Hackers exploited critical flaws in Microsoft SharePoint software to breach sensitive systems at the National Nuclear Security Administration (NNSA) and the National Institutes of Health (NIH), U.S. officials confirmed this week. Although no classified data was stolen, the attack underscores growing concerns about foreign cyber campaigns targeting American infrastructure and research institutions.
The breaches were part of a widespread and ongoing cyber campaign exploiting vulnerabilities in on-premises SharePoint systems. At least 60 organizations worldwide, spanning government, health, education, and finance, have been impacted.
Inside the NIH and Nuclear Security Breaches
According to internal emails reviewed by The Washington Post, one NIH server was successfully compromised, while two others faced intrusion attempts. In response, NIH officials took the precaution of disconnecting eight servers from the internet. Among the affected systems were websites related to the National Institute of Diabetes and Digestive and Kidney Diseases and the Fogarty International Center, both central to global health research and funding.
Meanwhile, the NNSA, a key agency responsible for overseeing the U.S. nuclear weapons stockpile, confirmed it was also targeted. However, officials stressed that no classified or sensitive data was compromised. The Department of Energy stated that its reliance on Microsoft’s cloud infrastructure helped minimize the attack's impact.
Microsoft and Cyber Experts Point to China
Cybersecurity researchers and Microsoft attributed the attacks to China-linked hacker groups, including Violet Typhoon, Linen Typhoon, and Storm-2603. Microsoft expressed “high confidence” that these groups will continue exploiting SharePoint vulnerabilities in future campaigns.
Beijing, through its U.S. embassy, denied involvement, calling the accusations baseless and warning against “politicizing cybersecurity without evidence.”
A High-Severity, Global Threat
Security experts have labeled the exploited flaw “high-severity,” noting SharePoint’s integration with tools like OneDrive and Outlook. Palo Alto Networks and Eye Security reported that attackers were able to bypass patches, steal login credentials, and persist on systems even after rebooting.
“This isn’t just a backdoor — it’s a full garage door left open,” said Elena Park, a cybersecurity analyst at Eye Security. “Once inside, the attackers have enormous access.”
So far, at least 100 servers worldwide have been compromised. Among the reported U.S. targets were:
The U.S. Department of Education
The Florida Department of Revenue
The Rhode Island General Assembly
Several of these agencies declined to comment or have not yet confirmed the extent of the impact.
Microsoft Responds and Reforms Continue
Microsoft released emergency patches in early July and is continuing to monitor the attacks. The company has faced scrutiny over previous breaches, including the SolarWinds and Exchange hacks, and has committed to strengthening its security posture through internal reforms and increased collaboration with federal agencies.
“We are working closely with our partners to protect critical systems and ensure customers are fully patched and secure,” said a Microsoft spokesperson.
What’s Next?
Federal cybersecurity officials say the incident highlights the need to phase out legacy on-premises systems and move toward more secure cloud-based solutions. Agencies are urged to install the latest patches, audit access logs, and review authentication procedures.
While no classified material was stolen this time, officials acknowledge that the line between espionage and sabotage is thinning.
“This wasn’t just a shot across the bow,” said one senior federal cybersecurity advisor. “It was a reminder that adversaries are already inside the gate, probing for weaknesses.”
Bottom Line: