China-Backed Hackers Breach US Nuclear Agency in Microsoft SharePoint Attack

Chinese hackers have breached Microsoft SharePoint servers for the agency maintaining the U.S.'s collection of nuclear weapons. Photo: U.S. Energy.

Washington, D.C. – Suspected China-backed cybercriminals have reportedly exploited vulnerabilities in Microsoft’s SharePoint software, breaching systems belonging to the US National Nuclear Security Administration (NNSA), the agency entrusted with maintaining and modernizing the nation’s nuclear weapons stockpile. The incident, which came to light through a Microsoft warning and subsequent reports, underscores ongoing concerns about cyber threats targeting critical government infrastructure.

According to Bloomberg News, the NNSA, a semi-autonomous agency operating under the Department of Energy, was among numerous targets impacted by the alleged hack. While a source familiar with the situation indicated on Tuesday that no sensitive or classified information was known to have been stolen, the breach was made possible by exploiting a flaw in Microsoft’s SharePoint document management software.

“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy,” an agency spokesman told The Post. “The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored.”

The breaches are believed to have been ongoing since at least July 7, according to Adam Meyers, senior vice president at CrowdStrike, a cybersecurity firm collaborating with Microsoft on cyber threat mitigation. Meyers noted to Bloomberg News that “The early exploitation resembled government-sponsored activity, and then spread more widely to include hacking that ‘looks like China’.” CrowdStrike’s investigation into the campaign is still underway.

Microsoft identified two known cyber-criminal organizations, Linen Typhoon and Violet Typhoon, in the scheme. Bloomberg/Getty Images

Widespread Impact Reported Across Multiple Nations

A Dutch cybersecurity firm, Eye Security, initially estimated around 60 entities were impacted but has since revised its assessment, now suggesting that approximately 400 government agencies worldwide have been affected. These include organizations in the US, Mauritius, Jordan, South Africa, and the Netherlands.

Vaisha Bernard of Eye Security confirmed in an email that their firm has identified 400 confirmed compromised SharePoint servers globally, with the majority located in the US, Netherlands, Germany, France, Vietnam, Australia, Canada, and the UAE. While Eye Security cannot definitively confirm an NNSA breach, Bernard stated they have identified compromised US government servers. “We estimate that the real number might be much higher as there can be many more hidden ways to compromise servers that do not leave traces,” Bernard told The Post via email, further adding in an email to Bloomberg News, “This is still developing, and other opportunistic adversaries continue to exploit vulnerable servers.”

Microsoft, in a blog post, identified two purported cyber-criminal organizations – Linen Typhoon and Violet Typhoon – as exploiting flaws in Microsoft software that customers run on their own networks (on-premises SharePoint) rather than in the more secure cloud environment. The company also pointed to a third China-based group, Storm-2603, as engaging in similar activity, warning that customers running these on-premises deployments are at risk of data compromise.

Beyond Nuclear Security – A Broad Attack Surface

Microsoft SharePoint, a platform vital for storing, organizing, sharing, and managing internal web content, proved to be a critical entry point for the attackers. The NNSA was not the sole target in this extensive cyberattack. Other victims reportedly include the US Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly. Internationally, governments across Europe and the Middle East have also faced similar targeting. Cybersecurity researchers have detected breaches on over 100 servers, affecting at least 60 victims across various sectors, including energy, consulting, and academia.

This photo shows the first B61-13 HiFi nuclear bomb unit being built in Albuquerque this year. Craig Fritz/Sandia National Labs/SWNS.

Microsoft has released patches for these vulnerabilities in recent days, but the company expressed concern that threat actors will likely continue to exploit these flaws in future attacks. “We have high confidence that threat actors will continue to integrate them into their attacks,” Microsoft stated in its blog post.

The Chinese embassy has denied involvement, with a spokesperson stating, “China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”

Michael Sikorski - CTO & VP Engineering, Unit 42, Palo Alto Networks.

Grave Concerns Among Cybersecurity Experts

Cybersecurity experts are voicing grave concerns about the severity of the threat. Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks Inc., described the situation as a “high-severity, high-urgency threat.” He particularly highlighted the risks associated with SharePoint’s deep integration with the broader Microsoft ecosystem, which encompasses services such as Office, Teams, OneDrive, and Outlook – all of which contain valuable data for attackers.

Eye Security’s analysis revealed that the exploited flaws allowed hackers to gain access to SharePoint servers and steal authentication keys, which could enable them to impersonate users or services even after security patches are applied.
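To make concrete why Eye Security's point about stolen authentication keys matters to defenders, here is an added Python sketch (not code from the article, from Microsoft or from SharePoint) modelling a server that signs session tokens with an HMAC key: once that key has been copied, patching the exploited flaw leaves every token minted with the copy still valid, and only rotating the key rejects them. The server class, token format and claim names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def sign_token(key: bytes, claims: dict) -> str:
    """Issue a token: base64(claims) plus an HMAC-SHA256 tag under the server key."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the tag verifies under the current key, else None."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class SharePointLikeServer:
    """Constructed stand-in for a server whose signing key lives on disk."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.patched = False

    def rotate_key(self) -> None:
        # The only step that invalidates tokens minted with a stolen copy of the key.
        self.key = secrets.token_bytes(32)

    def accepts(self, token: str) -> bool:
        return verify_token(self.key, token) is not None


def post_patch_scenario() -> tuple:
    """Returns (accepted_after_patch, accepted_after_rotation) for a token made with the leaked key."""
    srv = SharePointLikeServer()
    leaked_key = srv.key          # constructed: key copied off the server during the intrusion
    srv.patched = True            # the patch closes the exploit path and nothing else
    token = sign_token(leaked_key, {"user": "svc-admin", "role": "admin"})
    accepted_after_patch = srv.accepts(token)      # still valid: same key on the server
    srv.rotate_key()
    accepted_after_rotation = srv.accepts(token)   # rejected once the key is rotated
    return accepted_after_patch, accepted_after_rotation
```

The takeaway for incident responders is that applying the vendor patch is necessary but not sufficient; key rotation has to be part of the remediation.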

Despite Microsoft’s ongoing efforts to enhance its security measures, including hiring executives from government agencies and holding weekly security meetings, these recent breaches have drawn renewed scrutiny. This comes after the US government issued a report last year that was critical of Microsoft’s security culture.