US Nuclear Weapons Agency Breached by Hackers Using SharePoint 0-Day Vulnerability
The National Nuclear Security Administration (NNSA) has fallen victim to a cyber attack exploiting a previously unknown vulnerability in Microsoft SharePoint, marking one of the most significant security breaches targeting critical US defense infrastructure this year.
Chinese government-affiliated hacking groups used a zero-day exploit against on-premises SharePoint installations to infiltrate more than 50 organizations, including the agency responsible for maintaining the Navy’s nuclear submarine reactors.
Key Takeaways
1. Chinese hackers breached the US National Nuclear Security Administration (NNSA) via a SharePoint zero-day exploit.
2. No classified data was stolen, which officials attribute to the agency’s use of cloud-based systems.
3. Immediate SharePoint updates are required.
NNSA SharePoint Attack
The NNSA, responsible for providing nuclear reactors to the US Navy’s submarine fleet and maintaining America’s nuclear weapons stockpile, became collateral damage in what security researchers describe as a sophisticated remote code execution (RCE) exploit.
The vulnerability, affecting SharePoint Server versions 2019 and Subscription Edition, allows attackers to bypass authentication mechanisms and execute arbitrary code on target systems.
According to a Bloomberg news report, the attack vector exploited a deserialization vulnerability combined with an authentication bypass flaw, both of which were initially demonstrated at the Pwn2Own Vancouver hacking contest in May 2024.
The exploit chain enables threat actors to gain unauthorized access to SharePoint servers, extract sensitive data, harvest user credentials, and potentially pivot to connected network infrastructure.
Fortunately, Department of Energy officials confirmed that no classified or sensitive nuclear information was compromised during the incident.
The agency’s Microsoft 365 cloud migration strategy appears to have limited the attack’s impact, as the zero-day specifically targets on-premises SharePoint deployments rather than the cloud-based SharePoint Online service.
“The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems,” stated a DOE spokesperson.
Microsoft’s Response
Microsoft has released emergency security patches addressing the vulnerability across all affected SharePoint Server versions.
The company’s Security Response Center (MSRC) issued critical security bulletins urging immediate patch deployment, emphasizing the CVSS 9.8 severity rating assigned to this exploit chain.
The incident highlights growing concerns about supply chain security and the risks posed by on-premises enterprise software installations.
Cybersecurity experts warn that the sophisticated nature of this attack demonstrates the evolving capabilities of advanced persistent threat (APT) groups in exploiting zero-day vulnerabilities before vendors can develop patches.
Organizations running on-premises SharePoint environments are advised to apply Microsoft’s security updates immediately and to conduct comprehensive incident response assessments to identify potential indicators of compromise, since patching closes the entry point but does not remove an attacker who gained access before the update was installed.