Unknown threat actors have reportedly breached the National Nuclear Security Administration’s network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.
NNSA is a semi-autonomous U.S. government agency within the Energy Department that maintains the country’s nuclear weapons stockpile and is also tasked with responding to nuclear and radiological emergencies within the United States and abroad.
A Department of Energy spokesperson confirmed in a statement that hackers gained access to NNSA networks last week.
“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy,” the spokesperson told Bloomberg. “The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems.”
The agency added that only “a very small number of systems were impacted” and that “all impacted systems are being restored.”
An anonymous source with the agency also noted that no sensitive or classified information is believed to have been compromised in the breach.
The APT29 Russian state-sponsored threat group, the hacking division of the Russian Foreign Intelligence Service (SVR), also breached the U.S. nuclear weapons agency in 2019 using a trojanized SolarWinds Orion update.
An Energy Department spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Attacks linked to Chinese state hackers, over 400 servers breached
On Tuesday, Microsoft and Google linked the widespread attacks targeting a Microsoft SharePoint zero-day vulnerability chain (known as ToolShell) to Chinese state-sponsored hacking groups.
“Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers,” Microsoft said.
“In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.”
Dutch cybersecurity firm Eye Security first detected the zero-day attacks on Friday, stating that at least 54 organizations had already been compromised, including national government entities and multinational companies.
Cybersecurity firm Check Point later revealed that it had spotted signs of exploitation going back to July 7th targeting dozens of government, telecommunications, and technology organizations in North America and Western Europe.
Since then, Eye Security CTO Piet Kerkhofs told BleepingComputer that the number of compromised entities, “most of them already compromised for some time already,” is much larger. According to the cybersecurity company’s statistics, the threat actors behind these attacks have already infected at least 400 servers with malware and breached 148 organizations worldwide.
CISA also added the CVE-2025-53770 remote code execution flaw, part of the ToolShell exploit chain, to its catalog of exploited vulnerabilities, ordering U.S. federal agencies to secure their systems within a day.