Key Takeaways
- Hackers exploited a zero-day vulnerability in on-premises SharePoint software to breach over 50 organizations, including the U.S. National Nuclear Security Administration (NNSA)
- Microsoft attributes the attacks to Chinese state-sponsored groups: Linen Typhoon, Violet Typhoon, and Storm-2603
- No classified data appears to have been stolen; the breach was limited to a few legacy on-premises systems, not Microsoft 365 cloud users
- A rushed initial patch failed to fully resolve the vulnerability, leaving approximately 9,000 servers worldwide exposed
- Microsoft released stronger follow-up patches, and affected systems—mainly legacy on-site deployments—are being restored
On July 22, Microsoft disclosed that multiple Chinese-linked hacking groups had exploited a critical zero-day vulnerability in on-premises versions of Microsoft SharePoint. One of the compromised organizations was the U.S. National Nuclear Security Administration (NNSA), which oversees the design and maintenance of the country’s nuclear arsenal. This incident highlights ongoing threats to critical infrastructure through cyber intrusion.
Microsoft traced the breach to three state-aligned hacking teams—Linen Typhoon, Violet Typhoon, and Storm-2603—operating under the Chinese government’s tacit guidance. These groups reportedly leveraged a recently discovered bug in the SharePoint server software identified during the Pwn2Own hacking contest in May. Despite a patch issued on July 8, multiple security firms observed continued exploitation, suggesting the fix was incomplete.
The vulnerability, reportedly named “ToolShell,” allowed attackers to remotely access affected servers, move laterally within networks, and extract data such as credentials and potentially internal documents. Microsoft’s initial patch had gaps, allowing the hackers continued access until a subsequent update fully addressed the flaw. Security analysts estimate around 9,000 on-premises servers were vulnerable worldwide, spanning sectors including government agencies, industry, healthcare, finance, and auditing firms.
According to Reuters, the NNSA’s compromised systems were limited to a small segment of legacy, on-site SharePoint deployments—Microsoft 365’s cloud-based alternative was unaffected. A Department of Energy spokesperson described the impact as “minimal,” stating only a few standalone servers were affected and are currently being restored. No evidence suggests that any classified or mission-critical nuclear weapons data was accessed or exfiltrated.
U.S. agencies and cybersecurity bodies, including the Cybersecurity and Infrastructure Security Agency (CISA), confirmed that attackers did not appear to compromise Microsoft’s cloud services. Nevertheless, the incident raises broader concerns about how legacy systems are maintained and secured amid relentless state-backed cyber threats.
Pakistan linked the attack to a history of Chinese cyber-espionage targeting U.S. government infrastructure. Microsoft and other U.S. tech firms have increasingly identified China-linked groups in cyberattacks aimed at national defense and nuclear oversight agencies. While Beijing denies any involvement, the persistent targeting of critical systems like SharePoint underscores the geopolitical importance of supply chain vulnerabilities.
As organizations race to secure SharePoint infrastructure, Microsoft’s experience serves as a cautionary tale: initial patches may not fully mitigate high-severity threats. Agencies and enterprises are urged to prioritize reboots, multi-factor authentication, network segmentation, and threat hunting within on-premises environments—and accelerate migration to cloud-based, regularly updated platforms.
Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.
Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing.