Incident

Croatian research institute Ruđer Bošković hit by ransomware through Microsoft SharePoint vulnerabilities



The Ruđer Bošković Institute (RBI), Croatia's largest science and technology research institute, has confirmed it was targeted in a ransomware campaign exploiting critical Microsoft SharePoint vulnerabilities known as "ToolShell." 

The attack occurred on Thursday, July 31, 2025. The ransomware attack affected part of the network related to the business processes of the Institute's administrative and professional services. All documents and databases in that part of the network were encrypted by the attackers.

The incident caused significant operational disruption. The institute's email system was offline from July 31 to August 8, 2025. 

The ToolShell vulnerabilities enable attackers to achieve remote code execution without authentication. Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers.

The compromised data and the number of affected individuals have not been disclosed.

The institute is working closely with Croatian cybersecurity authorities to investigate the breach and restore operations. The incident was reported to the Ministry of the Interior, the national CERT (Computer Emergency Response Team), and other relevant authorities.

The institute's data protection officer has notified employees about the potential exposure of their personal information and warned them to be careful of phishing emails that might impersonate the institute or authorities. 

The institute is building an entirely new IT infrastructure and restoring from backups. The network system remains partially disconnected as a precaution.
