COMMENTARY: Most people focus on the big, loud attacks, but often overlook the real risk - the activity that happens quietly, long before a breach makes headlines. This piece shows how dangerous those hidden threats are. It reminds security teams that protecting the perimeter isn't enough anymore. You have to assume someone's already inside and focus on seeing what's really happening in your network.
It was discovered that at least two Chinese state-sponsored hacking groups and a third China-based actor exploited a Microsoft SharePoint zero-day vulnerability, compromising more than 400 organizations worldwide. Victims included government agencies, universities, and businesses across the United States, Europe, and Asia. Among those impacted were the National Institutes of Health (NIH) and the federal agency responsible for securing the U.S. nuclear stockpile.

Attackers followed a familiar pattern - targeting a zero-day vulnerability within SharePoint for the initial breach, then creating backdoors to maintain access even after patches were applied. This reflects a broader trend: zero-day vulnerabilities being exploited for initial intrusion and threats dwelling undetected, waiting for the right time to strike - or operating just below the threshold of a full-scale incident while still draining critical cyber resources. The need is now urgent for highly targeted industries - critical infrastructure, government agencies, and financial institutions - to update their security posture to account for who or what may already be inside their networks.

Once cybercriminals gain access, they can use native tools to quietly explore and move between systems until they find their target. Detecting this type of lateral movement requires deep inspection of internal traffic and skepticism toward even legitimate-looking activity. Training employees to spot unusual behavior or deviations from normal operations is key to identifying bad actors early.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.
Expose Dormant Threats: Detect Attackers Lying in Wait
In the SharePoint attack, nation-state groups used tactics that allow them to quietly conduct reconnaissance once they've gained deep access to networks. This contrasts sharply with traditional attack methods that encrypt files or demand ransom immediately after breaching a system.

How does this happen? It comes down to security models that prioritize protecting the network edge. Perimeter defenses alone are not enough. Once an attacker is inside, traditional models lack the visibility to detect subtle movements across the network. Attackers exploit "below-the-threshold" activity to escalate privileges, move laterally, and exfiltrate data without detection. The longer they remain unseen, the greater the potential damage.

Once perimeter defenses are bypassed, these models typically have little ability to prevent attackers from operating internally. This limitation stems from a lack of comprehensive visibility into internal network traffic, system logs, and user behavior - making it harder to spot the subtle signs of a persistent threat. It's not that SOC teams fail to act; they simply don't see anything out of the ordinary.

The biggest mistake an IT team can make is assuming perimeter defenses are enough. This mindset allows bad actors to intercept and manipulate communications, steal credentials, inject malicious content, or eavesdrop on sensitive conversations. Edge-focused defenses alone cannot protect against stolen credentials or the backdoors that let attackers come and go undetected.

The longer attackers stay hidden, the more time they have to move laterally, identify valuable assets, escalate privileges, exfiltrate sensitive data, deploy ransomware, or disrupt critical systems. Without full visibility and context, organizations lack the transparency needed to defend their networks.

Defend Critical Industries: Silent Threats
Two sectors are especially at risk from these attack methods: critical infrastructure and government agencies. In the past, bad actors targeting critical infrastructure were often motivated by financial gain. Now, their focus has shifted to achieving deep, sustained access into what is effectively national security infrastructure.

CISA defines more than 15 critical infrastructure sectors - such as chemicals, communications, and transportation - whose disruption could severely impact national security, the economy, public health, or safety. That makes them prime targets for nation-state groups seeking espionage opportunities or the ability to disrupt daily life. Geopolitical tensions have only amplified these risks, with the FBI highlighting China's Volt Typhoon campaign and DHS warning of potential Iranian cyberattacks on U.S. infrastructure despite ongoing diplomacy.

Government municipalities and agencies also face growing exposure. They store large amounts of sensitive data - addresses, Social Security numbers, banking, and insurance details - that can be used for targeted attacks or espionage campaigns. These institutions are often easy targets due to weak cyber hygiene caused by budget constraints, small security teams, and legacy systems.

Fighting Back: Updating Security Posture
Ultimately, organizations must prioritize detecting post-compromise activity to stay secure. Privilege escalation, discovery, and lateral movement - all stages of the MITRE ATT&CK framework - require attackers to communicate on the network. To assess how well they can stop lateral movement, organizations should ask themselves:

- What network controls do I have to discover and limit device activity?
- What percentage of my environment is covered by endpoint data?
- How do I track normal versus abnormal account activity?
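The last question, and the earlier point that lateral movement has to show up in internal traffic, can be made concrete with a baseline-versus-review check over authentication events. The script below is an added example written for this column, not code from the article or from any vendor; the log format, account names, host names and thresholds are constructed assumptions. It builds a per-account profile (source hosts, destination hosts, active hours) from a quiet baseline period, then flags review-window logons that fall outside that profile, including the fan-out pattern of one account reaching several never-before-seen hosts within a few minutes.

```python
"""Baseline-versus-anomaly check over internal authentication events.

Added example (not from the MSSP Alert column): one concrete way to
"track normal versus abnormal account activity" and to spot the fan-out
pattern of lateral movement in internal traffic. The log format, account
names, host names and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "ISO-timestamp,account,source_host,destination_host".
# BASELINE_EVENTS is a quiet week; REVIEW_EVENTS is the window under review.
BASELINE_EVENTS = """\
2025-07-14T09:02:11,alice,ws-alice,fileserv-01
2025-07-14T09:40:03,alice,ws-alice,sp-web-01
2025-07-15T10:12:45,alice,ws-alice,fileserv-01
2025-07-16T08:55:30,alice,ws-alice,sp-web-01
2025-07-17T09:21:08,alice,ws-alice,fileserv-01
2025-07-14T07:30:00,svc-backup,bkp-01,fileserv-01
2025-07-15T07:30:00,svc-backup,bkp-01,fileserv-01
2025-07-16T07:30:00,svc-backup,bkp-01,fileserv-01
"""

REVIEW_EVENTS = """\
2025-07-21T09:05:12,alice,ws-alice,fileserv-01
2025-07-21T02:14:02,alice,sp-web-01,dc-01
2025-07-21T02:14:40,alice,sp-web-01,fileserv-02
2025-07-21T02:15:05,alice,sp-web-01,hr-db-01
2025-07-21T02:15:50,alice,sp-web-01,fin-app-01
2025-07-21T07:30:00,svc-backup,bkp-01,fileserv-01
"""

FANOUT_THRESHOLD = 3                    # distinct *new* destinations ...
FANOUT_WINDOW = timedelta(minutes=10)   # ... reached within this window (assumed)


def parse_events(text):
    """Parse the constructed CSV-like lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per account: hosts it normally logs on from/to and the hours it is active."""
    profile = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for e in events:
        p = profile[e["account"]]
        p["src"].add(e["src"])
        p["dst"].add(e["dst"])
        p["hours"].add(e["ts"].hour)
    return profile


def detect_anomalies(baseline, events):
    """Return (account, reason, detail) tuples for activity outside the baseline."""
    findings = []
    new_dst_times = defaultdict(list)   # account -> times of new-destination logons
    for e in events:
        acct = e["account"]
        p = baseline.get(acct)
        if p is None:
            findings.append((acct, "unknown-account", f"no baseline for {acct}"))
            continue
        if e["src"] not in p["src"]:
            findings.append((acct, "new-source-host", e["src"]))
        if e["ts"].hour not in p["hours"]:
            findings.append((acct, "off-hours-logon", e["ts"].isoformat()))
        if e["dst"] not in p["dst"]:
            findings.append((acct, "new-destination", e["dst"]))
            times = new_dst_times[acct]
            times.append(e["ts"])
            # Sliding window: how many new destinations in the last FANOUT_WINDOW?
            recent = [t for t in times if e["ts"] - t <= FANOUT_WINDOW]
            if len(recent) >= FANOUT_THRESHOLD:
                findings.append((acct, "lateral-fanout",
                                 f"{len(recent)} new hosts in {FANOUT_WINDOW}"))
    return findings


def run_check():
    """Build the baseline and review the second window against it."""
    baseline = build_baseline(parse_events(BASELINE_EVENTS))
    return detect_anomalies(baseline, parse_events(REVIEW_EVENTS))


if __name__ == "__main__":
    for account, reason, detail in run_check():
        print(f"{account:12} {reason:18} {detail}")
```

On the constructed data, the backup service account stays silent and alice's normal morning logon produces nothing, while the 02:14 burst from the SharePoint web server trips every rule: the source host is new for that account, the hour is outside its baseline, each destination is new, and the third and fourth new destinations inside the ten-minute window raise the fan-out finding that distinguishes lateral movement from a single odd logon. In a real deployment the profile would be built from weeks of Windows logon events or proxy and NetFlow records rather than a string literal, and the thresholds tuned per account type.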



