A US nuclear weapons agency has become caught up in the wave of cyber attacks exploiting the recently discovered Microsoft SharePoint vulnerability.
The National Nuclear Security Administration (NNSA), a semi-autonomous part of the US Energy Department responsible for maintaining the US nuclear weapons stockpile and responding to nuclear emergencies, was one of at least 100 victims of the cyber crime wave.
Speaking with BleepingComputer, Department of Energy Press Secretary Ben Dietderich confirmed that the NNSA network was breached after threat actors exploited the Microsoft SharePoint vulnerability.
“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA,” he said.
“The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems.”
Dietderich added that the impact of the incident was limited, with only a small number of systems affected, all of which are being restored.
Agency sources also highlighted that there is no evidence that any classified information or sensitive data was exfiltrated in the breach, according to a report by Bloomberg.
There are now two active vulnerabilities being exploited by threat actors, and the finger is being pointed at Chinese state hackers.
Microsoft and a raft of security agencies around the world first began raising the alarm regarding CVE-2025-53770 – an RCE bug related to the previously disclosed CVE-2025-49706 – late last week, but since then, matters have gotten worse. Microsoft has now disclosed a second SharePoint vulnerability, CVE-2025-53771, which is also being actively exploited.
“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” Microsoft said in a 22 July blog post.
“In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.”
The threat actors have been observed deploying web shells to retrieve MachineKey data, gain full access to SharePoint content, and execute code remotely. Microsoft believes the exploitation of unpatched, on-prem SharePoint systems will only continue.
According to Microsoft, Linen Typhoon has been active since at least 2012 and is largely focused on acquiring intellectual property linked to government and defence sectors, particularly in relation to human rights and strategic planning.
Violet Typhoon, on the other hand, has been active since 2015 and is more focused on espionage, targeting former military and government employees, NGOs, higher education, media, and the healthcare sector.
Storm-2603 is, Microsoft believes, most likely linked to the People’s Republic of China, but investigations into who the group is exactly, and who they are close to, are ongoing.
“Although Microsoft has observed this threat actor deploying Warlock and LockBit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” Microsoft said.