SharePoint attack also affects the US Nuclear Agency.

The National Nuclear Security Administration (NNSA), the agency that manages the US nuclear arsenal, is also among the targets of the SharePoint attack. Initial investigations indicate that no military secrets were stolen, but the incident highlights how fragile the digital supply chain can be, even in the most sensitive departments of the US government.
Microsoft attributes the attacks to three Beijing-backed groups: Linen Typhoon, Violet Typhoon, and Storm-2603. The first two are known for spying on government agencies, while the third has a history of ransomware. All three targeted servers exposed to the internet before companies could install fixes. There was time to fix the bugs in SharePoint (a platform where millions of employees share documents): a Viettel researcher had identified them on May 17, and Microsoft released the first patches on July 8.
The first wave of mass attacks erupted between July 18 and 19, affecting over 100 major companies; yesterday, Bloomberg and Reuters revealed that the NNSA was also implicated.
Why SharePoint

SharePoint is often managed in-house, on company machines. The vulnerability allowed access without a password, installation of a small hidden program (web shell), and the theft of internal encryption keys. With those keys, intruders could tamper with permissions and remain invisible. The cloud version of SharePoint (the one within Microsoft 365) was not tampered with.
The NNSA uses separate networks: a "business" network for administrative documents and a "classified" network for nuclear data. The attack only touched the first network; there's no evidence of a leak, but the alarm is serious because it demonstrates that even the tightest security measures have vulnerabilities.
Microsoft released a second set of "emergency" patches on July 19-21, urging people to "install them immediately" and rotate security keys to prevent intruders from accessing them. CISA, the federal cybersecurity agency, has ordered all US civilian organizations to secure or disconnect their servers by July 23. Similar warnings have been issued by the UK's NHS, the European Cybersecurity Agency, and numerous US CERTs.
repubblica