiwan, and Japan.
While tens of thousands of members are often cited, such as the alleged 80,000 of the Honker Union or the 3,000 of the Green Army, Benincasa's report unequivocally clarifies that these figures masked a crucial distinction between a small, highly effective "core" of active members and a much larger base of registered users on the forums. Gong Wei (Goodwell), founder of the Green Army, cited only 40 core members, while some sources disturbingly suggested that the core of the Honker Union consisted of only eight. These core members were solely responsible for technical operations and strategic decisions, possessing significantly higher levels of technical skill than the larger registered user base, who primarily engaged in passive forum discussions.
The evolution and professionalization: from "learning by doing" to the modern offensive ecosystem
For Chinese hackers in the early 2000s, the glaring lack of formal educational pathways for developing technical skills was a significant obstacle. Chinese universities offered a paltry few dedicated cybersecurity programs, and the infrastructure for practical training, such as Capture the Flag (CTF) competitions or bug bounty programs, was either scarce or nonexistent. In this institutional void, hacker groups disturbingly transformed into de facto training academies. Collectives such as the EvilOctal Security Team, the Green Army, and the China Eagle Union established structured, self-managed communities chillingly focused on collaboration, illicit knowledge sharing, and skills development. For many, the outright hacking of real targets became the primary, illicit means of gaining practical experience. A key, nefarious influence on this first generation was Taiwanese hacker Lin Zhenglong (林正龙), known online as "coolfire." His "Hacker Entry-Level Tutorial Series" (黑客入门教程系列), published in 1995 and consisting of eight articles, became the first structured, clandestine hacker training resource available in Chinese, profoundly influencing key figures such as Wang Yingjian (Casper) of Xfocus and Gong Wei (Goodwell) of the Green Army. His sinister philosophy of "defense through offense", the malevolent idea that mastering offensive techniques was crucial to understanding and improving one's defensive capabilities, together with an informal ethical code focused on illicit learning, chillingly shaped an entire generation.
Between 1997 and 2002, the Chinese hacker community began aggressively developing its own offensive tools. Initially reliant on foreign malware such as the infamous "Back Orifice" Trojan released at DEFCON in 1998, Chinese hackers rapidly created "Glacier", the first domestic remote access Trojan (RAT), developed by Huang Xin (glacier) in 1999, and "X-Scan", a network vulnerability scanner developed in 2000 by Huang Xin and Yang Yong (coolc) that is still widely used today and praised as "the brainchild of many hackers in China". These tools disturbingly lowered the barrier to entry for aspiring hackers and marked a sinister turning point, leading to the creation of a distinctive domestic ecosystem and a stark departure from Western hacker culture. Crucially, around the mid-2000s, there was an alarming shift towards the exploitation of zero-day vulnerabilities, signaling the menacing emergence of a distinctly Chinese approach to developing offensive cyber capabilities.
Talent identification was often informal and driven by clandestine personal networks. Conferences like XCon, founded in 2002 by Wang Yingjian (casper) of Xfocus and ominously modeled after international events like DEFCON, became crucial platforms for illicit skills demonstration and informal recruitment. Even state agencies, such as the PLA, began unethically using hacking competitions to evaluate and recruit qualified individuals, as in the 2005 case of Tan Dailin (wicked rose), who was recruited by the Sichuan Military Command for an attack-defense competition. Benincasa's report introduces the chilling concept of the "Red 40," a group of 40 highly influential individuals selected from the approximately 200 core members of the most important hacker groups. These individuals have played significant and nefarious roles in the evolution of China's cyber landscape over the past two to three decades, founding groups, launching patriotic campaigns, and developing key tools, before ominously assuming senior positions in government and industry.
The gradual demise of the Honker groups era was influenced by a confluence of factors: the decline of large-scale politically motivated attacks, the dissolution or transformation of many groups, the launch of the first commercial initiatives, and a tightening of the Chinese regulatory framework. The Chinese government, which had initially tolerated the Honkers' activities as they deceptively promoted national unity without direct involvement in international conflicts, began to show profound discomfort with the lack of oversight and the dangerous unpredictability of these actions. As early as May 1, 2001, following the China-U.S. "Cyber War," the People's Daily (人民日报), the official mouthpiece of the Chinese Communist Party, outright condemned the young hackers' campaigns as "unforgivable" and akin to "web terrorism." In 2002, the head of the Internet Society of China issued a statement via Xinhua News Agency formally opposing cyber operations launched by any organization or individual "for any reason and in any form."
Facing these mounting pressures, many groups began to fragment or ominously reinvent themselves. The decline of hacker activism chillingly coincided with the rampant rise of China's cybercrime industry, which expanded rapidly in the mid- to late-2000s. In the glaring absence of a mature cybersecurity industry, some former patriotic hackers disturbingly turned to illicit activities, including the outright sale of malware, the commission of banking fraud, and online gambling scams. This period marked a sinister transitional phase between the decline of grassroots hacker activism and the emergence of a more organized cybersecurity industry, which only began to accelerate in the early 2010s.
A legal turning point came with the adoption in 2009 by the Standing Committee of the National People's Congress (NPCSC) of Criminal Law Amendment VII, which drastically expanded the penalties for unauthorized intrusions into computer systems, including provisions targeting those who provided tools that facilitated such intrusions. This directly led to the forced shutdown of platforms like Black Hawk Security Network and the arrest of key figures like Tan Dailin (wicked rose), founder of NCPH.
The members of the Red 40, in this drastically changing context, ominously turned to the business world, seizing illicit opportunities in a Chinese cybersecurity sector then deceptively perceived as "weak" and "deteriorating." Many assumed key roles at established cybersecurity firms like Venustech and Topsec, or at tech giants like Baidu, Alibaba, Tencent, and Huawei. Some brazenly founded their own cybersecurity startups, such as NSFOCUS (founded in 2000 by Shen Jiye (沈继业), a former member of the Green Army) and Knownsec (founded in 2007 by Zhao Wei (icbm), Yang Jilong (watercloud), and Fang Xing (flashsky), former members of 0x557 and Xfocus).
Concurrently, collaboration with government agencies intensified to an alarming degree. In 2009, U.S. diplomats chillingly raised concerns that the PRC was "harvesting its private sector talent to strengthen its offensive and defensive network operations capabilities." Topsec and Venustech, among the few ostensibly mature cybersecurity firms at the time, had disturbingly close ties to the PLA and the Ministry of State Security (MSS). In 2006, the Network Crack Program Hacker (NCPH) group, led by Tan Dailin (wicked rose), conducted a series of successful cyber espionage campaigns, almost certainly on behalf of the PLA. These "hackers-for-hire" were often compensated to complete illicit intrusions.
The military reorganization and civil-military fusion
Under the menacing leadership of Xi Jinping, Chinese rhetoric and capabilities concerning cybersecurity and cyberwarfare have been dramatically and alarmingly escalated. Xi has ruthlessly reorganized the PLA, downsizing the traditional land-based army on which China had relied for decades, to forge a formidable Strategic Support Force (SSF), chillingly focused on cyber, space, and electronic warfare. Formed during the sweeping 2016 reorganization of the PLA, the SSF possesses the clear mandate, the insidious organization, and the combined, malevolent capabilities to prosecute layered strategic cyberwarfare operations. Its ultimate goal: to relentlessly deny, destroy, disrupt, and degrade an adversary's critical infrastructure in pursuit of broader, hostile political and societal effects. This reorganization ominously accelerated a fundamental shift in military posture from land-based territorial protection to aggressive, extended power projection, with joint forces and advanced technology serving as lethal enablers.
To complement this new, menacing joint force, Xi has aggressively advanced a strategy of military-civil fusion (MCF), fundamentally restructuring Chinese science and technology enterprise to simultaneously innovate for both economic gain and military development. This sinister strategy enables a vast number of civilian companies, such as Baidu and Alibaba, to participate in classified military research and development. Chinese contractors have also directly and illicitly engaged in cyber operations on behalf of the Chinese government. Chinese telecom and infrastructure companies like Huawei have been implicated in Chinese cyber espionage campaigns in the past, raising profound security concerns. This chilling civil-military integration is a hallmark of Chinese cyber power, starkly differentiating it from Western approaches.
Key actors and attack methodologies: the stratification of Chinese espionage
Investigations into the most recent intrusions have chillingly reinforced the undeniable conviction that at least some of the initial attacks were launched by hackers unequivocally linked to the Chinese government. Charles Carmakal, CTO of Mandiant Consulting (a division of Google Cloud), flatly and damningly stated: "We believe that at least one of the actors responsible for this early exploitation is a China-connected threat actor." This damning assessment is buttressed by further irrefutable evidence, with federal investigators identifying connections from compromised SharePoint servers in the U.S. to malicious IP addresses in China. The predatory interest of state actors, particularly those explicitly linked to the Chinese government, consistently targets industrial espionage, the wholesale theft of intellectual property, and the clandestine collection of sensitive government information.
The Chinese government actively and aggressively coordinates cyber espionage operations through its intelligence agencies, primarily the Ministry of State Security (MSS) and the PLA, making increasing, cynical use of private contractors. Mandiant Threat Intelligence grimly reports that since Xi Jinping's 2016 military and intelligence overhaul, the technology employed by China-affiliated cyber espionage groups has steadily evolved, becoming more insidious, stealthy, and agile. Beijing's cyber espionage operations are conducted by both the MSS and the PLA, but they are chillingly differentiated by their geographic scope, operational alignment, and the types of victims they ruthlessly target.
Political espionage and surveillance (MSS): Chinese political cyber espionage and surveillance operations are primarily orchestrated by the Ministry of State Security (MSS), China's foreign intelligence service. Last year, it came to light that a Chinese hacker group, ominously nicknamed Salt Typhoon, brazenly hacked at least nine American telephone companies, gaining illicit access to calls and messages of top officials. Ciaran Martin, who headed the British cyber defense agency from 2016 to 2020, chillingly compared this operation to the 2013 revelations by Edward Snowden, branding it "a strategic espionage operation of breathtaking audacity". According to Google Threat Intelligence Group, China is audaciously escalating its espionage operations by employing advanced persistent threat (APT) groups like APT41 to combine the distribution of ransomware with intelligence gathering. This deliberate, deceptive "mixing" cynically supports the Chinese government's public efforts to confuse attribution, cunningly masking heinous cyber espionage activities behind ostensible ransomware operations. APT41 is believed to operate from China and is "most likely a contractor of the Ministry of State Security", possessing a long, dark history of financially motivated operations, primarily focused on victimizing the video game industry, including the distribution of ransomware. Mandiant observed that one of the most prolific Chinese cyber espionage groups, APT41, had conducted a large-scale campaign ruthlessly exploiting vulnerabilities in corporate networking and endpoint management devices from Citrix, Cisco, and Zoho, successfully targeting more than 75 companies in over 20 countries with operations ranging from aerospace and defense to pharmaceuticals, energy, and utilities.
Critical infrastructure sabotage (PLA): In the realm of electronic warfare, hacking is utilized for deliberate sabotage in times of crisis or war. These destructive efforts are led by the People's Liberation Army (PLA), the armed wing of the Chinese Communist Party. In 2023, it was horrifyingly discovered that a PLA-linked hacker group known as Volt Typhoon had deeply penetrated an extraordinary array of American critical infrastructure over several years, from vital ports to crucial factories to essential water treatment plants, spanning the continental United States and strategic American territories such as Guam. Ciaran Martin starkly stated that "Volt Typhoon is a military operation for strategic political and potentially military purposes", chillingly run by the People’s Liberation Army’s cyber unit. This involves the insidious insertion of preparatory implants, “digital traps”, into all manner of American critical infrastructure, laying the groundwork for future destructive actions.
Intellectual property theft: The most damaging and pervasive channel for intellectual property theft is cyber espionage. Cyber intrusions enable Chinese companies, in some cases acting under the direct, insidious direction of the CCP or with government assistance (so-called state cyberespionage), to illicitly access proprietary operations and project financing information from foreign companies, as well as to brazenly steal vital IP and technology. China aggressively employs government-coordinated and supported cyber espionage campaigns to plunder information from a wide variety of foreign commercial companies, including those in the oil and energy, steel, and aviation industries.
What truly distinguishes China's cyber espionage activity from that of other states is the sheer national interest relentlessly pursued and the overwhelming scale of its operations. Mandiant unequivocally states that China-linked state groups conducting compromises exploit more zero-days and are numerically larger than those of other states. Chinese actors employ a devastating variety of “initial access vectors”, such as sophisticated phishing via email and social engineering, strategic web compromise, and SQL injection. In 2020 and 2021 they also exploited zero-day vulnerabilities more ruthlessly and effectively than any other state.
Offensive cyber capabilities and disregard for norms
China is a major peer adversary in cyberspace, boasting offensive cyber capabilities that unequivocally rival or even surpass those of the United States. The country disturbingly demonstrates a clear development of asymmetric capabilities that enable it to achieve strategic goals with impunity. These capabilities, which the U.S. is currently constrained from developing by international or domestic law, chillingly include the cynical use of the private sector for cyber operations and a blatant, audacious disregard for any efforts to name and shame their reprehensible behavior.
Hackers in China are discovering vulnerabilities in U.S. software at an alarming and accelerating rate, and China actively and maliciously exploits these vulnerabilities in its cyber operations before they can even be fixed. Every year, China hosts a hacking competition, the Tianfu Cup, for its top hackers to uncover vulnerabilities. However, unlike equivalent competitions elsewhere that commonly disclose the flaws directly to impacted companies, flaws found at Chinese hacking competitions are illicitly given to the Chinese government before companies are even made aware of them. For example, a flaw in Apple software reported at Tianfu Cup in 2018 was ruthlessly used in Chinese cyber espionage campaigns for two months before the vulnerability was even discovered and fixed. In 2021, Tianfu Cup reported a shocking 30 successful demonstrations exploiting new vulnerabilities in U.S. software products, including Windows 10, Apple iOS, Safari, and Chrome. This was a disturbing 40% more than the number of successful demonstrations at Pwn2Own, an equivalent international competition, in the same year.
Chinese companies are also punished for disclosing vulnerabilities to vendors without first informing the government, an obligation formalized in 2021 by regulations that require vulnerabilities to be reported to the Ministry of Industry and Information Technology (MIIT) within two days. The clearest example is Log4j (Log4Shell), one of the most severe vulnerabilities of recent years: after an Alibaba Cloud engineer reported the flaw directly to the Apache Software Foundation, the project's U.S.-based maintainer, rather than to the Chinese authorities, the MIIT suspended the company's threat-information-sharing partnership for six months, explicitly citing the disclosure as the reason. The episode shows how tightly the state controls vulnerability discovery and disclosure, and how that control is turned to the benefit of its own offensive operations.
The attack patterns resemble earlier compromises attributed to Chinese actors. Piet Kerkhofs, CTO and co-founder of Eye Security, the firm that first reported the SharePoint exploitation, noted the similarity to previously exploited vulnerabilities such as those in Citrix NetScaler, where a newly disclosed flaw was turned into a working exploit within "hours to days." For defenders this compresses the patch window to almost nothing: internet-facing servers have to be assumed exposed from the moment a flaw becomes public, and patching has to be paired with exposure reduction and compromise assessment rather than treated as sufficient on its own.
Information control and influence operations
Xi Jinping has also stressed the importance of "discourse power" and information dominance in cyberspace, a marked shift in priorities from domestic censorship toward global information control. Over the past two years Chinese information operations have been redirected towards the West, with the aim of sowing discord and projecting power abroad. The propaganda apparatus produces content that promotes pro-China narratives to Western audiences, tailored in particular to "international youths", and hired a New Jersey consulting firm to distribute pro-Beijing content about the 2022 Olympics through online influencers. TikTok, the Chinese-owned social media app, censors content unfavorable to Beijing. China also runs a large covert propaganda network that conducts disinformation operations on social media and has begun to achieve measurable international reach.
The fundamental role of universities in Chinese cyber-espionage
Chinese universities collaborate closely with the PLA and the MSS in state-sponsored cyber espionage. Shanghai Jiao Tong University (SJTU) helps conduct operations for the Chinese military. Zhejiang University and the Harbin Institute of Technology are known recruiting grounds for Chinese hackers. Xidian University gives its students hands-on experience at a provincial MSS bureau, and it had a relationship with the Third Department of the PLA General Staff until that department was reorganized into the Network Systems Department of the PLA Strategic Support Force in 2015; its graduate program is run jointly with the Guangdong Bureau of the China Information Technology Security Evaluation Center (Guangdong ITSEC), an MSS bureau that operates a prolific contract team heavily involved in hacking activity.
Southeast University has a long-standing relationship with the security services and jointly operates the Purple Mountain Lab with the PLA Strategic Support Force, where researchers work on "important strategic requirements," computer operating systems and interdisciplinary cybersecurity research. The university also receives funding from the PLA and the MSS to support the development of China's cyber capabilities. SJTU's cybersecurity degree program is taught at a PLA information engineering base, and its Cyberspace Security Science and Technology Research Institute, home to the Network Confrontation and Information System Security Testing program, conducts research that directly enables cyber operations. MSS partner universities for talent recruitment include the University of Science and Technology of China, Xi'an Jiaotong University, the Beijing Institute of Technology, Nanjing University and the Harbin Institute of Technology. Some Chinese cybersecurity companies, such as Beijing TopSec, openly cooperate with the PLA in intelligence work, hacking campaigns, operator training and the education of future hackers.
The global impact of Chinese cyber espionage and the crippling costs for the West
Such intrusions threaten the economic competitiveness and national security of the affected states. In June 2024 the Dutch Military Intelligence and Security Service (MIVD) stated that Chinese cyber espionage is far more extensive than previously thought and systematically targets Western governments and defense companies. The MIVD said the Chinese state-backed group behind the 2023 intrusion into the Dutch Ministry of Defence had compromised at least 20,000 systems (Fortinet FortiGate edge devices) worldwide within a few months, and possibly many more. In 2018 the Czech National Cyber and Information Security Agency (NUKIB) issued a public warning about cybersecurity risks linked to China, specifically Huawei and ZTE equipment; since then the country has built one of the most stringent FDI screening regimes in Europe and substantial cybersecurity capabilities aimed at countering Beijing.
According to U.S. prosecutors, dozens of European parliamentarians have been targeted by Chinese hackers in recent years. In March 2024 the U.S. Department of Justice unsealed an indictment alleging that hackers tied to China's civilian intelligence agency, the Ministry of State Security (MSS), targeted "every European Union member" of the Inter-Parliamentary Alliance on China (IPAC), a coalition of lawmakers critical of Beijing. In 2021, according to the indictment, the hackers sent "more than 1,000 emails to more than 400 unique accounts of individuals associated with IPAC", using tracking links to collect data on the recipients' internet activity and devices.
The fragility of "on-premise" and Microsoft's response
The vulnerabilities affect on-premises SharePoint servers, that is, installations run by the organizations themselves rather than the SharePoint Online cloud service. Affected versions are Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019 and Microsoft SharePoint Server 2016. Many large organizations, including government bodies and strategic sectors, keep on-premises SharePoint for document storage and collaboration, often because of compliance requirements, the wish to keep data under direct control, or simple inertia. The trade-off is that patching, hardening and exposure management become the operator's responsibility: a zero-day exploited before a patch exists, or before it is installed, hits those servers directly, above all when they are reachable from the internet.
Microsoft released security updates and urged all on-premises SharePoint customers to install them immediately. It also advised rotating the servers' cryptographic keys (the ASP.NET machine keys), because an attacker who has copied those keys from a compromised server can keep forging valid requests, and so re-enter, even after the patch is applied; this is the "backdoor" the press coverage refers to. The order matters: patch first, then rotate the keys, then restart IIS so every worker process loads the new keys. Key rotation does not, however, remove any web shell or other persistence already planted, so a server that was exposed while unpatched also needs a compromise assessment. Microsoft warned with "high confidence" that threat actors would keep targeting unpatched on-premises SharePoint systems, underlining the persistence of the threat and the need for immediate action by affected organizations.
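The remediation sequence described above, written out as an added example in PowerShell; this is not code from the article, from ACN or from Microsoft. It assumes an elevated SharePoint Management Shell on a farm server on which the security updates are already installed, and that the Update-SPMachineKey cmdlet is available on that build (it ships with Subscription Edition and with current updates for 2019 and 2016). The closing file sweep is a generic triage step, not a published indicator of this campaign; the 30-day window and the 16 hive path are assumptions to adjust to the environment.

```powershell
# Added example: post-patch machine-key rotation and a generic triage sweep
# for an on-premises SharePoint farm. Assumptions: run as a farm administrator
# in an elevated SharePoint Management Shell after the security updates are
# installed; Update-SPMachineKey is available on this build.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build before touching keys. Rotating keys on an unpatched
#    server only buys time until the attacker re-exploits and steals the new ones.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys of every web application, Central
#    Administration included. The keys sign and encrypt __VIEWSTATE; an attacker
#    who copied them can keep forging valid requests until they are replaced.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so every worker process loads the new keys.
iisreset.exe

# 4. Generic triage (assumed window and path): list executable content written
#    to the LAYOUTS folder recently. SharePoint updates also write here, so
#    compare each timestamp with the patch window; anything outside it needs a
#    closer look, and key rotation alone does not remove it.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
Get-ChildItem -Path $layouts -Recurse -File -Include *.aspx, *.ashx, *.dll, *.exe |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize
```

Run the script on one farm server at a time and repeat the rotation for every web application, since a single stale key leaves the forgery path open. On a farm that was internet-facing while unpatched, treat the file sweep as a starting point for a full compromise assessment, not as a clean bill of health.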
Despite sustained criticism and repeated breaches (the 2021 attack on Exchange Server and the 2023 theft of U.S. government officials' emails from its cloud service), Microsoft has reiterated its commitment to security. CEO Satya Nadella launched the "Secure Future Initiative" to make security the company's top priority, and Ann Johnson, Microsoft's corporate vice president for cybersecurity, said the company is committed to "constantly improving its response and security measures" under that initiative. The prevailing public and political perception, especially in the U.S., is nonetheless that the company is not doing enough, and that it is prioritizing the growth of its cloud and artificial intelligence businesses over the security of its core products.
Italy in the crosshairs: the ACN's urgent recommendations
In Italy, the National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale, ACN) reacted promptly, issuing a detailed alert on July 25 to warn organizations and give them specific, actionable guidance. ACN's recommendations align with those of Microsoft and other international agencies and add further tools and procedures for mitigation and detection.
Geopolitical outlook and future implications of cyberwarfare
In conclusion, the attack on SharePoint by China-linked state actors is a reminder that cyberwarfare is not a distant threat but a present and escalating reality that directly affects national security, the global economy and international relations. The exposure of software as widely deployed as SharePoint is a warning of the need for constant vigilance, sustained investment in cybersecurity and international cooperation, at a time when trust among the major powers is at a low. ACN's detailed guidance for Italian organizations underlines the seriousness of the threat at the national level and places Italy among the active participants in the defense of the Western cyber front. China's ability to integrate state, military and civilian efforts in cyberspace is a systemic challenge for Western democracies, which must strengthen their defenses and adapt their strategies to a rapidly evolving and increasingly hostile threat landscape.