Chinese hackers breach US Nuclear Agency in Microsoft SharePoint cyberattack

The U.S. National Nuclear Security Administration (NNSA) and other federal agencies have been breached in a widespread cyberattack exploiting a zero-day vulnerability in Microsoft SharePoint. Attributed to Chinese state-linked hackers, the intrusion compromised hundreds of systems and sparked urgent security responses across government networks.

What happened 

A major cyber-espionage campaign exploited critical zero-day vulnerabilities in on-premises Microsoft SharePoint servers using an exploit chain nicknamed ToolShell. Attackers chained an authentication bypass with a remote code execution flaw, allowing them to run code on the servers without any credentials and to steal the servers' cryptographic keys.

Among the victims was the U.S. National Nuclear Security Administration (NNSA), the agency responsible for maintaining the nation's nuclear arsenal, as well as the National Institutes of Health and other federal and international organizations. 

Going deeper

The SharePoint cyberattack campaign began around July 7, 2025, exploiting a zero-day vulnerability now tracked as CVE-2025-53770. According to Bleeping Computer, researchers from Eye Security and Check Point estimate that more than 400 servers across over 100 organizations were compromised. Among those affected were high-profile U.S. government agencies, including the National Institutes of Health (NIH) and the National Nuclear Security Administration (NNSA), which oversees the U.S. nuclear weapons stockpile. 

The attackers uploaded a malicious web shell named spinstall0.aspx to vulnerable on-premises SharePoint servers. Rather than acting as a conventional command shell, it dumps the server's ASP.NET machine keys (the ValidationKey and DecryptionKey that sign and encrypt ViewState). With those keys an attacker can forge validly signed __VIEWSTATE payloads and re-execute arbitrary code on the server at will, which gives persistent access that survives patching unless the keys are rotated. Microsoft attributed the attacks to China-affiliated threat groups, specifically Linen Typhoon, Violet Typhoon, and Storm-2603, suggesting a coordinated cyber-espionage operation. The underlying flaws had been demonstrated at the Pwn2Own Berlin contest in May 2025 and were patched in Microsoft's July Patch Tuesday release as CVE-2025-49704 and CVE-2025-49706; the in-the-wild attacks bypassed that patch, and the bypass is tracked as CVE-2025-53770 and CVE-2025-53771, raising concerns that the original fix was incomplete. While the Department of Energy confirmed that the NNSA was among the targets, it emphasized that the number of affected systems was small and that its use of cloud-based services limited the impact. No classified data was reportedly accessed.
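As an added example (this is not code from the article, from Microsoft, or from the researchers it cites), the following Python script hunts IIS W3C logs for the two request-level indicators Microsoft published for this campaign: a POST to ToolPane.aspx in edit mode whose Referer is the SignOut page, and any request for the spinstall0.aspx web shell. The log lines, host names and IP addresses are constructed for the example, and the file-name pattern that also accepts a suffix after "spinstall" is an assumption made to cover renamed variants of the shell reported by responders.

```python
"""Hunt IIS W3C logs for the ToolShell (CVE-2025-53770) request indicators.

Indicators (from Microsoft's public guidance on this campaign):
  * POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of
    /_layouts/SignOut.aspx  -> the exploit request itself
  * any request for spinstall0.aspx (or a suffixed variant) -> the web shell
    that dumps the ASP.NET machine keys
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qs

# Constructed sample log (not real data). Column order follows the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 GET /sites/eng/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 https://sp.example.local/ 200
2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 14:03:42 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 14:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.21 Mozilla/5.0 https://sp.example.local/_layouts/15/settings.aspx 200
"""

TOOLPANE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
# spinstall0.aspx is the name seen in this campaign; the optional suffix is an
# assumption that covers the renamed variants reported by responders.
WEBSHELL = re.compile(r"^spinstall[a-z0-9]*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    indicator: str
    client_ip: str
    request: str


def parse_w3c(log_text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) per entry, naming columns from the #Fields line."""
    fields: List[str] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-map columns
        yield line_no, dict(zip(fields, values))


def is_toolshell_post(rec: Dict[str, str]) -> bool:
    """Exploit request: POST to ToolPane.aspx in edit mode, referred from SignOut."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if not TOOLPANE.search(rec.get("cs-uri-stem", "")):
        return False
    query = {k.lower(): v for k, v in
             parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True).items()}
    if "edit" not in [v.lower() for v in query.get("displaymode", [])]:
        return False
    # The discriminator: a real web-part edit is never referred from the sign-out
    # page, so this check leaves the legitimate admin POST in the sample alone.
    return rec.get("cs(Referer)", "").lower().endswith("/_layouts/signout.aspx")


def hunt(log_text: str) -> List[Finding]:
    """Return one Finding per indicator hit, in log order."""
    findings: List[Finding] = []
    for line_no, rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        request = f"{rec.get('cs-method', '-')} {stem}" + ("" if query == "-" else f"?{query}")
        client = rec.get("c-ip", "-")
        if is_toolshell_post(rec):
            findings.append(Finding(line_no, "toolpane-post-signout-referer", client, request))
        if WEBSHELL.match(stem.rsplit("/", 1)[-1]):
            findings.append(Finding(line_no, "spinstall-webshell-request", client, request))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.indicator} from {f.client_ip}: {f.request}")
```

Run against the constructed log, the script flags only the two requests from 203.0.113.7; the later POST to ToolPane.aspx by CORP\bob is an ordinary page edit and is left alone because its Referer is a normal settings page. The Referer check is what keeps this rule usable on a busy farm, since POSTs to ToolPane.aspx on their own are routine. A hit on either indicator means the machine keys should be treated as stolen and rotated, not merely that the patch is missing.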

What was said 

Ben Dietderich, Press Secretary for the U.S. Department of Energy (DOE), confirmed the breach and emphasized its limited scope. “On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA,” he stated. “A very small number of systems were impacted. All impacted systems are being restored.”

Microsoft also acknowledged the incident and attributed the attack to Chinese state-linked hacking groups. In its official communication, the company urged customers to take immediate action: “We strongly recommend that all on-premises SharePoint customers apply the latest updates and follow Microsoft’s security best practices.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded swiftly, adding the SharePoint vulnerability (CVE-2025-53770) to its Known Exploited Vulnerabilities Catalog on July 20, 2025 and requiring federal agencies to apply the necessary patches by July 21, a one-day deadline. In a statement, quoted in another Bleeping Computer article, CISA emphasized the seriousness of the threat, warning that “unpatched systems are at immediate risk of compromise.”

Meanwhile, the Chinese Embassy in Washington dismissed the accusations, calling them “groundless.” A spokesperson responded, “Identifying the source of cyberattacks is technically complex and should be based on verifiable facts. We firmly oppose any form of cyberattack and urge all parties to avoid politicizing cybersecurity issues.”

Despite the denial, U.S. officials and cybersecurity researchers maintained that the tactics, techniques, and procedures (TTPs) used in the operation closely resemble those seen in previous China-linked cyber-espionage campaigns.

In the know 

A zero-day vulnerability is a security flaw that attackers exploit before the vendor has a working patch available, whether because the vendor does not yet know about the flaw or, as in this case, because the fix it shipped turned out to be incomplete. "Zero-day" refers to the fact that defenders have had zero days to prepare before attackers begin taking advantage of it.


FAQs

What is “ToolShell”?

“ToolShell” is the name researchers gave to the exploit chain used in this campaign. It combines an authentication bypass (CVE-2025-49706) with a remote code execution flaw (CVE-2025-49704), both demonstrated at Pwn2Own Berlin and patched in July 2025; the in-the-wild attacks used variants that bypassed that patch, tracked as CVE-2025-53770 and CVE-2025-53771. Together they let an unauthenticated attacker run code on an exposed on-premises SharePoint server and, by stealing its ASP.NET machine keys, keep that access even after the server is patched.

Was any classified information stolen?

According to the Department of Energy, no classified or sensitive nuclear weapons information was accessed. The number of impacted systems was described as “very small.”

Has Microsoft issued a fix?

Yes. Microsoft has released updates for SharePoint Server 2016, 2019 and Subscription Edition and strongly urges all on-premises SharePoint users to apply them immediately. Because the attackers stole servers' ASP.NET machine keys, patching alone does not evict them: Microsoft's guidance is also to rotate the machine keys (for example with the Update-SPMachineKey PowerShell cmdlet or from Central Administration), restart IIS, and check for the spinstall0.aspx web shell and other signs of prior compromise.

What role does CISA play in this situation?

The Cybersecurity and Infrastructure Security Agency (CISA) coordinates federal responses to cyber threats. It mandated that government agencies urgently patch the flaw and added it to the Known Exploited Vulnerabilities Catalog.