On July 18, 2025, Chinese state-sponsored hackers breached the National Nuclear Security Administration (NNSA), the agency responsible for maintaining America's 5,000+ nuclear warheads, through a SharePoint zero-day exploit chain dubbed "ToolShell." No classified nuclear information was stolen, but the attack exposed serious weaknesses in government infrastructure and marked a notable escalation in cyber operations targeting nuclear facilities.
The attack that shook nuclear security
The breach began with what security researchers now recognize as one of the most elegant exploit chains of 2025. The attackers weaponized vulnerabilities that had been demonstrated at the Pwn2Own Berlin hacking competition just two months earlier, where researcher Dinh Ho Anh Khoa of Viettel Cyber Security earned a $100,000 prize for them. By July this was no longer about prize money; it was about reaching the networks of America's nuclear arsenal managers.
CVE-2025-53770 and CVE-2025-53771 form the pair at the heart of ToolShell. The first is a deserialization-of-untrusted-data bug that lets an attacker execute code on the server without authenticating, effectively handing over the keys to the kingdom. The second is a spoofing flaw: a request carrying a Referer header that points at the sign-out page slips past the authentication check on a privileged endpoint, pretending to be logging out while actually breaking in. Together they created what one security expert called "a perfect storm of vulnerabilities."
The attack's sophistication lay in its simplicity. By sending a specially crafted POST request to `/_layouts/15/ToolPane.aspx` with a spoofed Referer header of `/_layouts/SignOut.aspx`, attackers got SharePoint to skip its authentication check for that request. From there, they exploited unsafe .NET deserialization of attacker-controlled data in the request to execute arbitrary code on the server; the ViewState forgery described below comes later, once the machine keys have been stolen. The entire attack required zero user interaction and could be launched from anywhere on the internet against an exposed server.
The nuclear agency in the crosshairs
The National Nuclear Security Administration isn't just any government agency. It is the semi-autonomous organization within the Department of Energy tasked with maintaining America's nuclear deterrent. Its responsibilities include ensuring nuclear weapons work when needed, preventing accidental detonations, responding to nuclear emergencies, and managing the nation's nuclear stockpile. In other words, it holds some of the most sensitive defense information in existence.
When news broke that NNSA had been breached, alarm bells rang across Washington. However, Department of Energy Press Secretary Ben Dietderich quickly moved to calm fears: "The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted."
The key word here was "minimally." Unlike the SolarWinds breach of 2020, where Russian hackers reached NNSA networks through a trusted software update, this attack hit only legacy on-premises SharePoint servers. The agency's classified networks remained air-gapped and untouched. No nuclear secrets were stolen and no weapons systems were compromised. But the fact that Chinese hackers had breached any NNSA systems sent shockwaves through the cybersecurity community.
Technical anatomy of the ToolShell exploit
For the technically inclined, ToolShell is a masterclass in chaining vulnerabilities. The attack flow worked like this:
Step 1: Authentication Bypass. Attackers sent requests to SharePoint's ToolPane.aspx endpoint with a spoofed Referer header pointing at SignOut.aspx. This simple header manipulation caused SharePoint to skip the authentication check that would normally protect the endpoint.
Step 2: Code Execution. Using the access gained in Step 1, attackers exploited unsafe deserialization of attacker-supplied serialized .NET objects in the request. When the server processed those objects, they executed arbitrary commands.
Step 3: Web Shell Deployment. The attackers dropped a file called `spinstall0.aspx` (with variants such as `spinstall1.aspx` and `spinstall2.aspx`) in SharePoint's LAYOUTS directory. This wasn't a general-purpose web shell; it was written specifically to extract SharePoint's cryptographic keys.
Step 4: Key Theft. The web shell used .NET reflection to reach non-public configuration methods and read the ValidationKey and DecryptionKey (the ASP.NET machine keys) from SharePoint's configuration. These keys are the crown jewels: whoever holds them can sign and encrypt ViewState that the server accepts as its own, so forged requests pass every integrity check.
Step 5: Persistence. With the stolen keys, attackers could keep access even after the patches were applied, because installing a patch does not change the keys. They used ysoserial.net to craft signed ViewState payloads that SharePoint accepted as legitimate, ensuring long-term access to compromised systems. Only rotating the machine keys (and restarting IIS so the new keys take effect) invalidates those payloads.
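The request pattern described earlier and the five steps just listed translate directly into log indicators. As an added example (not code from the original article, from Microsoft or from any vendor's hunting guidance), the Python below parses IIS W3C logs for three signs of ToolShell activity: a POST to ToolPane.aspx with a SignOut.aspx Referer, any hit on a `spinstall*.aspx` web shell, and an authenticated POST to ToolPane.aspx in edit mode, which is flagged at lower severity because legitimate page editors generate it too. It also looks for dropped `spinstall*.aspx` files in a LAYOUTS directory. The log lines are constructed for the example; the `DisplayMode=Edit&a=/ToolPane.aspx` query string reflects publicly reported exploitation traffic, and the default LAYOUTS path is an assumption about a standard SharePoint 16 hive install.

```python
"""Offline hunt for ToolShell indicators in IIS W3C logs and the LAYOUTS directory."""
import re
from dataclasses import dataclass
from pathlib import Path

# Indicators drawn from the public ToolShell reporting: ToolPane.aspx hit with a
# SignOut.aspx Referer (auth bypass) and spinstall*.aspx (key-stealing web shell).
TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(\d+/)?signout\.aspx", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/_layouts/\d+/spinstall\d*\.aspx$", re.IGNORECASE)

# Assumed default location of the 16 hive LAYOUTS folder on a SharePoint server.
DEFAULT_LAYOUTS_DIR = (
    r"C:\Program Files\Common Files\microsoft shared"
    r"\Web Server Extensions\16\TEMPLATE\LAYOUTS"
)

# Constructed sample log: one attacker session (203.0.113.7) that bypasses auth,
# then fetches the web shell, plus a legitimate editor (jdoe) using ToolPane.aspx.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:14:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 312
2025-07-18 22:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 41
2025-07-18 22:20:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jdoe 10.0.0.77 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/start.aspx 200 0 0 120
2025-07-18 22:21:00 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\jdoe 10.0.0.77 Mozilla/5.0 - 200 0 0 55"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = exploitation indicator, "medium" = needs triage
    rule: str
    line_no: int    # 1-based line number within the input
    when: str
    client_ip: str
    detail: str


def parse_w3c(lines):
    """Yield (line_no, record) for each data row, using the #Fields header for column names."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue  # no header yet, so the columns cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; IIS encodes spaces as '+', so counts should match
        yield n, dict(zip(fields, values))


def scan_iis_log(lines):
    """Return a list of Findings for ToolShell-style requests in the given log lines."""
    findings = []
    for n, rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        method = rec.get("cs-method", "").upper()
        referer = rec.get("cs(Referer)", "-")
        ip = rec.get("c-ip", "?")
        when = f"{rec.get('date', '?')} {rec.get('time', '?')}"
        if WEBSHELL_RE.search(stem):
            findings.append(Finding("high", "webshell-access", n, when, ip, f"{method} {stem}"))
        elif method == "POST" and TOOLPANE_RE.search(stem):
            if SIGNOUT_RE.search(referer):
                findings.append(Finding("high", "toolpane-signout-referer", n, when, ip,
                                        f"referer={referer} query={query}"))
            elif "displaymode=edit" in query.lower():
                # Authenticated editors also POST here, so this alone is only a lead.
                findings.append(Finding("medium", "toolpane-edit-post", n, when, ip, f"query={query}"))
    return findings


def attacker_ips(findings):
    """Client IPs with at least one high-severity finding, sorted for reporting."""
    return sorted({f.client_ip for f in findings if f.severity == "high"})


def find_dropped_webshells(layouts_dir=DEFAULT_LAYOUTS_DIR):
    """List spinstall*.aspx files in a LAYOUTS directory; [] if the path does not exist."""
    root = Path(layouts_dir)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.glob("spinstall*.aspx"))


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] line {f.line_no} {f.when} {f.client_ip} {f.rule}: {f.detail}")
    print("likely attacker IPs:", attacker_ips(scan_iis_log(SAMPLE_LOG.splitlines())))
    print("dropped web shells:", find_dropped_webshells())
```

Run it against a real `u_ex*.log` by passing the file's lines to `scan_iis_log`. A high-severity hit on a server that was internet-exposed before the fix should be treated as a confirmed compromise, which means the machine keys must be assumed stolen and rotated, not just the patch applied.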
Security researcher Michael Sikorski from Palo Alto Networks didn't mince words: "If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point."
Timeline of digital disaster
The ToolShell saga unfolded with alarming speed:
May 17, 2025: Viettel Cyber Security demonstrates the vulnerabilities at Pwn2Own Berlin, winning $100,000.
July 7, 2025: Microsoft's telemetry records the first exploitation attempts by Chinese actors, 11 days before the mass campaign begins.
July 8, 2025: Microsoft releases patches for the original ToolShell vulnerabilities (CVE-2025-49704 and CVE-2025-49706) as part of Patch Tuesday. These patches turn out to be bypassable.
July 14, 2025: Security researchers from Code White GmbH publicly reproduce the ToolShell exploit, inadvertently providing a roadmap for attackers.
July 18, 2025: Mass exploitation begins, with NNSA among the first victims. Dutch security firm Eye Security detects the attacks through CrowdStrike alerts.
July 19-20, 2025: Microsoft scrambles to understand the bypass variants. CISA adds CVE-2025-53770 to its Known Exploited Vulnerabilities catalog.
July 21, 2025: Emergency out-of-band patches are available for all supported on-premises editions. Federal agencies are given a 72-hour deadline to apply them.
July 22, 2025: Microsoft attributes the attacks to Chinese state-sponsored groups.
The rapid escalation from proof-of-concept to nation-state weapon took just two months—a stark reminder of how quickly vulnerabilities can be weaponized in the modern threat landscape.
Microsoft’s response and the incomplete patch fiasco
Microsoft's handling of ToolShell became a case study in the difficulty of patching complex vulnerabilities. The company patched the original ToolShell bugs on July 8, believing the threat was contained. However, those patches only addressed the specific exploit demonstrated at Pwn2Own, not the underlying weakness, and a small variation in the request got around them.
Attackers quickly developed bypass techniques, which Microsoft tracked as new CVEs (CVE-2025-53770 and CVE-2025-53771) that sailed past the July 8 fixes. Benjamin Harris, CEO of watchTowr, criticized the response: "The attacks escalated because Microsoft released incomplete patches, allowing threat actors to develop bypass variants."
When mass exploitation began, Microsoft went into crisis mode. Emergency out-of-band patches were rushed out on July 21, just three days after the attacks started. The company also published mitigation guidance:
- Immediate patching of all on-premises SharePoint servers
- Rotation of the ASP.NET machine keys after patching, followed by an IIS restart (servers whose keys were rotated before the fix landed must rotate again afterwards, since an attacker who ran the web shell against the unpatched server already holds the old keys)
- Enabling Antimalware Scan Interface (AMSI) integration in SharePoint
- Deploying Microsoft Defender on all SharePoint servers
- Disconnecting unpatched, internet-exposed servers from the internet until they can be updated
The patches addressed the immediate threat, but the damage was done. Over 400 organizations worldwide had already been compromised.
The Chinese connection: Attribution and actors
Microsoft attributed the attacks to three distinct Chinese state-sponsored groups, each with its own specialties and target sets:
Linen Typhoon (APT27) has operated since 2012, focusing on intellectual property theft from government and defense organizations. The group is known for patient, methodical operations that prioritize stealth over speed.
Violet Typhoon (APT31) emerged in 2015 with a focus on espionage against former government officials, NGOs, and think tanks. It casts a wide net, often scanning thousands of organizations to find vulnerable entry points.
Storm-2603, the newest player, is attributed to China with only medium confidence. Unlike the others, Storm-2603 has been observed deploying ransomware (Warlock, and previously LockBit) after exploitation, suggesting either a profit motive or destructive intent alongside espionage.
Microsoft assessed "with high confidence that threat actors will continue to integrate these exploits into their attacks." The speed at which these groups weaponized ToolShell, with attempts beginning on July 7, one day before Microsoft's patches, suggests either prior knowledge of the bugs or a very efficient exploit development pipeline.
China's foreign ministry offered its standard denial: "China opposes and fights hacking activities in accordance with the law. We oppose smears and attacks against China under the excuse of cybersecurity issues."
Beyond NNSA: The global impact
While NNSA grabbed the headlines, the ToolShell attacks hit far more than one agency. An early Eye Security scan identified 148 breached organizations across multiple sectors:
- Government: US Department of Education, Florida Department of Revenue, Rhode Island General Assembly
- Healthcare: Multiple hospital systems running legacy SharePoint
- Energy: California Independent System Operator (CAISO) and various utilities
- Education: Universities with research partnerships with defense agencies
- Telecommunications: ISPs and network providers
The common thread? All victims ran on-premises SharePoint servers exposed to the internet. SharePoint Online in Microsoft 365 was not affected, which is why the department's cloud footprint limited its exposure.
Censys internet scans found 9,762 on-premises SharePoint servers still exposed to the internet days after the patches were released, a target-rich environment for opportunistic attackers, since exposure alone does not show which were patched. Security experts warned that publicly available proof-of-concept code meant even low-skilled attackers could now launch ToolShell attacks.
Security implications for nuclear infrastructure
The NNSA breach alarmed the nuclear security community. Although no classified systems were compromised, experts warned about the broader implications.
Edwin Lyman from the Union of Concerned Scientists explained the risk: "While classified nuclear networks are air-gapped, breaches of unclassified systems can expose sensitive information about nuclear materials, personnel data, and operational insights useful for social engineering attacks."
The incident highlighted a troubling pattern in nuclear facility cybersecurity. A Chatham House analysis noted that the nuclear industry was "a comparatively late starter in considering cybersecurity," with many facilities still running decades-old systems never designed for internet connectivity.
This wasn’t the first time nuclear facilities faced cyber threats:
- 2009-2011: Stuxnet destroyed roughly 1,000 Iranian centrifuges through industrial control system attacks
- 2020: Russian hackers reached NNSA networks through the SolarWinds supply chain attack
- 2022: Cold River operations targeted US nuclear research laboratories
- 2024: Iranian-aligned hackers claimed to have compromised IT networks at an Israeli nuclear facility
The ToolShell incident fits into an escalating pattern of state-sponsored groups targeting nuclear infrastructure—not necessarily to cause immediate damage, but to gather intelligence and establish persistent access for future operations.
The broader infrastructure nightmare
ToolShell exposed fundamental weaknesses in government IT infrastructure. Despite decades of warnings, many agencies still run legacy on-premises systems that lag on security updates and lack the automatic patching a cloud service gets. The reasons are depressingly familiar:
- Budget constraints: Migrations cost millions and often lack funding
- Regulatory paralysis: Agencies wait for explicit guidance before making changes
- Technical debt: Legacy systems integrate with countless other applications
- Risk aversion: “If it ain’t broke, don’t fix it” mentality
Mark Rorabaugh from InfraShield summarized the challenge: "Nuclear facilities face unique cybersecurity challenges due to resource constraints, regulatory paralysis, and the high costs of security implementations."
The incident also highlighted the dangerous window between vulnerability discovery and patching. Despite Microsoft’s relatively quick response, attackers had already weaponized the exploits and compromised hundreds of organizations. In the age of automated exploitation, even 72 hours is too long.
Expert analysis and future implications
Cybersecurity experts broadly agreed that ToolShell represents a watershed moment for critical infrastructure security. The combination of factors (a nuclear agency among the targets, Chinese attribution, incomplete patches, and rapid weaponization) created a perfect storm.
The attack’s sophistication lay not in novel techniques but in exploiting systemic weaknesses:
- Assuming on-premises equals secure
- Incomplete patch development and testing
- Slow patch deployment in government agencies
- Lack of proactive security measures
Looking forward, experts predict several trends:
- Accelerated cloud migration: Internet-exposed on-premises SharePoint is now widely treated as an unacceptable risk
- Zero-trust architecture: Perimeter security alone proved insufficient once a single exposed server yielded code execution and signing keys
- Supply chain focus: Attacks on widely-used platforms offer maximum impact
- AI-enhanced attacks: Automated vulnerability discovery and exploitation
The geopolitical implications are equally significant. As US-China technology competition intensifies, cyber operations become preferred tools for intelligence gathering below the threshold of war. Treasury Secretary Scott Bessent indicated the SharePoint attacks would be discussed during trade talks with Chinese officials, signaling potential economic consequences.
Lessons learned and the path forward
The ToolShell incident offers critical lessons for defenders:
Technical measures that work:
- Cloud-first architecture with modern security controls
- Automated patching with short, pre-agreed testing windows for emergency fixes
- Cryptographic key rotation as standard practice, and as a mandatory step after any suspected compromise, since a patch alone does not revoke stolen keys
- Network segmentation and zero-trust principles
- Continuous monitoring and threat hunting
Organizational improvements needed:
- Faster information sharing between agencies and private sector
- Streamlined decision-making for emergency responses
- Regular tabletop exercises for zero-day scenarios
- Investment in security talent and tools
- Culture shift from compliance to security
Policy changes required:
- Mandatory security standards for government software
- Liability frameworks for software vendors
- Enhanced international cooperation on attribution
- Deterrence strategies for state-sponsored attacks
- Funding prioritization for critical infrastructure security
The most sobering lesson? This won’t be the last such incident. As one expert noted, “We’re in an era where any widely-used software platform is a national security risk. The question isn’t if the next ToolShell will happen, but when.”
The aftermath and ongoing response
As of late July 2025, the immediate crisis has passed, but the long tail of ToolShell continues. Organizations worldwide are still discovering compromises, rotating keys, and rebuilding systems. The true cost—in remediation hours, lost productivity, and damaged trust—won’t be known for months.
For NNSA and other nuclear agencies, the breach serves as a wake-up call. While no nuclear secrets were stolen this time, the next attack might not be so limited. The agency has accelerated its cloud migration and implemented new security protocols, but questions remain about the security of America’s nuclear infrastructure in an age of persistent cyber threats.