Chinese hackers gained access to the U.S. government agency that oversees nuclear weapons in a widespread Microsoft hack.
Microsoft issued an alert Tuesday warning that hackers affiliated with the Chinese government have been exploiting cybersecurity vulnerabilities in the company’s SharePoint software.
Tens of thousands of servers hosting the software, which is used for sharing and managing documents, were said to be at risk as a result.
The National Nuclear Security Administration, a semi-autonomous agency within the U.S. Department of Energy responsible for maintaining the nation’s stockpile of nuclear weapons, was breached in the attacks on July 18, Bloomberg first reported.
The agency is responsible for providing the Navy with nuclear reactors for submarines and responds to nuclear and radiological emergencies in the U.S. and overseas. No sensitive or classified information has leaked in the cyber attack, according to Bloomberg.
“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy,” an agency spokesman said in a statement to the outlet. “The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored.”
Security firm Eye Security said that 400 organizations and agencies globally were impacted, including national governments in Europe and the Middle East.
Microsoft linked the attack to two main groups, Linen Typhoon and Violet Typhoon, and flagged that another China-based group, Storm-2603, had also targeted its systems.
The Education Department, Florida’s Department of Revenue and the Rhode Island General Assembly were also breached in the attack, according to Bloomberg.
Eye Security warned that the breaches could allow hackers to impersonate users or services by stealing cryptographic keys — alphabetical codes or sequences of characters — even after software updates. Users should take further steps to protect their information, the firm said.
Microsoft said in a message to customers that it has since released “new comprehensive security updates” to deal with the incident.
But security researchers warned that the full extent of the breach and its consequences are yet to be fully revealed.

“This is a critical vulnerability with wide-reaching implications,” Carlos Perez, director of security intelligence at TrustedSec, who previously trained U.S. military cyber protection teams, told The Independent.
“It enables unauthenticated remote code execution on SharePoint servers, which are a core part of enterprise infrastructure. It is already being actively exploited at scale, and it only took 72 hours from the time a proof of concept was demonstrated for attackers to begin mass exploitation campaigns.
“What makes it even more severe is the way it exposes cryptographic secrets, effectively allowing attackers to convert any authenticated SharePoint request into remote code execution. That is a dangerous capability to put into the hands of threat actors.”
Microsoft said it had “high confidence” that firms that do not install the new security updates could be targeted by the groups.
The tech firm said the attackers had been uploading malicious scripts, which are then “enabling the theft of the key material” by hackers.
In a statement, the company added: “Investigations into other actors also using these exploits are still ongoing.”
Additional reporting from agencies.