Ethical Hacking News

The Unholy Union of Security Breach and Government Intrigue: A Microsoft SharePoint Nightmare



In a shocking turn of events, the National Nuclear Security Administration (NNSA) has been breached by unknown threat actors who exploited a recently patched Microsoft SharePoint zero-day vulnerability chain known as ToolShell. This breach highlights the ongoing cat-and-mouse game between security professionals and malicious hackers, emphasizing the need for continuous vigilance and proactive security strategies to prevent such breaches from occurring in the first place.

  • The National Nuclear Security Administration (NNSA) was breached by threat actors who exploited the recently patched Microsoft SharePoint zero-day vulnerability chain known as ToolShell.
  • The breach occurred in mid-July 2025 and affected only a small number of systems, all of which are being restored as part of recovery efforts.
  • Microsoft has attributed the wider exploitation campaign against internet-facing SharePoint servers to Chinese nation-state groups tracked as Linen Typhoon, Violet Typhoon and Storm-2603; the actor behind the NNSA intrusion has not been publicly named.
  • Eye Security initially counted at least 54 compromised organizations, including national government entities and multinational companies, most of which had already been compromised for some time before they were identified.
  • The true number is believed to be much larger: Check Point traced signs of exploitation back to July 7th.
  • Eye Security later reported at least 400 servers infected with malware and 148 organizations breached worldwide.



    The National Nuclear Security Administration (NNSA), a semi-autonomous U.S. government agency responsible for maintaining the country's nuclear weapons stockpile, has been breached by threat actors who exploited the recently patched Microsoft SharePoint zero-day vulnerability chain known as ToolShell. The intrusion took place in mid-July 2025.

    The Department of Energy (DoE), NNSA's parent department, confirmed that hackers gained access to NNSA networks on Friday, July 18th, through exploitation of the zero-day chain. According to Ben Dietderich, Press Secretary for the DoE, "the Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems." Only a small number of systems were affected, and all of them are being restored as part of the recovery effort.

    This is not the first nation-state intrusion to reach NNSA. The agency was among the U.S. government organizations compromised in the SolarWinds supply-chain attack disclosed in December 2020, in which the Russian state-sponsored group APT29 distributed a trojanized SolarWinds Orion update. That earlier incident is unrelated to the SharePoint vulnerability chain and involved a different actor.

    In the SharePoint campaign, Microsoft attributed the exploitation to Chinese nation-state groups tracked as Linen Typhoon and Violet Typhoon, together with a third China-based actor it tracks as Storm-2603. According to Microsoft's statement, these actors exploited the vulnerabilities against internet-facing SharePoint servers.

    The full extent of the damage is still unclear. Cybersecurity firm Eye Security reported that at least 54 organizations had been compromised, including national government entities and multinational companies, most of them already compromised for some time before the activity was detected. The number of affected organizations is believed to be much larger: Check Point spotted signs of exploitation going back to July 7th, targeting dozens of government, telecommunications and technology organizations in North America and Western Europe.

    Eye Security CTO Piet Kerkhofs has since reported that the threat actors behind these attacks have infected at least 400 servers with malware and breached 148 organizations worldwide.

    Microsoft has linked the exploitation to the Chinese nation-state hacking groups Linen Typhoon, Violet Typhoon and Storm-2603. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2025-53770 remote code execution flaw to its Known Exploited Vulnerabilities catalog, ordering U.S. federal agencies to secure their systems within a day.
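    The one-day KEV deadline is a concrete operational task: enumerate every SharePoint server in the estate, rank the internet-facing ones first, and work out which were only fixed after the due date and so spent time exposed while exploitation was under way. The following Python script is an added example written for this article, not code from any source cited here. It parses a catalog excerpt written in the field layout of CISA's KEV JSON feed and joins it against an asset inventory; the KEV excerpt (including its placeholder second entry with a made-up identifier), the hostnames and their patch dates are all constructed for the example.

```python
"""Triage SharePoint hosts against a CISA KEV deadline (added example)."""
import json
from datetime import date

# Constructed excerpt in the field layout of CISA's KEV JSON feed. Values are
# typed in for this example; the second entry is a placeholder, not a real CVE.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-53770",
            "vendorProject": "Microsoft",
            "product": "SharePoint",
            "vulnerabilityName": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
            "dateAdded": "2025-07-20",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-07-21",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry so the filter has something to skip",
            "dateAdded": "2025-07-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2025-07-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory: product, internet exposure, and the date the
# vendor fix was confirmed installed (None means still unpatched).
INVENTORY = [
    {"host": "sp-extranet-01", "product": "SharePoint", "internet_facing": True,  "patched_on": None},
    {"host": "sp-intranet-02", "product": "SharePoint", "internet_facing": False, "patched_on": "2025-07-22"},
    {"host": "sp-extranet-03", "product": "SharePoint", "internet_facing": True,  "patched_on": "2025-07-21"},
    {"host": "mail-01",        "product": "Exchange",   "internet_facing": True,  "patched_on": None},
]

# Lower rank sorts first: unpatched past the deadline is the worst case.
STATUS_RANK = {"overdue": 0, "due": 1, "patched_late": 2, "patched": 3}


def load_kev(raw_json):
    """Parse a KEV-format document into {cveID: entry} with dueDate as a date."""
    catalog = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        rec = dict(entry)
        rec["dueDate"] = date.fromisoformat(entry["dueDate"])
        catalog[entry["cveID"]] = rec
    return catalog


def matching_kev(catalog, product):
    """KEV entries whose product field names this inventory product (case-insensitive)."""
    needle = product.lower()
    return [e for e in catalog.values() if needle in e["product"].lower()]


def classify(asset, entry, today):
    """Compliance status of one host for one KEV entry as of `today`."""
    due = entry["dueDate"]
    if asset["patched_on"] is None:
        return "overdue" if today > due else "due"
    # Patched after the due date: the host stayed exposed to in-the-wild
    # exploitation while a fix existed, so it needs more than a patch.
    return "patched" if date.fromisoformat(asset["patched_on"]) <= due else "patched_late"


def triage(kev_json, inventory, today_iso):
    """Return findings for every host that matches a KEV entry, worst first."""
    today = date.fromisoformat(today_iso)
    catalog = load_kev(kev_json)
    findings = []
    for asset in inventory:
        for entry in matching_kev(catalog, asset["product"]):
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "internet_facing": asset["internet_facing"],
                "due": entry["dueDate"].isoformat(),
                "status": classify(asset, entry, today),
            })
    # Worst status first, internet-facing before internal, then by hostname.
    findings.sort(key=lambda f: (STATUS_RANK[f["status"]], not f["internet_facing"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, "2025-07-23"):
        print(f"{f['status']:<13} {f['host']:<16} internet-facing={f['internet_facing']} "
              f"cve={f['cve']} due={f['due']}")
```

    Because ToolShell was exploited before the fix shipped, "patched" here means only that the deadline was met; any host that was reachable from the internet during the exploitation window described above still merits a compromise assessment, not just a patch-state check.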

    This attack is a reminder that no organization is immune, however robust its defenses appear: a department that credits its M365 cloud adoption for limiting the damage still saw self-hosted SharePoint systems compromised. Because exploitation of this chain predates the patch, internet-facing SharePoint servers should be treated as a priority both for patching and for checking whether they were already compromised before the fix was applied.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Unholy-Union-of-Security-Breach-and-Government-Intrigue-A-Microsoft-SharePoint-Nightmare-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-hacked-in-microsoft-sharepoint-attacks/


  • Published: Wed Jul 23 22:39:52 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.