Nuclear Threat: Hackers Breach US Weapons Component Maker via SharePoint Zero-Days
Government-backed hackers infiltrated a U.S. nuclear weapons component manufacturer by exploiting vulnerabilities in Microsoft SharePoint. The incident affected the Kansas City National Security Campus (KCNSC), part of the National Nuclear Security Administration (NNSA) under the U.S. Department of Energy. According to sources, the attack occurred in August, leveraging the unpatched flaws CVE-2025-53770 and CVE-2025-49704, which allow remote code execution on SharePoint servers.
The facility, managed by Honeywell Federal Manufacturing & Technologies, produces the majority of non-nuclear mechanical and electronic components used in the U.S. nuclear arsenal. It houses divisions specializing in metallography, analytical chemistry, environmental testing, and simulation. Roughly 80% of all parts for U.S. nuclear weapons are manufactured there, making the site one of the most sensitive nodes in the nation’s defense infrastructure.
Microsoft released its security updates on July 19, yet attackers began exploiting the flaws as early as July 18. The Department of Energy confirmed the attacks but stated that damage was limited, crediting the organization’s migration of most systems to Microsoft 365’s cloud platform. Restoration efforts were carried out with assistance from NSA specialists, who arrived in early August.
Experts remain divided on the origins of the attackers. Microsoft attributes the SharePoint exploitation wave to Chinese state-linked groups such as Linen Typhoon, Violet Typhoon, and Storm-2603, which were allegedly preparing to deploy a program known as Warlock. Meanwhile, cybersecurity firm Resecurity, which monitored the campaign, also points to likely Chinese involvement, though it does not rule out participation by other actors who may have obtained the exploits via darknet exchanges. Analysts suggest the vulnerabilities may have been replicated after being demonstrated at Pwn2Own Berlin by Viettel Cyber Security researchers, accelerating the spread of the exploits online.
Initial scans and attacks originated from servers in Taiwan, Vietnam, South Korea, and Hong Kong — a typical geographic pattern for Chinese APT operations designed to obscure attribution. Resecurity noted that the campaign appeared to exploit Microsoft’s Active Protections Program (MAPP), which grants trusted partners early access to vulnerability data. However, once the technical details became public, the exploits were soon adopted by other threat actors.
Though the attack primarily targeted the enterprise IT network, industrial cybersecurity experts have warned of potential lateral movement into operational technology (OT) systems — those managing robotic assembly lines, programmable logic controllers (PLCs), and SCADA systems responsible for power and environmental controls. Even with physical network segmentation, the risk of cross-domain compromise cannot be entirely dismissed.
The incident underscores how cybersecurity shortcomings in operational environments can endanger strategic assets. While federal agencies have begun implementing zero-trust architectures across their IT infrastructures, equivalent frameworks for OT networks remain under development. The Department of Defense is currently drafting a dedicated control standard for OT environments, intended to integrate with broader federal security policies.
Even if the attackers accessed only non-classified data, such information remains of high intelligence value. Technical specifications, tolerances, and assembly parameters can reveal insights into the precision of U.S. weaponry, supply chain structures, and quality control methodologies, enabling adversaries to indirectly assess the reliability and sophistication of American defense programs.
The Department of Energy later confirmed that the SharePoint vulnerability was indeed exploited against the NNSA but reiterated that the impact was minimal and no classified information had been compromised. Nevertheless, the case starkly highlights the fragility of the defense industrial base, even in the face of cyberattacks confined to corporate IT systems.