U.S. Nuclear Agency Breached by Chinese Hackers via a Microsoft Court Decision
In an increasingly interconnected world, digital defense has become a country's first line of protection, and the recent state-sponsored Chinese cyberattack on the U.S. nuclear agency is a stark reminder of this reality.
The attack, which exploited critical vulnerabilities in Microsoft SharePoint, has raised alarm among national defense experts. No classified information was compromised, but the breach has highlighted the evolving tactics of international cyberespionage.
The Chinese embassy in Washington has denied any involvement in the attack, reiterating that the country "opposes and combats hacking activities in accordance with the law". However, experts suggest that the ability to penetrate an agency like the National Nuclear Security Administration (NNSA) reflects a qualitative change in the offensive capabilities of international cyberespionage.
The attack is reminiscent of previous breaches in Microsoft Exchange servers in 2021 and 2023, also attributed to Chinese groups. This latest attack exploited two critical flaws in Microsoft SharePoint: CVE-2025-53770 and CVE-2025-53771. These vulnerabilities allow threat actors to upload malicious files, extract cryptographic keys, and forge authentication tokens to maintain persistent, undetectable access.
The U.S. nuclear agency is among the confirmed targets, alongside multiple on-premises Microsoft SharePoint environments worldwide. The attack is known to affect on-premises SharePoint versions such as SharePoint Subscription Edition, SharePoint 2019, and soon SharePoint 2016 (pending patch). Given SharePoint’s deep integration with Microsoft platforms like Office, Teams, OneDrive, and Outlook, a compromised SharePoint server can give attackers a foothold that spans multiple organizational systems.
The attack is attributed to Chinese threat actors exploiting these SharePoint vulnerabilities in active, ongoing campaigns targeting sensitive U.S. government entities, notably the nuclear agency. This aligns with classified reporting and public alerts issued by agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), which track the evolving tactics of these adversaries.
To mitigate the threat, CISA recommends immediate application of Microsoft’s security patches, enhanced endpoint detection and response solutions, antivirus updates, and monitoring for deployment of web shells and suspicious activity around SharePoint endpoints. Network administrators should audit and block unauthorized POST requests targeting /_layouts/15/ToolPane.aspx and monitor for the presence of malicious files like spinstall0.aspx. Rotating validation and decryption keys, if possible, can also help invalidate stolen cryptographic secrets. Implementing strict network segmentation and limiting SharePoint server exposure to untrusted networks can reduce the attack surface.
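A minimal detection pass over IIS request logs that implements the two checks listed above (POST requests to /_layouts/15/ToolPane.aspx and requests for a file named spinstall0.aspx). This is an added example, not code from the article, CISA or Microsoft; the log lines, the field layout and the client addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Field order of the constructed IIS W3C log below (a real log declares
# its order in a "#Fields:" header; adjust FIELDS to match yours).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "c-ip", "sc-status"]

# Constructed sample log: not real telemetry. Line 1 is a normal GET to
# ToolPane.aspx (not flagged); lines 2, 3 and 5 should be flagged.
SAMPLE_LOG = """\
2025-07-19 03:14:07 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 203.0.113.7 200
2025-07-19 03:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 203.0.113.7 200
2025-07-19 03:14:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.7 200
2025-07-19 03:15:02 10.0.0.5 GET /sites/hr/Shared%20Documents/policy.docx - 443 192.168.1.20 200
2025-07-19 03:16:40 10.0.0.5 POST /sites/hr/_LAYOUTS/15/toolpane.aspx - 443 198.51.100.9 500
"""

TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"      # compared case-insensitively
WEBSHELL_NAMES = {"spinstall0.aspx"}                # file name named in the article

@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str
    uri: str

def parse_line(raw: str):
    """Split one W3C log line into a dict keyed by FIELDS; None if malformed."""
    parts = raw.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def scan_iis_log(text: str) -> list[Finding]:
    """Return one Finding per suspicious request, in log order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        rec = parse_line(raw)
        if rec is None:
            continue
        stem = rec["cs-uri-stem"].lower()
        # ToolPane.aspx is also reachable under site-relative paths, so match the suffix.
        if rec["cs-method"].upper() == "POST" and stem.endswith(TOOLPANE_SUFFIX):
            findings.append(Finding(n, rec["c-ip"], "POST to ToolPane.aspx", rec["cs-uri-stem"]))
        if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            findings.append(Finding(n, rec["c-ip"], "request for known web shell name", rec["cs-uri-stem"]))
    return findings

def suspicious_clients(text: str) -> set[str]:
    """Distinct client IPs behind any finding, for blocking or triage."""
    return {f.client_ip for f in scan_iis_log(text)}
```

Run over a real log by replacing SAMPLE_LOG with the file contents and FIELDS with the order from its #Fields header; a normal GET to ToolPane.aspx is deliberately not flagged, since editing pages use it legitimately.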
Microsoft has identified three Chinese-linked hacking groups - Linen Typhoon, Violet Typhoon, and Storm-2603 - as the main culprits. At least 148 organizations across various sectors have been affected, including the U.S. Department of Education, the Florida Department of Revenue, the National Institutes of Health, and government entities in Europe and the Middle East. The threat remains active, with more than 10,700 SharePoint instances still exposed globally.
In a world where nuclear infrastructures, hospitals, and educational systems depend on business suites like SharePoint, a flaw in a corporate platform can become a black hole of national security. Security in the digital age is not just about weapons or borders, but about lines of code, patches applied in time, and invisible redundant systems that separate a minor intrusion from an irreversible disaster.
- Cybersecurity and technology now play a significant role in finance and politics, as the recent state-sponsored Chinese cyberattack on the U.S. nuclear agency demonstrates.
- In the digital age, general-news outlets such as The New York Times, The Washington Post, and CNN have reported on the ongoing threats posed by Chinese threat actors like Linen Typhoon, Violet Typhoon, and Storm-2603, which have exploited vulnerabilities in Microsoft SharePoint.
- To ensure the security of critical infrastructures like hospitals, educational systems, and nuclear facilities in this interconnected world, it's essential to prioritize cybersecurity measures and communicate cyber threats promptly, following guidelines from agencies like the Cybersecurity and Infrastructure Security Agency (CISA).