U.S. Nuclear Weapons Agency Breached in Microsoft SharePoint Hack
Posted On July 23, 2025
A cyberattack that started as a breach of Microsoft SharePoint servers has now spilled over into more than 10,000 on-premises installations, including systems run by the U.S. National Nuclear Security Administration (NNSA), the agency tasked with managing the country’s nuclear weapons program.
According to a Bloomberg report, the NNSA—part of the U.S. Department of Energy—was breached as part of a broader exploit targeting a zero-day vulnerability in Microsoft’s SharePoint software. The bug, which affects only on-premises deployments, gave hackers remote access to servers and allowed them to steal data and login credentials.
“The US agency responsible for maintaining and designing the nation’s cache of nuclear weapons was among those breached by a hack of Microsoft Corp.’s SharePoint document management software, Bloomberg reported, citing a person with knowledge of the matter.”
So far, officials say no classified information was compromised. But the incident adds to growing anxiety over how fragile critical infrastructure has become, especially when built on widely used commercial software. A source familiar with the matter confirmed that attackers didn’t gain access to any sensitive or classified data.
Bloomberg added, “No sensitive or classified information is known to have been compromised in the attack on the National Nuclear Security Administration, said the person, who wasn’t authorized to speak publicly and asked not to be identified. The semiautonomous arm of the Energy Department is responsible for producing and dismantling nuclear arms. Other parts of the department were also compromised.”
The breach began on July 18 and hit a “very small number of systems,” according to a DOE spokesperson. Those systems are now being restored. The department added that the overall damage was limited because most of its infrastructure relies on Microsoft’s M365 cloud platform rather than vulnerable on-prem servers.
Still, the NNSA wasn’t the only one hit. The exploit was part of a broader global campaign targeting more than 50 organizations, including federal and state agencies, energy firms, universities, and a telecom company in Asia.
The vulnerability was first demonstrated publicly at the Pwn2Own hacking contest in May 2024. Hackers combined a deserialization bug with an authentication bypass flaw to gain unauthorized access and even steal cryptographic keys—making it possible for them to come back later, even after patches are applied.
Microsoft has attributed the attacks to Chinese state-backed hacking crews, including “Linen Typhoon,” “Violet Typhoon,” and another group known as “Storm-2603.” The exploit chain gave them a foothold in on-premises SharePoint installations and, in some cases, allowed long-term access via stolen keys.
The news has reignited criticism of Microsoft’s security track record. A 2024 government report had already flagged concerns, calling for sweeping reforms. And with memories still fresh from the 2020 SolarWinds breach—which also impacted the NNSA—the spotlight is back on Microsoft and its handling of vulnerabilities in widely deployed products.
Officials have been quick to emphasize that classified networks used by the NNSA remain secure and air-gapped. Edwin Lyman of the Union of Concerned Scientists said those networks are isolated from the internet, making a breach unlikely. Still, the possibility that unclassified but sensitive data was accessed raises alarms about what attackers might do with that information.
The situation reinforces the growing shift toward cloud infrastructure. Since the exploit affected only on-prem SharePoint instances, agencies running Microsoft’s cloud-based services were largely unaffected. That distinction could accelerate the move away from legacy software systems.
Microsoft initially released a fix earlier in July, but it didn’t fully resolve the issue. After researchers spotted ongoing attacks, the company rushed out more comprehensive patches by July 21. It urged all customers still running on-prem SharePoint to update immediately and check for any signs of compromise.
But the concern isn’t just about those already hit. Security experts say tens of thousands of SharePoint servers are still at risk. With the exploit now widely known and able to extract keys that grant lasting access, some organizations could be dealing with the fallout for months.
This attack shines a harsh light on the security challenges of maintaining aging infrastructure across high-stakes government operations. Even though no classified material was accessed, the idea that foreign hackers could get into the systems of a nuclear agency is unsettling—and it’s not the first time.
It also speaks to a deeper issue: how much trust organizations place in software that was never designed with today’s threat landscape in mind. Microsoft, already under fire, now faces even more pressure to step up its security practices.
For now, the Department of Energy and other affected agencies are working to clean up the mess and lock down their networks. But the broader implications—about state-sponsored threats, software vulnerabilities, and digital national security—aren’t going away anytime soon.

