The breach is confirmed. The fallout is expanding. Microsoft’s SharePoint vulnerability has now reached the core of U.S. national defense infrastructure. The National Nuclear Security Administration, which oversees the design and maintenance of America’s nuclear arsenal, was among the federal entities compromised. The Department of Homeland Security was also hit. CISA flagged the intrusion to more than a dozen agencies. At least five have confirmed impact. The exploit targeted on-premises SharePoint servers. Not cloud. Not hybrid. Just legacy setups still running inside government walls.
The vulnerability was a zero-day. No warning. No patch. Microsoft named three China-linked groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Exploitation began July 7. Emergency patches were released July 21 and 22. That gave attackers a two-week head start. Eye Security confirmed over 400 compromised SharePoint systems. More than 3,000 vulnerable IPs are based in the U.S. Qatar’s government systems were also targeted. Europe and the Middle East saw hits. The blast radius is global.
Inside DHS, the breach touched multiple components. TSA. FEMA. Customs and Border Protection. CISA itself. One government analyst said, “Need a form? Go to SharePoint. Need to send an update? SharePoint. Notes from meetings? SharePoint.” That’s how deep the dependency runs. SharePoint isn’t just a file server. It’s the nervous system of federal workflow.
Microsoft’s attribution points to China. But the company stopped short of naming the Chinese government directly. The Chinese foreign ministry denied involvement. Said it opposes hacking. Said accusations are political. But the fingerprints match past campaigns. Linen Typhoon has targeted defense and government networks since 2012. Violet Typhoon has hit NGOs, media, and military personnel since 2015. Storm-2603 has deployed ransomware before. Now it’s inside federal systems.
The breach is still unfolding. Microsoft warned that more actors will adopt the exploit. The vulnerability is public. The patch is out. But the window was open long enough. The damage is done. The question now is how deep it goes.
Sources:
https://thehackernews.com/2025/07/microsoft-links-ongoing-sharepoint.html