Bivash Nayak
24 Jul

The incident involves Chinese state-sponsored hacking groups exploiting critical vulnerabilities in on-premises Microsoft SharePoint Server to breach the U.S. National Nuclear Security Administration (NNSA), part of the Department of Energy (DOE). Confirmed by Microsoft and independent researchers, the attacks began as early as July 7, 2025, and targeted global organizations for espionage, with some escalating to ransomware. No classified data was compromised at NNSA, as sensitive systems are isolated in cloud environments with additional protections like hardware security modules (HSMs). However, the broader campaign has impacted over 400 organizations worldwide, including government, defense, energy, and financial sectors. The primary actors are Linen Typhoon (APT27) and Violet Typhoon (APT31), both Chinese state-backed, alongside the China-based Storm-2603. Microsoft has released patches and remediation guidance, while international efforts (e.g., via CISA and Europol) urge immediate action to mitigate ongoing exploits.

Key facts from reports:

  • Actors Involved: Linen Typhoon (focused on IP theft from government/defense since 2012), Violet Typhoon (espionage on ex-officials/NGOs since 2015), and Storm-2603 (ransomware deployment, medium confidence China-linked). Microsoft stated, "Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems."
  • Vulnerabilities Exploited: CVE-2025-53770 (deserialization RCE, CVSS 9.8) and CVE-2025-53771 (spoofing/path traversal, CVSS 6.5), bypassing earlier fixes (CVE-2025-49704/49706). Attacks use POST requests to ToolPane for auth bypass, leading to webshell deployment (e.g., spinstall0.aspx) and MachineKey theft for persistence.
  • Breach Details at NNSA: Hackers gained access to on-premises systems, but "No sensitive or classified information is known to have been compromised." NNSA's cloud-hosted sensitive workloads remained secure. DOE confirmed the breach but noted no classified exfiltration.
  • Global Impact: Over 400 organizations breached, per Eye Security's scans of 8,000+ exposed servers, with the count expected to grow: "We expect it may continue to rise as investigations progress." Sectors: government (e.g., US, EU), defense, human rights. Some attacks escalated to Warlock/LockBit ransomware deployed via GPOs.
  • Responses and Mitigations: Microsoft issued out-of-band patches and guidance: apply the updates, rotate MachineKeys, enable AMSI/Defender in Full Mode, and restart IIS. "It's critical to understand that multiple actors are now actively exploiting this vulnerability." CISA added the CVEs to its KEV catalog; authorities (e.g., Dutch) disrupted activity. China denied involvement: "We hope that relevant parties will adopt a professional and responsible attitude."
| Aspect | Details | Recommendations |
| --- | --- | --- |
| Actors | Linen Typhoon (APT27: IP theft), Violet Typhoon (APT31: espionage), Storm-2603 (ransomware) | Monitor for China-linked IOCs; use EDR for behavioral detection. |
| Vulnerabilities | CVE-2025-53770 (RCE), CVE-2025-53771 (spoofing); on-premises only | Patch immediately; rotate keys via Set-SPMachineKey PowerShell. |
| NNSA Impact | Access gained; no classified data stolen | Isolate unpatched servers; scan for webshells like spinstall0.aspx. |
| Global Scale | 400+ orgs (gov, defense, NGOs); potential ransomware | Enable AMSI Full Mode; hunt with Microsoft Defender queries. |
| Responses | Microsoft patches/guidance; CISA KEV addition | Migrate to SharePoint Online; audit exposed servers. |
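The two indicators the post names (POST requests to ToolPane used for the auth bypass, and the spinstall0.aspx webshell) can be hunted directly in IIS access logs. The following is an added triage script, not code from the post or from Microsoft; the log lines are constructed, the `/_layouts/15/` path is the standard SharePoint layouts path, and treating an empty `cs-username` as "unauthenticated" is an assumption about how the bypass shows up in W3C logs.

```python
"""Scan IIS W3C access logs for the ToolShell indicators named in the post:
unauthenticated POSTs to ToolPane.aspx and any request for spinstall0.aspx."""

# Constructed sample log (not from a real incident); client addresses use
# documentation ranges. The last line is a legitimate, authenticated edit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-07-08 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - DOMAIN\\alice 10.0.0.20 200
2025-07-08 03:12:51 10.0.0.5 POST /_layouts/15/ToolPane.aspx - - 198.51.100.7 200
2025-07-08 03:13:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - - 198.51.100.7 200
2025-07-08 03:15:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - DOMAIN\\bob 10.0.0.21 200
"""


def parse_iis(text):
    """Yield one dict per request line; column names come from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated/malformed lines
            yield dict(zip(fields, values))


def find_toolshell_indicators(text):
    """Return (reason, client_ip, uri_stem) tuples that warrant investigation."""
    hits = []
    for r in parse_iis(text):
        stem = r.get("cs-uri-stem", "").lower()
        user = r.get("cs-username", "-")
        ip = r.get("c-ip", "?")
        # Auth bypass: POST to ToolPane with no authenticated user recorded
        # (assumption: the bypass leaves cs-username empty, logged as "-").
        if r.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx") and user == "-":
            hits.append(("unauthenticated POST to ToolPane", ip, r["cs-uri-stem"]))
        # Webshell: any hit on the file name reported in the campaign.
        if stem.endswith("/spinstall0.aspx"):
            hits.append(("request for spinstall0.aspx webshell", ip, r["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for reason, ip, uri in find_toolshell_indicators(SAMPLE_LOG):
        print(f"{ip:15} {reason}: {uri}")
```

Authenticated POSTs to ToolPane are normal page-edit traffic and are deliberately not flagged; review them separately when they originate from unexpected client addresses. Treat a hit as a reason to check the MachineKey rotation and webshell scan the post recommends, not as proof of compromise on its own.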