nuclear-news

Foreign hackers breached a US nuclear weapons plant via SharePoint flaws

CSO News Analysis, Oct 20, 2025

A foreign actor infiltrated the National Nuclear Security Administration’s Kansas City National Security Campus through vulnerabilities in Microsoft’s SharePoint browser-based app, raising questions about the need to solidify further federal IT/OT security protections.

A foreign threat actor infiltrated the Kansas City National Security Campus (KCNSC), a key manufacturing site within the National Nuclear Security Administration (NNSA), exploiting unpatched Microsoft SharePoint vulnerabilities, according to a source involved in an August incident response at the facility.

The breach targeted a plant that produces the vast majority of critical non-nuclear components for US nuclear weapons under the NNSA, a semi-autonomous agency within the Department of Energy (DOE) that oversees the design, production, and maintenance of the nation’s nuclear weapons. Honeywell Federal Manufacturing & Technologies (FM&T) manages the Kansas City campus under contract to the NNSA.

The Kansas City campus, Honeywell FM&T, and the Department of Energy did not respond to repeated requests for comment throughout September, well before the current government shutdown. NSA public affairs officer Eddie Bennett did respond, saying, “We have nothing to contribute,” and referred CSO back to the DOE.

Although it is unclear whether the attackers were a Chinese nation-state actor or Russian cybercriminals — the two most likely culprits — experts say the incident drives home the importance of securing systems that protect operational technology from exploits that primarily affect IT systems.

How the breach unfolded

The attackers exploited two recently disclosed Microsoft SharePoint vulnerabilities — CVE-2025-53770, a spoofing flaw, and CVE-2025-49704, a remote code execution (RCE) bug — both affecting on-premises servers. Microsoft issued fixes for the vulnerabilities on July 19.

On July 22, the NNSA confirmed it was one of the organizations hit by attacks enabled by the SharePoint flaws. “On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy,” a DOE spokesperson said……………………………………………………………………………………………………………………………….

China or Russia? Conflicting attribution

Microsoft attributed the broader wave of SharePoint exploitations to three Chinese-linked groups: Linen Typhoon, Violet Typhoon, and a third actor it tracks as Storm-2603. The company said the attackers were preparing to deploy Warlock ransomware across affected systems.

However, the source familiar with the Kansas City incident tells CSO that a Russian threat actor, not a Chinese one, was responsible for the intrusion. Cybersecurity company Resecurity, which was monitoring the SharePoint exploitations, tells CSO that its own data pointed primarily to Chinese nation-state groups, but it does not rule out Russian involvement………………………………………………………………………………………………………………….

Could the attack have reached operational systems?

The breach targeted the IT side of the Kansas City campus, but the intrusion raises the question of whether attackers could have moved laterally into the facility’s operational technology (OT) systems, the manufacturing and process control environments that directly support weapons component production.

OT cybersecurity specialists interviewed by CSO say that KCNSC’s production systems are likely air-gapped or otherwise isolated from corporate IT networks, significantly reducing the risk of direct crossover. Nevertheless, they caution against assuming such isolation guarantees safety………………………………………………………………………………………………………

IT/OT convergence and the zero-trust gap

The Kansas City incident highlights a systemic problem across the federal enterprise: the disconnect between IT and OT security practices. While the federal government has advanced its zero-trust roadmap for traditional IT networks, similar frameworks for operational environments have lagged, although recent developments point to progress on that front………………………………………………………………………………………………………..

Even non-classified data theft holds strategic value

If the source’s claim of Russian involvement is accurate, the attackers may have been financially motivated ransomware operators rather than state intelligence services. But even in that scenario, the data they accessed could still carry strategic value……………………………………………………………….. https://www.csoonline.com/article/4074962/foreign-hackers-breached-a-us-nuclear-weapons-plant-via-sharepoint-flaws.html

October 21, 2025 - Posted by Christina Macpherson | incidents