{"id":14983,"date":"2025-10-20T07:01:01","date_gmt":"2025-10-20T07:01:01","guid":{"rendered":"https:\/\/newestek.com\/?p=14983"},"modified":"2025-10-20T07:01:01","modified_gmt":"2025-10-20T07:01:01","slug":"foreign-hackers-breached-a-us-nuclear-weapons-plant-via-sharepoint-flaws","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14983","title":{"rendered":"Foreign hackers breached a US nuclear weapons plant via SharePoint flaws"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A foreign threat actor infiltrated the <a href=\"https:\/\/kcnsc.doe.gov\/\">Kansas City National Security Campus (KCNSC)<\/a>, a key manufacturing site within the National Nuclear Security Administration (NNSA), exploiting unpatched Microsoft SharePoint vulnerabilities, according to a source involved in an August incident response at the facility.<\/p>\n<p>The breach targeted a plant that produces the vast majority of critical non-nuclear components for US nuclear weapons under the NNSA, a semi-autonomous agency within the Department of Energy (DOE) that oversees the design, production, and maintenance of the nation\u2019s nuclear weapons. Honeywell Federal Manufacturing &amp; Technologies (FM&amp;T) manages the Kansas City campus under contract to the NNSA.<\/p>\n<p>The Kansas City campus, Honeywell FM&amp;T, and the Department of Energy did not respond to repeated requests for comment throughout September, well before the current government shutdown. 
NSA public affairs officer Eddie Bennett did respond, saying, \u201cWe have nothing to contribute,\u201d and referred CSO back to the DOE.<\/p>\n<p>Although it is unclear whether the attackers were a Chinese nation-state actor or Russian cybercriminals \u2014 the two most likely culprits \u2014 experts say the incident drives home the importance of securing the IT systems that sit in front of operational technology, since exploits that primarily affect IT can become the route into OT.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-the-breach-unfolded\">How the breach unfolded<\/h2>\n<p>The attackers exploited <a href=\"https:\/\/www.csoonline.com\/article\/4025691\/microsoft-sharepoint-zero-day-breach-hits-on-prem-servers.html\">two recently disclosed Microsoft SharePoint vulnerabilities<\/a> \u2014 CVE-2025-49704, a remote code execution (RCE) bug, and CVE-2025-53770, a variant of that flaw that bypassed Microsoft\u2019s initial patch for it \u2014 both affecting on-premises servers only. Microsoft <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\">began issuing fixes<\/a> for the vulnerabilities on July 19.<\/p>\n<p>On July 22, the NNSA <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2025-07-23\/us-nuclear-weapons-agency-breached-in-microsoft-sharepoint-hack\">confirmed<\/a> it was one of the organizations hit by attacks enabled by the SharePoint flaws. \u201cOn Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy,\u201d a DOE spokesperson said.<\/p>\n<p>However, the DOE contended at the time, \u201cThe department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. 
All impacted systems are being restored.\u201d<\/p>\n<p>By early August, federal responders, including personnel from the NSA, were on-site at the Kansas City facility, the source tells CSO.<\/p>\n<p>Located in Missouri, the <a href=\"https:\/\/www.energy.gov\/ea\/kansas-city-national-security-campus\">KCNSC manufactures<\/a> non-nuclear mechanical, electronic, and engineered material components used in US nuclear defense systems. It also provides specialized technical services, including metallurgical analysis, analytical chemistry, environmental testing, and simulation modeling.<\/p>\n<p>Roughly 80% of the non-nuclear parts in the nation\u2019s nuclear stockpile <a href=\"https:\/\/kcnsc.doe.gov\/about-us\/overview\/\">originate from KCNSC<\/a>. While most design and programmatic details remain classified, the plant\u2019s production role makes it one of the most sensitive facilities in the federal weapons complex.<\/p>\n<h2 class=\"wp-block-heading\" id=\"china-or-russia-conflicting-attribution\">China or Russia? Conflicting attribution<\/h2>\n<p>Microsoft <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/#storm-2603\">attributed the broader wave of SharePoint exploitations<\/a> to three Chinese-linked groups: Linen Typhoon, Violet Typhoon, and a third actor it tracks as Storm-2603. The company said the attackers were preparing to deploy Warlock ransomware across affected systems.<\/p>\n<p>However, the source familiar with the Kansas City incident tells CSO that a Russian threat actor, not a Chinese one, was responsible for the intrusion. 
Cybersecurity company Resecurity, which was monitoring the SharePoint exploitations, tells CSO that its own data pointed primarily to Chinese nation-state groups, but it does not rule out Russian involvement.<\/p>\n<p>Resecurity\u2019s researchers say that while Chinese groups appeared to have developed and deployed the initial zero-day, financially motivated Russian actors may have independently reproduced the exploit before technical details began circulating in late June.<\/p>\n<p>In May, researchers at Viettel Cyber Security <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available\/\">demonstrated an attack chaining two SharePoint flaws<\/a>, CVE-2025-49706 and CVE-2025-49704, at Pwn2Own Berlin. Resecurity researchers tell CSO that those demonstrations likely accelerated the reverse-engineering of the vulnerabilities by multiple threat actors.<\/p>\n<p>Resecurity\u2019s analysts observed early-stage scanning and exploitation activity from infrastructure located in Taiwan, Vietnam, South Korea, and Hong Kong, a distribution pattern consistent with tactics used by Chinese advanced persistent threat (APT) groups to disguise attribution.<\/p>\n<p>\u201cThe root cause of the SharePoint exploitation is closely related to misuse of the Microsoft Active Protections Program (MAPP) by China,\u201d Resecurity researchers tell CSO. \u201cThe most probable perpetrators are Chinese nation-state actors such as Linen Typhoon and Violet Typhoon.\u201d<\/p>\n<p>Still, they say that yet another way that Russia-based threat actors could have acquired knowledge of the vulnerability early on was through underground exchanges or by analyzing network scanning data once the exploit became known. 
