US Nuclear Security Administration Breached in SharePoint Hack, Linen & Violet Typhoon, Storm-2603 Suspected

Written by:
Lore Apostol
Cybersecurity Writer

The U.S. National Nuclear Security Administration (NNSA) was reportedly among several entities impacted during an active exploitation campaign linked to Chinese hackers that is targeting on-premises SharePoint Servers.  

Bloomberg reported on this alleged breach of the Energy Department arm responsible for the nation’s nuclear arsenal, citing a source familiar with the matter, who also mentioned other arms of the Department were compromised.

Breach Details and Scope  

The attack targeted on-premises SharePoint servers: spoofing vulnerability CVE-2025-49706 and remote code execution flaw CVE-2025-49704 were exploited together in a chained attack known as ToolShell. Chaining the two allowed hackers to bypass authentication and execute malicious code remotely on vulnerable systems, impacting 100 organizations and dozens of servers.

Bloomberg reports the NNSA was breached in the SharePoint hack | Source: Bloomberg via Eric Geller on X

Although the NNSA breach has raised concerns due to the agency's critical mission, the source said that no sensitive or classified information was compromised. 

The anonymous spokesman told Bloomberg that the zero-day exploit of the SharePoint Servers had a minimal impact, as the NNSA relies more on SharePoint Online in Microsoft 365, which is not affected. The few impacted systems are reportedly being restored.

Who Is Behind the Attack

Microsoft reported that the attack is believed to be part of a larger campaign exploiting security gaps in the company’s document management software. 

The IT giant names Chinese nation-state actors Linen Typhoon and Violet Typhoon and China-based threat actor Storm-2603, all of which were seen exploiting these vulnerabilities in internet-facing SharePoint servers. The report mentions ongoing investigations into other actors that are also using these exploits.

Observations suggest the state-sponsored groups aim to deploy sophisticated web shells and malicious scripts for broader operational access.

First seen in 2012, Linen Typhoon has focused on exfiltrating data from government, defense, strategic planning, and human rights entities via drive-by compromises and existing exploits.

The Violet Typhoon espionage actor was first identified in 2015, targeting former government and military personnel, as well as non-governmental organizations (NGOs), by exploiting exposed web infrastructure flaws to install web shells.

Microsoft assessed with medium confidence that Storm-2603 is a China-based threat actor. It is not believed to be linked to other known Chinese groups, but it was associated with attempts to steal MachineKeys by exploiting the SharePoint flaws.

The Response  

Microsoft has released comprehensive security patches for all affected SharePoint versions, including 2016, 2019, and the Subscription Edition, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025. 

This SharePoint exploit serves as a stark reminder for agencies and organizations managing critical systems to maintain rigorous patch management protocols. They should also implement data minimization strategies, robust lifecycle management, and continuous DSPM (data security posture management), as advised by Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer at AvePoint.
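One concrete form that "rigorous patch management" takes is cross-checking an on-premises server inventory against the CISA KEV catalog so that unpatched hosts surface with their remediation due dates. The script below is an added example, not code from the article, Microsoft, or CISA. It uses the public KEV feed's field names (cveID, vendorProject, product, dateAdded, dueDate), but the feed entries, the inventory, and the dates in it are constructed samples; only the two CVE IDs come from the article. It also skips SharePoint Online entries, since the article notes that service is not affected.

```python
"""Cross-check a server inventory against a CISA KEV-style feed.

Added example (not the article's, Microsoft's, or CISA's code).
The JSON layout mirrors the public KEV catalog's field names; the
entries, hosts, and dates below are constructed samples.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV catalog feed. The CVE IDs are
# the two named in the article; dueDate values are made up for this demo.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the live catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2025-49706", "vendorProject": "Microsoft",
         "product": "SharePoint Server", "dateAdded": "2025-07-20",
         "dueDate": "2025-07-21"},
        {"cveID": "CVE-2025-49704", "vendorProject": "Microsoft",
         "product": "SharePoint Server", "dateAdded": "2025-07-20",
         "dueDate": "2025-07-21"},
    ],
})

# Constructed inventory: hostnames, hosting model, and CVEs already patched.
SAMPLE_INVENTORY = [
    {"host": "sp-onprem-01", "hosting": "on-premises",
     "patched_cves": {"CVE-2025-49706", "CVE-2025-49704"}},
    {"host": "sp-onprem-02", "hosting": "on-premises", "patched_cves": set()},
    {"host": "sp-online-tenant", "hosting": "online", "patched_cves": set()},
]


def load_kev(kev_json: str) -> dict:
    """Parse a KEV-style JSON document into a dict keyed by CVE ID."""
    data = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def find_exposed(inventory, kev, product_keyword="SharePoint",
                 today=date(2025, 7, 22)):
    """Return one finding per (host, KEV CVE) pair that is still unpatched.

    Only on-premises hosts are in scope: the article notes SharePoint Online
    is not affected. 'overdue' is True when today is past the KEV dueDate.
    """
    findings = []
    for asset in inventory:
        if asset["hosting"] != "on-premises":
            continue
        for cve_id, entry in kev.items():
            if product_keyword.lower() not in entry["product"].lower():
                continue
            if cve_id in asset["patched_cves"]:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve_id,
                "due": entry["dueDate"],
                "overdue": today > due,
            })
    # Overdue items first, then by host and CVE for stable reporting.
    findings.sort(key=lambda f: (not f["overdue"], f["host"], f["cve"]))
    return findings


def summarize(findings) -> dict:
    """Count exposed hosts and overdue items for a quick status line."""
    return {
        "exposed_hosts": len({f["host"] for f in findings}),
        "overdue_items": sum(1 for f in findings if f["overdue"]),
    }


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    results = find_exposed(SAMPLE_INVENTORY, kev)
    for f in results:
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f"{f['host']}: {f['cve']} unpatched ({flag})")
    print(summarize(results))
```

In practice the inventory would come from a CMDB or the servers' installed-update records, and the KEV document from CISA's published feed rather than the embedded sample; the matching logic stays the same.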
