Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.
NNSA is a semi-autonomous U.S. government agency part of the Energy Department that maintains the country's nuclear weapons stockpile and is also tasked with responding to nuclear and radiological emergencies within the United States and abroad.
A Department of Energy spokesperson confirmed in a statement that hackers gained access to NNSA networks last week.
"On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA," Department of Energy Press Secretary Ben Dietderich told BleepingComputer. "The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems."
Dietderich added that only "a very small number of systems were impacted" and that "all impacted systems are being restored."
As first reported by Bloomberg, sources within the agency also noted that there's no evidence of sensitive or classified information compromised in the breach.
The APT29 Russian state-sponsored threat group, the hacking division of the Russian Foreign Intelligence Service (SVR), also breached the U.S. nuclear weapons agency in 2019 using a trojanized SolarWinds Orion update.
Attacks linked to Chinese state hackers, over 400 servers breached
On Tuesday, Microsoft and Google linked the widespread attacks targeting a Microsoft SharePoint zero-day vulnerability chain (known as ToolShell) to Chinese state-sponsored hacking groups.
"Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers," Microsoft said.
"In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing."
Dutch cybersecurity firm Eye Security first detected the zero-day attacks on Friday, stating that at least 54 organizations had already been compromised, including national government entities and multinational companies.
Cybersecurity firm Check Point later revealed that it had spotted signs of exploitation going back to July 7th targeting dozens of government, telecommunications, and technology organizations in North America and Western Europe.
Detailed blueprints of Russia’s modernized nuclear weapon sites, including missile silos, were found leaking in public procurement database.
Russia is modernizing its nuclear weapon sites, including underground missile silos and support infrastructure. Data, including building plans, diagrams, equipment, and other schematics, is accessible to anyone in the public procurement database.
Journalists from Danwatch and Der Spiegel scraped and analyzed over two million documents from the public procurement database, which exposed Russian nuclear facilities, including their layout, in great detail. The investigation unveils that European companies participate in modernizing them.
According to the exclusive Der Spiegel report, Russian procurement documents expose some of the world’s most secret construction sites.
“It even contains floor plans and infrastructure details for nuclear weapons silos,” the report reads.
German building materials and construction system giant Knauf and numerous other European companies were found to be indirectly supplying the modernization through small local companies and subsidiaries.
Knauf condemned the Russian invasion of Ukraine and announced its intention to withdraw from its Russian business in 2024. Knauf told Der Spiegel that it only trades with independent dealers and cannot control who ultimately uses its materials in Russia.
Danwatch jointly reports that “hundreds of detailed blueprints” of Russian nuclear facilities, exposed in procurement databases, make them vulnerable to attacks.
“An enormous Russian security breach has exposed the innermost parts of Russia’s nuclear modernization,” the article reads.
“It’s completely unprecedented.”
The journalists used proxy servers in Russia, Kazakhstan, and Belarus to circumvent network restrictions and access the documents. The rich multimedia in the report details the inner structure of bunkers and missile silos.
The French government said it would seek “a national solution” to protect Atos, a debt-burdened company that serves nuclear programs and the military.
In 2008, a Dutchman played a crucial role in the United States and Israeli-led operation to sabotage Iran’s nuclear program. The then 36-year-old Erik van Sabben infiltrated an Iranian nuclear complex and released the infamous Stuxnet virus, paralyzing the country’s nuclear program. The AIVD recruited the man, but Dutch politicians knew nothing about the operation, the Volkskrant reports after investigating the sabotage for two years.
Regime has trained cybercriminals to impersonate tech workers or employers, amid other schemes
