The Department of Homeland Security was affected by a broad intrusion into on-premises versions of Microsoft SharePoint, according to multiple people familiar with the matter.

The Cybersecurity and Infrastructure Security Agency notified more than a dozen federal entities of the possible compromise, one person said. Another pegged the total to at least five agencies.

The people spoke on the condition of anonymity because the matter is sensitive. Politico reported an estimate of four to five agencies on Tuesday.

DHS has multiple component agencies, including CISA, the Transportation Security Administration, Customs and Border Protection and the Federal Emergency Management Agency.

Microsoft has already attributed some of the hacking activity to Chinese state-aligned groups, but it’s not known whether China-linked entities themselves were responsible for the hit to DHS. Security patches have been made available for all affected versions of SharePoint, Microsoft said in a blog post.

The National Nuclear Security Administration and the Department of Education were also accessed, Bloomberg News reported, while the Washington Post reported that the Department of Health and Human Services had been hit.

U.S. government SharePoint environments often contain sensitive information on how agencies and their offices operate, making them prime targets for nation-state hackers and cybercriminals, said one government cybersecurity analyst.

“Need a form? Go to SharePoint. Need to send an update on a task? Go to SharePoint. Need to get notes from meetings, or presentation slides? SharePoint,” said the analyst, who was granted anonymity because they were not authorized to speak publicly.

Spokespeople for DHS and CISA did not immediately return requests for comment. 

Hackers are leveraging unpatched systems to access organizations across the world. Qatari government systems are believed to have been targeted, according to two people familiar with the matter. Nextgov/FCW has reached out to Qatar’s embassy in Washington, D.C. and Microsoft’s Middle East communications team for comment.

The bug is a “zero-day” — so called because the vendor had not discovered it before attackers did and had zero days to fix it — that’s being actively exploited. Hackers can leverage the vulnerability by sending specially crafted data to a SharePoint server; the server improperly processes that input, allowing the attacker to execute malicious code remotely without needing a password or any other credentials.

Thousands of state and local governments rely heavily on Microsoft products. The Multi-State Information Sharing and Analysis Center, which provides cybersecurity resources for U.S. state, local, territorial and tribal governments, has detected hundreds of vulnerable groups, an official with the organization previously said.

“CISA is aware of federal agencies and [state, local, tribal and territorial] partners that may be affected by this activity and we are working with them to assess the scope and mitigate the risks associated with this vulnerability,” a senior CISA official previously told Nextgov/FCW.

Microsoft systems have been the target of past U.S. government hacking attempts, including one linked to China where the hackers pilfered thousands of emails in 2023 from State Department and Commerce Department email inboxes.