The <a href=\"https:\/\/www.csoonline.com\/article\/4027971\/microsofts-incomplete-sharepoint-patch-led-to-global-exploits-by-china-linked-hackers.html\">transition from zero-day to N-day status<\/a>, they say, opened a window for secondary actors to exploit systems that had not yet applied the patches.<\/p>\n<h2 class=\"wp-block-heading\" id=\"could-the-attack-have-reached-operational-systems\">Could the attack have reached operational systems?<\/h2>\n<p>The breach targeted the IT side of the Kansas City campus, but the intrusion raises the question of whether attackers could have moved laterally into the facility\u2019s operational technology (OT) systems, the manufacturing and process control environments that directly support weapons component production.<\/p>\n<p>OT cybersecurity specialists interviewed by CSO say that KCNSC\u2019s production systems are likely air-gapped or otherwise isolated from corporate IT networks, significantly reducing the risk of direct crossover. Nevertheless, they caution against assuming such isolation guarantees safety.<\/p>\n<p>\u201cWe have to really consider and think through how state actors potentially exploit IT vulnerabilities to gain access to that operational technology,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/jensovada\/\">Jen Sovada<\/a>, general manager of public sector operations at Claroty, speaking generally and not about the specific incident, tells CSO.<\/p>\n<p>\u201cWhen you have a facility like the KCNSC where they do nuclear weapons lifecycle management \u2014 design, manufacturing, emergency response, decommissioning, supply chain management \u2014 there are multiple interconnected functions,\u201d Sovada says. 
\u201cIf an actor can move laterally, they could impact programmable logic controllers that run robotics or precision assembly equipment for non-nuclear weapon components.\u201d<\/p>\n<p>Such access, Sovada adds, could also affect distributed control systems (DCS) that oversee quality assurance, or supervisory control and data acquisition (SCADA) systems that manage utilities, power, and environmental controls. \u201cIt\u2019s broader than just an IT vulnerability,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"it-ot-convergence-and-the-zero-trust-gap\">IT\/OT convergence and the zero-trust gap<\/h2>\n<p>The Kansas City incident highlights a systemic problem across the federal enterprise: the disconnect between IT and OT security practices. While the federal government has advanced its zero-trust roadmap for traditional IT networks, similar frameworks for operational environments have lagged, although recent developments point to progress on that front.<\/p>\n<p>\u201cThere\u2019s an <a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/zero-trust\/deploy\/networks\">IT fan chart<\/a> that maps all of the controls for zero trust, segmentation, authentication, and identity management,\u201d Sovada says. \u201cBut there\u2019s also an <a href=\"https:\/\/www.meritalk.com\/articles\/dod-official-sees-new-zero-trust-ot-iot-guidance-in-september\/#:~:text=The%20DoD%20official%20also%20provided,OT%20%E2%80%9Clikely%20around%20August.%E2%80%9D\">OT fan chart<\/a> being developed by the Department of Defense that will define comparable controls for zero trust in operational technology. 
The goal is to marry the two, so that zero trust becomes comprehensive across all network types.\u201d<\/p>\n<p>That alignment, she says, is essential to preventing intrusions like the one that struck KCNSC from cascading into physical operations.<\/p>\n<h2 class=\"wp-block-heading\" id=\"even-non-classified-data-theft-holds-strategic-value\">Even non-classified data theft holds strategic value<\/h2>\n<p>If the source\u2019s claim of Russian involvement is accurate, the attackers may have been financially motivated ransomware operators rather than state intelligence services. But even in that scenario, the data they accessed could still carry strategic value.<\/p>\n<p>\u201cIt would make sense that if it were a ransomware actor and they got this kind of data about nuclear weapons manufacturing, they might pause and hand it off to the appropriate Russian government officials or experts,\u201d Sovada tells CSO.<\/p>\n<p>Although there is no evidence that classified information was compromised, even unclassified technical data can have significant implications. \u201cIt could be something as simple as requirements documents that may not be classified but reveal the level of precision required for components,\u201d Sovada says. \u201cIn weapons manufacturing, a millimeter difference can change a device\u2019s trajectory or the reliability of its arming mechanism.\u201d<\/p>\n<p>Such information could aid adversaries in understanding US weapons tolerances, supply chain dependencies, or manufacturing processes, all of which are sensitive even if not formally secret.<\/p>\n<p>Whether the intruders were Chinese state actors or Russian cybercriminals, the Kansas City breach exposes the fragile intersection of IT and operational security across critical defense infrastructure. As Sovada stresses, \u201cWe can\u2019t just think of zero trust as an IT concept anymore. 
It has to extend into the physical systems that underpin national defense.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A foreign threat actor infiltrated the Kansas City National Security Campus (KCNSC), a key manufacturing site within the National Nuclear Security Administration (NNSA), exploiting unpatched Microsoft SharePoint vulnerabilities, according to a source involved in an August incident response at the facility. The breach targeted a plant that produces the vast majority of critical non-nuclear components for US nuclear weapons under the NNSA, a semi-autonomous agency&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14983\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14983","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14983"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14983\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}