
Chinese hackers breach Commvault in cloud espionage attack

In early 2025, a cybersecurity breach affected Commvault, a major data management and backup solutions provider. The incident was linked to Salt Typhoon, a Chinese government-backed hacking group known for its cyberespionage campaigns against U.S. infrastructure and cloud service providers.

 

What happened 

According to a report published by Information Security Media Group (ISMG) on May 27, 2025, Commvault detected unauthorized access to its cloud environment, particularly involving applications hosted on Microsoft Azure.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory noting that the breach allowed attackers to access sensitive application secrets stored within Commvault’s Microsoft 365 backup-as-a-service platform. These application credentials enable authentication into clients' Microsoft 365 environments. 

The breach, therefore, raised alarms about the potential compromise of customer accounts and services. Although CISA stopped short of directly naming the hackers, a source familiar with the investigation confirmed to ISMG that the U.S. government believes Salt Typhoon was responsible.

 

The backstory

The incident traces back to February 20, 2025, when Microsoft first notified Commvault of unusual activity suggesting unauthorized access by a nation-state actor. Commvault publicly acknowledged the alert in a blog post, stating that a subset of customer application credentials may have been accessed.

The company emphasized that no actual customer backup data was compromised and that there was no material impact on its business operations or service delivery. Commvault also noted that it had not independently attributed the breach to any specific threat actor, even as government sources pointed to Salt Typhoon.

This event follows a troubling pattern associated with Salt Typhoon, which has been active since August 2019. The group had previously carried out a notorious attack on American telecommunications infrastructure, some of which was reportedly aimed at President-elect Donald Trump at the time.

 

What was said 

According to the CISA advisory, "CISA believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.”

According to a blog post by Commvault, "Based on industry experts, this threat actor uses sophisticated techniques to try to gain access to customer M365 environments. Our investigation to date indicates this threat actor may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments. In response, Commvault has taken several remedial actions detailed below, including rotating credentials. Commvault continues to update indicators of compromise (IOCs) to enable customer investigations within their M365 environments.”

 

Why it matters 

The breach of Commvault has reignited widespread concerns over cloud security vulnerabilities, especially those caused by default configurations and overly permissive access controls in enterprise environments. In response to the breach, CISA recommended several defensive measures, including monitoring Microsoft Entra audit logs, reviewing service principal activity, conducting internal threat hunting, implementing conditional access policies, and rotating credentials used between February and May 2025.
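As an added illustration (not from the article, CISA or Commvault), the following Python script triages constructed Entra audit-log records for two of the checks listed above: reviewing service principal credential changes and picking out app credentials touched in the February to May 2025 window for rotation. The record shape follows the Microsoft Graph directoryAudit fields; the activity name and the sample records are assumptions.

```python
import json
from datetime import datetime, timezone

# Review window from the CISA guidance cited in the article: credentials used
# between February and May 2025 should be rotated.
WINDOW_START = datetime(2025, 2, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 5, 31, 23, 59, 59, tzinfo=timezone.utc)

# Audit activity that adds or replaces a service principal's secret/certificate.
# Assumed name; confirm against the activity names your tenant actually emits.
CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}

# Constructed sample records in the Graph directoryAudit shape (not real data).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2025-03-14T02:11:09Z",
     "initiatedBy": {"app": {"displayName": "backup-connector"}},
     "targetResources": [{"displayName": "M365-Backup-App"}]},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2025-03-15T09:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "alice@example.com"}]},
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2025-01-05T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "Legacy-Sync-App"}]},
])


def _actor(record):
    """Who initiated the change: a user UPN or an app display name."""
    who = record.get("initiatedBy") or {}
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def credential_changes(audit_json):
    """List (timestamp, actor, target_app) for each credential add/replace event."""
    hits = []
    for rec in json.loads(audit_json):
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        for target in rec.get("targetResources", []):
            hits.append((when, _actor(rec), target.get("displayName", "?")))
    return hits


def apps_to_rotate(audit_json):
    """Apps whose credentials changed inside the review window (deduplicated)."""
    return sorted({app for when, _, app in credential_changes(audit_json)
                   if WINDOW_START <= when <= WINDOW_END})
```

Every credential change is listed for review regardless of date; only the ones inside the window land on the rotation list, so the January entry above is reviewed but not flagged for rotation.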
