Unknown threat actors recently gained access to a network segment of the National Nuclear Security Administration, a semi-autonomous agency within the U.S. Department of Energy. The intrusion exploited a vulnerability in on-premises Microsoft SharePoint Server, part of an exploit chain tracked in active attacks as ToolShell. The Department reported that the breach had minimal impact, crediting its extensive use of the Microsoft 365 cloud and its internal cybersecurity controls for limiting the damage. Officials said the breach began around July 18, that only a small number of systems were affected, and that no classified or sensitive data has been confirmed as lost.
The same campaign also hit networks at the Department of Education, Florida’s tax authority, Rhode Island’s legislature, and multiple state bodies across Europe and the Middle East.
The same agency had been breached once before: in 2020 the Russian group APT29 reached it through a trojanized SolarWinds Orion update. The ToolShell activity has a different origin. Microsoft and Google attributed it to several China-based groups, Linen Typhoon, Violet Typhoon, and Storm-2603, all of which targeted internet-facing, on-premises SharePoint servers. The key flaw in the chain, CVE-2025-53770, is a deserialization bug that lets an unauthenticated attacker execute code remotely on on-premises SharePoint Server; SharePoint Online in Microsoft 365 is not affected, which is consistent with the Department's point about its cloud usage. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, which obliges U.S. federal civilian agencies to remediate by the listed due date.
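A KEV listing only helps if someone turns it into a deadline against what the organization actually runs. The script below is an added example written for this page, not code from the article, CISA, or any vendor. It reads a catalog export in the shape of CISA's public KEV JSON feed (the `vulnerabilities` list with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `requiredAction` fields) and cross-checks it against a software inventory. The catalog entries, the inventory, the placeholder second entry and the `triage` function are all constructed for illustration; the dates on the CVE-2025-53770 entry are sample values and should be confirmed against the live feed.

```python
"""Triage a CISA KEV catalog export against an on-premises software inventory.

Added example for this article. The JSON below mirrors the field names of the
public KEV feed, but every entry is constructed sample data, not a download.
"""
import json
from datetime import date

# Constructed sample catalog. The first entry is the CVE named in the article;
# the second is a placeholder that should never match the inventory below.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-53770",
            "vendorProject": "Microsoft",
            "product": "SharePoint",
            "vulnerabilityName": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
            "dateAdded": "2025-07-20",      # sample value; confirm against the live feed
            "shortDescription": "Deserialization of untrusted data allowing remote code execution.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": "2025-07-21",        # sample value; confirm against the live feed
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00000",      # placeholder, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry",
            "dateAdded": "2025-01-01",
            "shortDescription": "Constructed filler so the inventory has something to not match.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2025-01-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: (vendor, product as named locally, already patched?).
# Only on-premises products belong here; SharePoint Online is serviced by
# Microsoft and is not in scope for this CVE.
SAMPLE_INVENTORY = [
    ("Microsoft", "SharePoint Server 2019", False),
    ("Microsoft", "Exchange Server 2019", True),
    ("Microsoft", "Windows Server 2022", True),
]


def parse_kev(text):
    """Parse a KEV JSON document into a list of flat entry dicts."""
    data = json.loads(text)
    return [
        {
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
            "action": v["requiredAction"],
        }
        for v in data["vulnerabilities"]
    ]


def triage(entries, inventory, today):
    """Return unpatched inventory items that match a KEV entry, most overdue first.

    Matching is deliberately coarse: vendor must match exactly (case-insensitive)
    and the KEV product string must appear inside the local product name. Treat
    hits as leads for a human to confirm, not as proof of exposure.
    """
    findings = []
    for e in entries:
        for vendor, product, patched in inventory:
            if patched:
                continue
            if e["vendor"].lower() != vendor.lower():
                continue
            if e["product"].lower() not in product.lower():
                continue
            days_past_due = (today - e["due"]).days
            findings.append({
                "cve": e["cve"],
                "product": product,
                "due": e["due"].isoformat(),
                "overdue": days_past_due > 0,
                "days_overdue": max(days_past_due, 0),
                "action": e["action"],
            })
    findings.sort(key=lambda f: f["days_overdue"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(parse_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date(2025, 7, 25)):
        state = f"{f['days_overdue']} day(s) past due" if f["overdue"] else "due " + f["due"]
        print(f"{f['cve']}  {f['product']}  {state}  -> {f['action']}")
```

Run against the live feed by replacing `SAMPLE_KEV_JSON` with the downloaded catalog text; the parser does not depend on the sample values. The substring match on `product` is intentionally loose because KEV product names are short ("SharePoint") while inventories tend to carry editions and versions, so the output is a worklist to verify, not an exposure report.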
Dutch firm Eye Security first flagged the campaign publicly, initially counting 54 compromised organizations. Research from Check Point found signs of exploitation attempts as early as July 7, mainly against telecom and technology firms in North America and Western Europe. The count has since grown to more than 400 compromised servers and at least 148 breached organizations, many of which were infected for an extended period before the intrusion was detected.
Ultimately, the NNSA episode underscores a crucial truth for every organization managing critical assets. Vigilance must be constant, with layered defenses, rapid patching, and persistent monitoring forming the backbone of any effective security posture. Patching alone is not enough here: exploitation was under way for roughly two weeks before the fixes shipped, so a server may already be compromised, and Microsoft's guidance for this flaw also called for rotating the SharePoint servers' ASP.NET machine keys and restarting IIS after updating, because the exploit chain was used to extract those keys and they would otherwise let an attacker keep forging valid requests to a patched server. When trusted platforms become a pathway for intrusion, the only real safeguard is relentless attention to detail and a proactive approach to tackling new threats as soon as they emerge.