News: 1754073915

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

China says US spies exploited Microsoft Exchange zero-day to steal military info

(2025/08/01)


China has accused US intelligence agencies of exploiting a Microsoft Exchange zero-day vulnerability to steal defense-related data and take over more than 50 devices belonging to a "major Chinese military enterprise" over the course of nearly a year.

In a Thursday [1]alert, the National Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT/CC), a group which claims that it is [2]non-governmental, said American cyberattacks against Chinese high-tech, defense-related universities, research institutes, and enterprises "have become more targeted and their methods, more covert."

These data-stealing campaigns pose "a serious threat to the scientific research and production security of China's defense and defense industries, and even to national security," the alert continues.


The US National Security Agency did not immediately respond to The Register's inquiries.


CNCERT/CC's claims about American spies infiltrating military and defense-related organizations follow several recent allegations from the US about Chinese snooping activity.

Last week, US-based security firms including Microsoft blamed recent SharePoint zero-day attacks on several Chinese groups, including at least [6]two Beijing-backed snooping and data stealing crews, and a [7]China-based ransomware gang.


And earlier this week, SentinelLabs' security researchers uncovered more than a dozen [9]patents for offensive cybersecurity tools filed by Chinese companies allegedly tied to Beijing's Silk Typhoon espionage crew.

Uncle Sam purloined emails, alert claims

The Thursday CNCERT/CC alert doesn't name any specific organizations American intelligence allegedly compromised, nor specific vulnerabilities that were abused.

It says one attack involved exploiting a Microsoft Exchange zero-day to break into an email server belonging to a "major Chinese military enterprise", with access persisting from July 2022 to July 2023.

"Investigations revealed that the attackers gained control of the enterprise's domain controller server, using it as a springboard to gain control of over 50 critical devices within the intranet," according to the alert.

Microsoft declined The Register's request for comment.

[10]Beijing summons Nvidia over alleged backdoors in China-bound AI chips

[11]Surprise, surprise: Chinese spies, IP stealers, other miscreants attacking Microsoft SharePoint servers

[12]Blame a leak for Microsoft SharePoint attacks, researcher insists

[13]Silk Typhoon spun a web of patents for offensive cyber tools, report says

CNCERT/CC said the intruders used WebSocket communication within an SSH tunnel to remotely access one of the company's external servers, and "established multiple covert channels" to steal data.

During this same time period, the organization claims, Americans used IP addresses from multiple countries including Germany, Finland, South Korea, and Singapore to launch more than 40 cyberattacks, stealing emails from 11 people including senior execs at the defense company.


These emails allegedly contained design plans and detailed system information related to Chinese military products.
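The access pattern CNCERT/CC describes for the first intrusion, a handful of executive mailboxes read over many months from source addresses in several unrelated countries, is something a defender can hunt for in mailbox-access audit logs without knowing the exploit. The script below is an added example, not code from the alert, from CNCERT/CC or from The Register; the log format, the IP addresses, the mailbox names and the IP-to-country table are constructed stand-ins for real audit records and a real GeoIP database.

```python
"""Flag mailboxes read from source IPs in several distinct foreign countries.

Added example for illustration only. The log lines, addresses and the
GEO table below are constructed; a real hunt would read Exchange mailbox
audit records and resolve countries with a GeoIP database.
"""
from collections import defaultdict
from datetime import datetime

# Constructed IP-to-country lookup standing in for a GeoIP database.
GEO = {
    "203.0.113.10": "DE",
    "203.0.113.11": "FI",
    "203.0.113.12": "KR",
    "203.0.113.13": "SG",
    "198.51.100.5": "CN",   # the organisation's own egress address
}

# Constructed, simplified audit records: timestamp, source IP, mailbox, operation.
SAMPLE_LOG = """\
2022-09-03T02:14:07Z 203.0.113.10 ceo@example.corp MailItemsAccessed
2022-09-03T09:00:12Z 198.51.100.5 ceo@example.corp MailItemsAccessed
2022-11-19T03:41:55Z 203.0.113.11 ceo@example.corp MailItemsAccessed
2023-01-08T01:05:30Z 203.0.113.12 cto@example.corp MailItemsAccessed
2023-02-22T04:22:01Z 203.0.113.13 cto@example.corp MailItemsAccessed
2023-03-14T23:59:59Z 203.0.113.10 cto@example.corp MailItemsAccessed
2023-04-02T08:30:00Z 198.51.100.5 clerk@example.corp MailItemsAccessed
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one record; return (datetime, ip, mailbox, op) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, mailbox, op = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return when, ip, mailbox, op


def suspicious_mailboxes(log_text, geo=GEO, home="CN", min_countries=2):
    """Return {mailbox: sorted list of foreign countries} for every mailbox
    whose items were read from at least `min_countries` distinct countries
    other than `home`. Unknown IPs are counted under the placeholder "??"
    so that an unresolvable source still raises the count."""
    countries = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, mailbox, op = rec
        if op != "MailItemsAccessed":
            continue
        country = geo.get(ip, "??")
        if country != home:
            countries[mailbox].add(country)
    return {mb: sorted(c) for mb, c in countries.items() if len(c) >= min_countries}


if __name__ == "__main__":
    for mailbox, hits in suspicious_mailboxes(SAMPLE_LOG).items():
        print(f"{mailbox}: read from {', '.join(hits)}")
```

The threshold of two foreign countries is deliberately low so the example fires on the small constructed log; in production, tune it against a baseline of where the organisation's staff actually travel, and join the flagged mailboxes against the VIP list, since the alert's point is that the targets were senior executives rather than a random sample of users.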

In a second attack detailed in the Thursday security bulletin, CNCERT/CC said that the US exploited bugs in electronic file systems between July and November 2024 to compromise "a Chinese military-industrial enterprise in the communications and satellite internet sectors."

American spies allegedly used IP addresses from Romania and the Netherlands to exploit SQL injection vulnerabilities, backdoor the organization's file server, upload malware, and compromise more than 300 devices.

"They then searched for keywords such as 'military network' and 'core network' to steal sensitive data from the compromised hosts," CNCERT/CC said. ®
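The second intrusion turned on SQL injection in a file-management system, the kind of bug that lets a remote caller read tables the application never meant to expose and, from there, plant a backdoor. The snippet below is an added example, not the compromised product's code and not from the alert: it pairs a deliberately vulnerable file-search query with its parameterised form over a constructed in-memory SQLite schema, and shows the same two payloads dumping every row, then a hidden credentials table, from the vulnerable version while the safe version returns nothing.

```python
"""Vulnerable file-search query beside its parameterised form.

Added example for illustration; the schema, file names and the
'deploy_keys' table are constructed and stand in for a real file server.
"""
import sqlite3


def build_db():
    """Constructed file-server catalogue: a public and a restricted file,
    plus a table of secrets the search endpoint should never reach."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, path TEXT, public INTEGER);
        CREATE TABLE deploy_keys (id INTEGER PRIMARY KEY, host TEXT, secret TEXT);
        INSERT INTO files VALUES (1, 'brochure.pdf', '/share/public/brochure.pdf', 1);
        INSERT INTO files VALUES (2, 'core-network-plan.docx', '/share/restricted/core-network-plan.docx', 0);
        INSERT INTO deploy_keys VALUES (1, 'fileserver01', 'constructed-secret');
    """)
    return db


def search_vulnerable(db, term):
    """String formatting pastes attacker-controlled text straight into the SQL."""
    sql = f"SELECT name, path FROM files WHERE public = 1 AND name LIKE '%{term}%'"
    return db.execute(sql).fetchall()


def search_safe(db, term):
    """A bound parameter: the term is only ever a LIKE pattern, never SQL."""
    sql = "SELECT name, path FROM files WHERE public = 1 AND name LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()


# Two classic payloads. The trailing -- comments out the closing %' so the
# injected statement stays syntactically valid.
DUMP_ALL = "zzz' OR 1=1 --"
DUMP_SECRETS = "zzz' UNION SELECT host, secret FROM deploy_keys --"


def demo():
    """Return the four results side by side so the difference is checkable."""
    db = build_db()
    return {
        "vulnerable_all": search_vulnerable(db, DUMP_ALL),        # both files, restricted one included
        "safe_all": search_safe(db, DUMP_ALL),                    # no file is literally named that
        "vulnerable_secrets": search_vulnerable(db, DUMP_SECRETS),  # rows from deploy_keys
        "safe_secrets": search_safe(db, DUMP_SECRETS),            # nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Parameterisation closes the injection, but note the residual behaviour: `%` and `_` in the search term still act as LIKE wildcards in the safe version, so escape them (SQLite supports an `ESCAPE` clause) if users must not be able to enumerate the catalogue by pattern. The `public = 1` filter is also bypassed by the first payload because the injected `OR` rewrites the whole predicate, which is why an authorisation check that lives only in the SQL string is no check at all.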




[1] https://mp.weixin.qq.com/s/MjIlXBYK0kK2ysU6a78BAg

[2] https://www.cert.org.cn/publish/english/index.html


[6] https://www.theregister.com/2025/07/22/chinese_groups_attacking_microsoft_sharepoint/

[7] https://www.theregister.com/2025/07/24/microsoft_sharepoint_ransomware/


[9] https://www.theregister.com/2025/07/31/silk_typhoon_attack_patents/

[10] https://www.theregister.com/2025/07/31/beijing_nvidia_backdoors/

[11] https://www.theregister.com/2025/07/22/chinese_groups_attacking_microsoft_sharepoint/

[12] https://www.theregister.com/2025/07/26/microsoft_sharepoint_attacks_leak/

[13] https://www.theregister.com/2025/07/31/silk_typhoon_attack_patents/




Surprise, surprise ...

Anonymous Coward

Spies spy!!!

Reasons for optimism #1

Anonymous Coward

The Chinese authorities obviously believed Exchange doesn't have any ***intended*** backdoors?

"Elves and Dragons!" I says to him. "Cabbages and potatoes are better
for you and me."
-- J. R. R. Tolkien