A sophisticated Chinese state-sponsored hacking campaign has infiltrated the US National Nuclear Security Administration and over 100 organizations worldwide by exploiting critical vulnerabilities in Microsoft SharePoint servers, cybersecurity officials revealed Wednesday.
The cyberattack, attributed to Chinese hacking groups known as Linen Typhoon, Violet Typhoon, and Storm-2603, targeted on-premises SharePoint installations used by government agencies, energy companies, universities, and consulting firms across the United States, Brazil, Canada, Indonesia, and Spain. The breach of the NNSA, which oversees America’s nuclear weapons program, has raised alarm bells throughout the federal government.
According to Microsoft and cybersecurity experts, the hackers exploited zero-day vulnerabilities, including CVE-2025-53770, to gain remote access to victim networks and steal credentials such as usernames, passwords, and authentication tokens. The attack bypassed initial security patches, allowing the Chinese operatives to maintain persistent access to compromised systems for espionage purposes.
While officials stress that no classified information appears to have been compromised at the nuclear agency, the breach demonstrates the ongoing threat posed by Beijing-backed cyber espionage operations targeting critical US infrastructure. The attack focused exclusively on self-hosted SharePoint servers, with cloud-based installations remaining unaffected.
The Cybersecurity and Infrastructure Security Agency has responded by adding the exploited SharePoint vulnerabilities to its Known Exploited Vulnerabilities catalog, signaling an urgent need for immediate patching. CISA is coordinating with Microsoft, the Department of Defense, and international partners to share threat intelligence and technical guidance for detecting and mitigating the ongoing campaign.
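The KEV listing mentioned above is what a defender would check an on-premises SharePoint inventory against. As an added example (not code from the article, CISA or Microsoft), the following Python parses a catalog laid out like the CISA KEV JSON feed and flags any inventory CVE that appears in it, marking entries whose due date has passed. The sample catalog, its dates and its second entry are constructed for illustration; only the field names follow the published feed layout.

```python
"""Match an asset inventory's CVE list against a KEV-format catalog.

Added example, not code from the article, CISA or Microsoft. Assumes the
public CISA KEV JSON layout: a top-level "vulnerabilities" list whose
entries carry "cveID", "vendorProject", "product", "dateAdded", "dueDate"
and "knownRansomwareCampaignUse". The catalog text below is constructed
sample data, not the live feed; its dates and second entry are made up.
"""
import json
from datetime import date, datetime

# Constructed KEV-like catalog (sample data, not the real feed).
SAMPLE_KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-53770",
      "vendorProject": "Microsoft",
      "product": "SharePoint",
      "vulnerabilityName": "Microsoft SharePoint vulnerability (sample entry)",
      "dateAdded": "2025-07-20",
      "dueDate": "2025-07-21",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2024-00001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleApp",
      "vulnerabilityName": "Placeholder entry (constructed)",
      "dateAdded": "2025-07-01",
      "dueDate": "2025-08-15",
      "knownRansomwareCampaignUse": "Known"
    }
  ]
}
"""


def load_kev(catalog_text):
    """Parse KEV-format JSON into a dict keyed by upper-cased CVE id."""
    data = json.loads(catalog_text)
    return {v["cveID"].upper(): v for v in data.get("vulnerabilities", [])}


def _parse_date(value):
    """Return a date for an ISO 'YYYY-MM-DD' string, or None if absent/invalid."""
    if isinstance(value, date):
        return value
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return None


def check_inventory(kev, inventory_cves, today):
    """Return one finding per inventory CVE present in the catalog.

    `today` may be a date or an ISO string. A finding is overdue when today
    is past the catalog's dueDate; entries without a parseable dueDate are
    reported but never marked overdue. Overdue findings sort first.
    """
    today = _parse_date(today)
    findings = []
    for cve in inventory_cves:
        entry = kev.get(cve.strip().upper())
        if entry is None:
            continue  # not in KEV: still worth patching, but not flagged here
        due = _parse_date(entry.get("dueDate"))
        findings.append({
            "cve": entry["cveID"],
            "product": f"{entry.get('vendorProject', '?')} {entry.get('product', '?')}",
            "date_added": entry.get("dateAdded"),
            "due_date": entry.get("dueDate"),
            "overdue": due is not None and today is not None and today > due,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    findings.sort(key=lambda f: (not f["overdue"], f["due_date"] or ""))
    return findings


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    # Constructed inventory: one on-prem SharePoint CVE, one CVE not in the catalog.
    inventory = ["cve-2025-53770", "CVE-2023-00002"]
    for f in check_inventory(catalog, inventory, "2025-07-23"):
        state = "OVERDUE" if f["overdue"] else "due"
        print(f"{f['cve']}: {f['product']} (added {f['date_added']}, {state} {f['due_date']})")
```

In practice the catalog text would come from the CISA KEV JSON download and the inventory from a patch-management or CMDB export; the matching logic stays the same, and the overdue flag gives a simple priority order for the patching the agency is urging.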
Comparative Table: Recent CISA Actions on Major Cybersecurity Incidents
| Incident | Emergency Directive Issued? | Key CISA Response | Victims |
|---|---|---|---|
| SolarWinds (2020) | Yes: Mandated immediate patching & network isolation | Led federal response, issued technical guidance, and worked with FBI/NSA | US federal agencies, Fortune 500 |
| Microsoft Exchange (2021) | No (urgent advisory & guidance) | Issued hardening guidance, shared IoCs | Gov, business, academia globally |
| Microsoft SharePoint (2025) | No (as of July 23, 2025) | Added to KEV catalog, technical guidance | US NNSA, global organizations |
“Organizations running on-premises SharePoint servers must patch these vulnerabilities immediately and implement additional monitoring for suspicious activity,” a CISA spokesperson said. The agency has not issued a formal emergency directive but continues to provide technical guidance and indicators of compromise to help victims identify potential breaches.
Microsoft confirmed it is working closely with federal agencies and international partners in response to the attack. The company has released security updates addressing the exploited vulnerabilities and urged all customers to apply patches without delay.
The breach represents the latest in a series of high-profile cyberattacks attributed to Chinese state actors, who have increasingly targeted US government agencies and critical infrastructure in recent years. Security experts warn that the sophistication and persistence of these campaigns pose an ongoing national security challenge.
Federal investigators are continuing to assess the full scope of the breach and potential data exposure across affected organizations. The incident underscores the critical importance of timely security updates and robust cybersecurity measures for protecting sensitive government and corporate networks from advanced persistent threats.