House of Commons (Canada)

Canada’s House of Commons suffered a cyber attack exploiting a zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770, CVSS 9.8). Hackers, suspected to be the China-linked APT group Salt Typhoon, breached a database containing employee information, including names, job titles, office locations, email addresses, and details of House-managed computers and mobile devices. While no group has claimed responsibility, the attack aligns with a broader pattern of Chinese state-sponsored cyber intrusions targeting Canadian government networks over the past four years. The stolen data poses risks of tailored phishing and impersonation attacks against officials. Investigations are ongoing, but the breach exposes internal configurations and heightens concerns over follow-on social engineering campaigns. The incident underscores vulnerabilities in critical Microsoft platforms, with similar exploits recently affecting organizations like Google and the US Department of Health and Human Services.

Source: https://www.itpro.com/security/cyber-attacks/everything-we-know-so-far-about-the-canadian-house-of-commons-data-breach

TPRM report: https://www.rankiteo.com/company/houseofcommons-

"id": "hou1043082025",
"linkid": "houseofcommons-",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Legislative Branch',
                        'location': 'Ottawa, Canada',
                        'name': 'House of Commons of Canada',
                        'type': 'Government Institution'}],
 'attack_vector': ['Exploitation of Zero-Day Vulnerability (CVE-2025-53770)',
                   'Remote Code Execution (RCE)'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Database records'],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': ['Moderate to High (PII + internal IT '
                                         'asset details)'],
                 'type_of_data_compromised': ['Employee names',
                                              'Job titles',
                                              'Office locations',
                                              'Email addresses',
                                              'House-managed computer/mobile '
                                              'device details']},
 'date_detected': '2024-06-21T00:00:00Z',
 'date_publicly_disclosed': '2024-06-24T00:00:00Z',
 'description': "Canada's House of Commons was targeted in a cyber attack, "
                'believed to be linked to a recently-exploited Microsoft '
                'SharePoint zero-day vulnerability (CVE-2025-53770). Hackers '
                'accessed a database containing employee information (names, '
                'job titles, office locations, email addresses) and details '
                'about House-managed computers and mobile devices. The attack '
                'is suspected to be the work of Salt Typhoon, a Chinese '
                'state-linked APT group. No ransomware or financial demands '
                'were reported, but the stolen data poses risks for phishing '
                'and impersonation attacks. At least 20 Canadian government '
                'networks have been compromised by China-linked actors over '
                'the past four years.',
 'impact': {'brand_reputation_impact': ['Potential erosion of trust in '
                                        'government cybersecurity',
                                        'Media scrutiny'],
            'data_compromised': True,
            'identity_theft_risk': ['High (employee names, job titles, email '
                                    'addresses, device details exposed)'],
            'operational_impact': ['Risk of phishing/impersonation attacks '
                                   'using stolen employee data',
                                   'Ongoing investigation'],
            'systems_affected': ['House of Commons database managing computers '
                                 'and mobile devices']},
 'initial_access_broker': {'entry_point': ['Exploited Microsoft SharePoint '
                                           'zero-day (CVE-2025-53770)'],
                           'high_value_targets': ['House of Commons IT asset '
                                                  'management database']},
 'investigation_status': 'Ongoing (House of Commons leading internal '
                         'investigation)',
 'lessons_learned': ['Zero-day vulnerabilities in widely used platforms (e.g., '
                     'Microsoft SharePoint) pose significant risks to '
                     'government institutions.',
                     'APT groups like Salt Typhoon continue to target '
                     'government entities for espionage and data collection.',
                     'Stolen employee data can be weaponized for highly '
                     'targeted phishing campaigns, necessitating robust '
                     'security awareness training.',
                     'Proactive monitoring and patch management are critical '
                     'to mitigating exploits of newly disclosed '
                     'vulnerabilities.'],
 'motivation': ['Espionage',
                'Data Exfiltration',
                'Potential Future Phishing Campaigns'],
 'post_incident_analysis': {'root_causes': ['Failure to patch CVE-2025-53770 '
                                            'in a timely manner (exploit '
                                            'existed in the wild prior to '
                                            'breach).',
                                            'Likely insufficient network '
                                            'segmentation or zero-trust '
                                            'controls to limit lateral '
                                            'movement post-exploitation.',
                                            'Targeted by a sophisticated APT '
                                            'group with state-backed '
                                            'resources.']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Immediate patching of CVE-2025-53770 across all '
                     'SharePoint instances.',
                     'Enhanced email and endpoint security to detect phishing '
                     'attempts leveraging stolen data.',
                     'Implementation of multi-factor authentication (MFA) for '
                     'all critical systems.',
                     'Regular security audits and red team exercises to '
                     'identify and remediate vulnerabilities.',
                     'Public-private threat intelligence sharing to track APT '
                     'group activities.',
                     'Clear communication protocols for staff to report '
                     'suspicious activities post-breach.'],
 'references': [{'date_accessed': '2024-06-24', 'source': 'CBC News'},
                {'source': 'Canadian Centre for Cyber Security (National Cyber '
                           'Threat Assessment)'},
                {'source': 'Microsoft Security Advisory (CVE-2025-53770)'},
                {'date_accessed': '2024-06-24',
                 'source': 'ITPro (Analysis by Andrew Costis, AttackIQ; Javvad '
                           'Malik, KnowBe4)',
                 'url': 'https://www.itpro.com'}],
 'response': {'communication_strategy': ['Internal email to staff warning '
                                         'about phishing attempts',
                                         'Public disclosure via media (CBC '
                                         'News)'],
              'containment_measures': ['Investigation ongoing',
                                       'Staff warned about phishing risks'],
              'enhanced_monitoring': ['Likely implemented (implied by phishing '
                                      'warnings)'],
              'incident_response_plan_activated': True},
 'stakeholder_advisories': ['Internal email to House of Commons staff'],
 'threat_actor': ['Salt Typhoon (Chinese state-linked APT group)'],
 'title': "Cyber Attack on Canada's House of Commons via Microsoft SharePoint "
          'Zero-Day Exploit',
 'type': ['Data Breach', 'Unauthorized Access', 'APT Attack'],
 'vulnerability_exploited': 'CVE-2025-53770 (Microsoft SharePoint, CVSS 9.8)'}