National Nuclear Security Administration Systems Breached in SharePoint Cyberattack
A recent global cyberattack campaign exploiting critical vulnerabilities in Microsoft’s on-premises SharePoint software has impacted several US government agencies, including the National Institutes of Health (NIH) and the National Nuclear Security Administration (NNSA).
The breaches, which began around Friday, July 18, have prompted immediate action from affected organizations and a strong response from Microsoft, which attributes the attacks to groups linked to the Chinese government.
The NNSA, a division of the Department of Energy responsible for the nation’s nuclear weapons stockpile, confirmed it was affected, but stated that only a “very small number of systems” were impacted. Notably, no classified information was compromised due to NNSA’s widespread use of Microsoft M365 cloud services and strong cybersecurity systems, as reported by Bloomberg News.
“A very small number of systems were impacted. All impacted systems are being restored,” the agency stated.
Similarly, The Washington Post reported that the NIH, a major biomedical research funder, confirmed that at least one SharePoint server system was involved, with eight servers disconnected as a precaution. While one server was compromised, there is no indication that any sensitive information was stolen.
The Washington Post also noted that the California Independent System Operator, which manages most of California’s electric grid, was targeted. The non-profit “did not confirm nor deny” the breach but confirmed taking immediate actions to contain the threat with no impact on grid reliability.
These attacks capitalize on a zero-day vulnerability in Microsoft SharePoint. Hackread.com has extensively covered this issue, Microsoft’s investigation, and the subsequent patches in its recent reports.
What is known so far is that the vulnerabilities, identified as CVE-2025-49706, CVE-2025-49704, and a variant CVE-2025-53770, allow for network spoofing and remote code execution, giving unauthorized actors full access to SharePoint content, including file systems and internal configurations. These particular flaws affect SharePoint deployments hosted directly by customers, rather than Microsoft’s cloud-based SharePoint Online.
Microsoft has identified three distinct hacking groups, “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603,” all linked to the Chinese government, as being behind these exploitations. These groups are known for targeting government, business, and educational institutions worldwide. The FBI and other relevant agencies are currently investigating the full extent of the compromise.
A Chinese Foreign Ministry spokesperson, when asked about the accusations, stated that China “opposes and fights hacking activities in accordance with the law” and “oppose smears and attacks against China under the excuse of cybersecurity issues.”
Nevertheless, this incident intensifies scrutiny on Microsoft’s security protocols, especially given past criticisms regarding its core products’ vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) is also facing criticism.
The agency is reportedly facing budget cuts and high staff turnover, which have possibly hampered the timely dissemination of threat warnings to state and local entities, leaving them more susceptible to such pervasive cyber campaigns.