A sophisticated Chinese state-sponsored hacking campaign exploited unpatched Microsoft SharePoint servers to infiltrate networks at the U.S. National Nuclear Security Administration (NNSA), the agency managing America's nuclear arsenal. The breach marks one of the most sensitive government compromises since the SolarWinds incident.

Critical Infrastructure Under Fire

Attackers leveraged the ToolShell vulnerability chain (CVE-2025-53770)—a remote code execution flaw in SharePoint—to gain initial access last week. While the Department of Energy confirmed "minimal impact" due to cloud migration and robust defenses, the NNSA's involvement raises alarms. Energy Department Press Secretary Ben Dietderich stated:

"Only a very small number of systems were impacted... all impacted systems are being restored. There's no evidence of sensitive or classified information compromise."

Attribution and Scale Revealed

Microsoft and Google Threat Analysis Groups attributed the attacks to the Chinese APTs Linen Typhoon and Violet Typhoon, with additional activity from a third group tracked as Storm-2603. Dutch firm Eye Security first detected the campaign, confirming at least 54 organizations breached initially. Check Point Research later traced infections back to July 7th, and Eye Security CTO Piet Kerkhofs revealed that the operation ultimately compromised over 400 servers across 148 entities, primarily government, telecom, and tech organizations in North America and Europe.

The Federal Response

Within hours of confirmation, CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, mandating federal agencies patch systems within 24 hours. This rapid directive underscores the severity of the flaw, which enables attackers to execute arbitrary code on vulnerable SharePoint instances.
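A KEV listing only helps if someone reconciles its due dates against the systems actually exposed. The script below is an added example, not code from the article or from CISA: it indexes a KEV-format JSON excerpt by CVE, computes how long CISA allowed between listing and remediation, and reports which inventory hosts are still unpatched past their deadline. The KEV field names (cveID, dateAdded, dueDate, requiredAction, vendorProject, product) are assumed to follow the public feed's schema; the feed excerpt, the inventory, the hostnames and the dates are all constructed for illustration (the SharePoint entry's dates are placeholders chosen to reflect the 24-hour window the article describes, not the real KEV record).

```python
"""Added example (not from the article): triage an asset inventory against a
CISA KEV-format feed excerpt and report hosts past their remediation deadline.

Assumptions: KEV JSON field names follow the public feed as I know it
(cveID, vendorProject, product, dateAdded, dueDate, requiredAction). The
feed excerpt, inventory, hostnames and dates below are constructed."""
import json
from datetime import date

# Constructed KEV excerpt. Only the SharePoint CVE ID comes from the article;
# dates are placeholders reflecting a one-day deadline vs. a longer one.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-53770",
            "vendorProject": "Microsoft",
            "product": "SharePoint",
            "dateAdded": "2025-07-20",   # placeholder
            "dueDate": "2025-07-21",     # placeholder, 24 hours later
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {
            "cveID": "CVE-PLACEHOLDER-0001",  # deliberately invalid, constructed entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2025-06-01",
            "dueDate": "2025-06-22",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ]
})

# Constructed inventory: what a vulnerability scanner flagged per host, and
# which of those CVEs the patch-management system has confirmed remediated.
INVENTORY = [
    {"host": "sp-web-01.example.internal", "exposed_cves": ["CVE-2025-53770"], "patched": []},
    {"host": "sp-web-02.example.internal", "exposed_cves": ["CVE-2025-53770"], "patched": ["CVE-2025-53770"]},
    {"host": "app-03.example.internal", "exposed_cves": ["CVE-PLACEHOLDER-0001"], "patched": []},
]


def load_kev(kev_json: str) -> dict:
    """Index KEV entries by CVE ID for O(1) lookup during triage."""
    feed = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def due_window_days(entry: dict) -> int:
    """Days between a CVE being listed and its remediation deadline."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def overdue_assets(kev_json: str, inventory: list, today: date) -> list:
    """Return hosts with an unremediated KEV CVE whose due date has passed,
    most overdue first. CVEs not in KEV, or already patched, are skipped."""
    kev = load_kev(kev_json)
    overdue = []
    for asset in inventory:
        for cve in asset["exposed_cves"]:
            entry = kev.get(cve)
            if entry is None or cve in asset["patched"]:
                continue
            days_late = (today - date.fromisoformat(entry["dueDate"])).days
            if days_late > 0:
                overdue.append({
                    "host": asset["host"],
                    "cve": cve,
                    "days_overdue": days_late,
                    "required_action": entry["requiredAction"],
                })
    return sorted(overdue, key=lambda row: -row["days_overdue"])


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for cve_id, entry in kev.items():
        print(f"{cve_id}: {due_window_days(entry)} day(s) allowed")
    for row in overdue_assets(KEV_SAMPLE, INVENTORY, date(2025, 7, 25)):
        print(f"{row['host']} {row['cve']} overdue by {row['days_overdue']} day(s): {row['required_action']}")
```

Feeding the real KEV JSON and a scanner export into the same two functions gives a daily list of hosts that have blown a CISA deadline, which is the report an agency would need to show it met the 24-hour directive described above.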

Echoes of SolarWinds, New Tactics

The NNSA was previously breached by Russia's APT29 during the 2020 SolarWinds campaign. This latest incident demonstrates China's evolving focus on software supply chain weaknesses—exploiting trust in foundational enterprise platforms rather than third-party vendors. As federal agencies accelerate cloud adoption (noted as a mitigating factor here), attackers pivot to compromise the connective tissue of hybrid environments.

The silent proliferation of this exploit chain—weeks before detection—reveals a sobering truth: Nation-state actors now weaponize zero-days faster than defenders can map their infrastructure exposure. While nuclear secrets remain secure this time, the breach serves as a kinetic reminder that collaboration platforms are the new frontline in cyber warfare.

Source: BleepingComputer