US Nuclear Security Agency Breached via Microsoft SharePoint Zero-Day

Chinese state-sponsored hackers exploited a Microsoft SharePoint zero-day vulnerability to infiltrate the U.S. National Nuclear Security Administration (NNSA) network.

The U.S. National Nuclear Security Administration (NNSA), the agency responsible for maintaining the country’s nuclear arsenal, was hit by a cyberattack that exploited a SharePoint zero-day vulnerability. In mid-July 2025, attackers who had not yet been identified used an unpatched flaw in on-premises Microsoft SharePoint Server to breach NNSA systems. A DOE spokesperson confirmed that the intrusion began around July 18 and affected Department of Energy (DOE) networks, including the NNSA. DOE credited its extensive use of cloud-hosted Microsoft 365 services and its security controls with limiting the impact: only a “very small number of systems were impacted,” and all affected systems are being restored. Initial reports suggest no sensitive or classified nuclear weapons data was compromised.

SharePoint Zero-Day Breach at NNSA

The NNSA is a semi-autonomous DOE agency charged with securing the U.S. nuclear weapons stockpile and responding to nuclear emergencies. In this incident, attackers exploited a remote code execution vulnerability in on-premises Microsoft SharePoint Server, tracked as CVE-2025-53770 and part of the so-called “ToolShell” exploit chain, to gain access to NNSA servers. The original ToolShell chain was demonstrated by security researchers at Pwn2Own Berlin in May 2025, and Microsoft fixed the bugs behind it in its July 8, 2025 Patch Tuesday release. CVE-2025-53770 is a bypass of those fixes: attackers had weaponized it before a patch for it existed, which is what made it a zero-day.

Upon detection of unusual activity on July 18, DOE acted quickly. According to DOE Press Secretary Ben Dietderich, the breach was contained: the affected systems were isolated, and restoration efforts were launched immediately. Bloomberg sources within the agency noted that, to date, investigators have found no evidence of any secret or classified information being stolen during the intrusion. DOE credited the rapid isolation of the affected systems and its reliance on cloud-hosted services with keeping the intrusion from spreading.

Chinese State-Sponsored Attackers Identified

Security firms quickly connected the NNSA breach to a broader campaign of attacks on internet-facing SharePoint servers and attributed it to Chinese state-sponsored groups. Microsoft and Google have publicly linked the SharePoint exploit chain to hacking teams associated with Chinese intelligence. Microsoft named two advanced persistent threat groups, “Linen Typhoon” (also tracked as APT27) and “Violet Typhoon” (APT31), and a third, less well-characterized actor it tracks as “Storm-2603,” all assessed to be China-based, as the likely operators. All three were observed exploiting internet-facing SharePoint servers in the same timeframe.

Dutch cybersecurity firm Eye Security first detected the zero-day attacks on July 18, noting that dozens of organizations had already been compromised. Eye Security’s CTO later reported that the campaign had compromised at least 400 SharePoint servers worldwide across 148 organizations. Meanwhile, Check Point Research identified signs of exploitation as early as July 7 against dozens of government, telecom, and technology organizations in North America and Europe. The targeting points to a coordinated espionage effort rather than an opportunistic, profit-driven attack. The choice of on-premises SharePoint as the entry point is telling: these servers are routinely exposed to the internet, hold an organization’s internal documents, and are tightly integrated with Windows authentication and other Microsoft services, so a single compromised server is a valuable foothold.

Global Impact and Response

The NNSA was not the only U.S. victim. The same hacker groups breached several other public-sector entities in this campaign. Confirmed targets include the U.S. Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly, as well as various national government networks in Europe and the Middle East. Key facts about this breach include:

  • Compromised systems: Over 400 on-premises SharePoint servers were infected across the globe, affecting 148 organizations.
  • Key targets: U.S. Energy Department networks (including NNSA), Department of Education, Florida Department of Revenue, Rhode Island legislature, plus several foreign government agencies.
  • Attack vector: A bypass of Microsoft’s July patches for the “ToolShell” SharePoint Server RCE chain (CVE-2025-53770) was used to execute unauthorized code on vulnerable servers. Notably, Microsoft clarified that only on-premises SharePoint Server installations are affected; SharePoint Online (Microsoft 365) customers are not vulnerable.
  • Attribution: Chinese state-sponsored APTs (“Linen Typhoon”, “Violet Typhoon”, “Storm-2603”) have been identified as the likely threat actors. This aligns with a recent trend of Chinese intelligence targeting cloud infrastructure and collaboration tools for espionage.

In response to the unfolding crisis, U.S. authorities and vendors acted swiftly. The Cybersecurity and Infrastructure Security Agency (CISA) added the main exploited flaw, CVE-2025-53770, to its Known Exploited Vulnerabilities catalog on July 20, 2025, with a remediation deadline of July 21, giving federal agencies roughly 24 hours to patch. Microsoft issued out-of-band emergency updates on July 21 to fix the SharePoint vulnerabilities; for example, KB5002754 (SharePoint Server 2019) and related updates were released to address the RCE bugs. Organizations running affected servers were urged to apply these fixes immediately or to disconnect vulnerable SharePoint servers from the internet until patched. Because the campaign was already under way when the updates shipped, patching alone does not clear a server that was hit before the fix was applied: Microsoft’s guidance also called for rotating the server’s ASP.NET machine keys, restarting IIS and checking for web shells, since the attackers used their access to steal those keys.
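Detection example added by the editor; it is not code from the article, from DOE, or from any of the firms named above. It hunts IIS W3C logs from an on-premises SharePoint server for the request pattern that Microsoft’s public customer guidance for CVE-2025-53770 described as exploitation of the ToolShell chain: a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, followed by requests for the spinstall0.aspx web shell the attackers dropped to read the server’s ASP.NET machine keys. The log lines are constructed, the #Fields layout is an assumption, and the indicators should be checked against the current advisory before being relied on.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for illustration (not real traffic). The field
# order is whatever the #Fields header declares; IIS replaces spaces inside
# values such as the User-Agent with '+', so one split on spaces is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/ 200
2025-07-18 09:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200
2025-07-18 09:12:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-18 09:13:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/_layouts/15/settings.aspx 200
"""

# Indicators taken from Microsoft's published customer guidance for CVE-2025-53770
# (assumed current; verify against the advisory before relying on them).
TOOLPANE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER = re.compile(r"/_layouts/signout\.aspx$", re.IGNORECASE)
WEBSHELL = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    time: str
    client_ip: str
    indicator: str
    uri: str


def parse_iis(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new header can appear at log rollover
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # malformed or truncated line: skip it, do not abort the hunt
        rows.append(dict(zip(fields, parts)))
    return rows


def hunt(rows: Iterable[Dict[str, str]]) -> List[Finding]:
    """Flag requests matching the ToolShell exploitation pattern."""
    findings: List[Finding] = []
    for r in rows:
        stem = unquote(r.get("cs-uri-stem", ""))
        query = unquote(r.get("cs-uri-query", ""))
        referer = unquote(r.get("cs(Referer)", ""))
        method = r.get("cs-method", "").upper()
        when, client = r.get("time", "?"), r.get("c-ip", "?")
        if WEBSHELL.search(stem):
            # Any request for the dropped web shell is post-exploitation activity.
            findings.append(Finding(when, client, "spinstall0.aspx web shell request", stem))
        elif (method == "POST" and TOOLPANE.search(stem)
              and "displaymode=edit" in query.lower()
              and SIGNOUT_REFERER.search(referer)):
            # ToolPane.aspx is legitimately POSTed to when editing web part pages, so the
            # path alone is noisy; the SignOut.aspx Referer is the authentication-bypass tell.
            findings.append(Finding(when, client,
                                    "ToolPane.aspx POST with SignOut.aspx Referer (ToolShell)",
                                    stem + "?" + query))
    return findings


def hunt_text(log_text: str) -> List[Finding]:
    """Convenience wrapper: hunt over the text of one log file."""
    return hunt(parse_iis(log_text.splitlines()))


if __name__ == "__main__":
    for f in hunt_text(SAMPLE_LOG):
        print(f"{f.time} {f.client_ip} {f.indicator}: {f.uri}")
```

Run against the sample, the script flags the two requests from 203.0.113.7 and nothing else. The fourth line, a normal web part edit by an internal user, is deliberately not flagged: ToolPane.aspx is an ordinary SharePoint page, and it is the anomalous Referer, not the path, that separates the bypass from legitimate use. A hit means the server was exploited before it was patched, and in that case applying KB5002754 or its siblings is not sufficient on its own: the web shell exists to read the ASP.NET machine keys, which let an attacker keep signing malicious payloads after the patch, so Microsoft’s guidance also required rotating those keys and restarting IIS.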
