U.S. Nuclear Agency Hacked Following Microsoft SharePoint Attacks

Written by Levi Yoris | Jul 24, 2025 4:33:57 PM

Once again, high-level cybersecurity has been put to the test. This time, malicious actors—still unidentified—managed to infiltrate the network of the National Nuclear Security Administration (NNSA) by exploiting a chain of zero-day vulnerabilities in Microsoft SharePoint, flaws that have only recently been patched.

For those unfamiliar with it, the NNSA is a semi-autonomous agency under the wing of the U.S. Department of Energy. Its mission is no small task: safeguarding the country’s nuclear arsenal and responding to nuclear and radiological emergencies both domestically and abroad.

A spokesperson for the Department of Energy confirmed the incident. According to the statement, the attackers gained access to NNSA networks over the past week.

"On Friday, July 18, we began to see activity related to the exploitation of a zero-day vulnerability in Microsoft SharePoint, which impacted the Department of Energy, including the NNSA," explained Ben Dietderich, press secretary for the Department.

The good news is that the impact was limited. According to Dietderich, the widespread use of Microsoft M365 cloud services and internal cybersecurity systems helped contain the attack. He stated that only “a very small number of systems” were compromised, and that “all affected systems are being restored.”

Moreover, according to internal sources cited by Bloomberg, there is no indication that classified or highly sensitive information was leaked—at least for now.

This isn’t the first scare for the NNSA. In 2019, the infamous group APT29 (linked to Russia’s Foreign Intelligence Service, SVR) managed to breach the same agency through a compromised update of the SolarWinds Orion software.

Chinese Hackers Compromise Over 400 Servers: SharePoint Once Again the Achilles’ Heel

This week, both Microsoft and Google confirmed what many in the cybersecurity world had already suspected: several hacker groups backed by the Chinese government are behind a wave of massive attacks exploiting zero-day vulnerabilities in Microsoft SharePoint. This set of flaws, known as ToolShell, has enabled the compromise of hundreds of servers worldwide.

According to Microsoft, the groups Linen Typhoon and Violet Typhoon, both with ties to the Chinese state, were detected exploiting these vulnerabilities on internet-exposed SharePoint servers. Joining them is another China-based group, Storm-2603, reportedly using the same method. And the concerning part is that the investigation is still ongoing—more actors may be involved.

The Netherlands-based cybersecurity company Eye Security was among the first to raise the alarm. They detected the first signs last Friday and estimated that at least 54 organizations had already been compromised, including government agencies and major multinational corporations.

But the situation is even more alarming. According to recent statements from Eye Security’s CTO, Piet Kerkhofs, the actual number of affected entities far exceeds that initial estimate. In fact, their data shows that at least 400 servers have already been infected with malware, and 148 organizations worldwide are compromised—many of them unknowingly for weeks.

Security firm Check Point also joined in the findings, revealing that the attacks may have started as early as July 7, primarily targeting government, telecommunications, and technology entities across North America and Western Europe.

In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added vulnerability CVE-2025-53770—a key link in the ToolShell exploit chain—to its catalog of actively exploited flaws. The agency acted decisively: federal agencies were given just 24 hours to patch their systems.

These attacks make one thing clear: vulnerabilities in widely used platforms like SharePoint are fertile ground for global threats. If you haven’t audited your systems yet, now is the time to do it. Because if ToolShell teaches us anything, it’s that the next compromised organization could be yours.