
US Nuclear Agency among 400 organizations breached in massive Chinese cyber espionage campaign

  • Marijan Hassan - Tech Journalist
  • Jul 29
  • 2 min read

The US National Nuclear Security Administration (NNSA) is among more than 400 organizations worldwide compromised in a massive cyber espionage campaign attributed to Chinese state-sponsored hackers.


The breach, first uncovered by Dutch cybersecurity firm Eye Security, involves exploitation of newly disclosed vulnerabilities in Microsoft SharePoint, a widely used enterprise platform for document sharing and collaboration.


The majority of the victims are based in the United States, and the number is expected to grow as investigations continue.


A coordinated campaign

In a blog post released Wednesday, Microsoft said it had observed three separate threat groups—Linen Typhoon, Violet Typhoon, and Storm-2603—using the vulnerabilities to attack on-premises SharePoint servers starting as early as July 7.


These attacks allow hackers to spoof authentication credentials, steal encryption keys, and execute malicious code remotely, providing a covert pathway into sensitive systems.


Eye Security first detected the attack on July 18 after spotting “unusual activity” on a customer’s SharePoint system. A follow-up scan of over 8,000 publicly accessible servers revealed “dozens of compromised systems,” indicating a coordinated mass exploitation effort.


High-value targets

Microsoft said the threat actors are known for targeting government, defense, and human rights organizations, as well as strategic planning, military, academic, and financial sectors across the US, Europe, and East Asia.


  • Linen Typhoon has been active since 2012, focused on intellectual property theft related to defense and state infrastructure.

  • Violet Typhoon, active since 2015, has conducted espionage targeting former military personnel, NGOs, media outlets, and think tanks.

  • Storm-2603 is a newer group, and while Microsoft attributes it to China with “medium confidence,” its affiliations remain unconfirmed.


Microsoft warned that more threat actors are likely to target unpatched SharePoint systems unless urgent updates are applied.


Escalating geopolitical tech tensions

The disclosure comes amid a broader tech decoupling between the US and China. This week, Amazon confirmed it is shutting down its AI lab in Shanghai, while McKinsey has halted China-related AI work. Microsoft and IBM have also scaled back their China-based R&D operations, citing rising geopolitical and security concerns.


Urgent response required

Microsoft has issued security patches and is urging all users of on-premises SharePoint servers, particularly those in critical infrastructure, government, and defense, to install them immediately.


“We assess with high confidence that these threat actors will continue their exploitation efforts against unpatched systems,” the company said.

