SharePoint servers at the NIH in Bethesda, Maryland, were among the worldwide victims of a breach targeting the Microsoft collaboration software.
13:01 JST, July 24, 2025
The National Institutes of Health and the federal agency responsible for securing the nation’s nuclear weapons were among the victims in a global breach of Microsoft server software over the weekend, according to officials at the agencies.
The incident at NIH, which has not been previously reported, involved at least one Microsoft SharePoint server system, said Andrew Nixon, a spokesman for the Department of Health and Human Services, and its scope and severity are being investigated.
The compromise at the National Nuclear Security Administration, an arm of the Energy Department, did not affect any classified information, said a person familiar with the matter who, like others, spoke on the condition of anonymity to discuss nonpublic matters. It was first reported by Bloomberg News. The NNSA helps keep 5,000 nuclear warheads secure and ready, guards against radiation leaks, and ensures that weapons do not mistakenly detonate.
An NNSA spokesperson said attacks using a “zero-day vulnerability” had begun affecting the Energy Department, including the NNSA, on Friday. “The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems,” the spokesperson said. Only versions of SharePoint that are hosted by the customer, not those in the cloud, are vulnerable.
The spokesperson said only “a very small number of systems” were affected, adding: “NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate.”
An internal email written by an NIH information technology official and viewed by The Washington Post said the agency’s cybersecurity team was working to remediate the SharePoint attack, which was part of a global campaign that targeted government agencies, businesses, universities and other organizations in the United States, Europe and Asia.
Hackers connected to the Chinese government were behind at least some of the attacks in the past few days, defenders working on the intrusions said in interviews. Security firms helping affected customers said that many hacking groups are now trying to exploit the SharePoint flaw and that blueprints for attack methods have been circulating, including on public sites.
The operator of most of California’s electric grid was also targeted, according to a person familiar with the matter. That nonprofit, the California Independent System Operator, neither confirmed nor denied a breach, but said it “took immediate and decisive actions to assess and contain the threat.”
“There has been no impact to market operations or grid reliability due to this incident,” it said. “All systems remain stable and fully operational.”
The NIH email said eight servers were disconnected from the internet and isolated. One was compromised, and two showed evidence of attempted breaches that were blocked. The servers taken offline were used to host NIH websites, including websites for the National Institute of Diabetes and Digestive and Kidney Diseases and the Fogarty International Center, which supports global health research and trains scientists.
The National Institutes of Health is the country’s biggest funder of biomedical research, supporting studies that delve into a wide range of basic research and human health conditions.
“We are actively investigating the scope and severity of the incident, while taking all necessary steps to protect sensitive information and strengthen system security with our partners moving forward,” HHS spokesman Nixon said. He added that while one server was impacted, others were isolated as a precaution. “We have no indication that any information was exfiltrated as a result of this SharePoint vulnerability,” he added.
The FBI and other agencies are investigating the compromise of Microsoft’s SharePoint collaboration software. The company issued the last of three patches for affected versions of its software on Monday.
A spokeswoman for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which was alerted to the issue on Friday by a cybersecurity firm, warned Sunday that hackers were exploiting a software flaw that could allow them full access to information being exchanged on the SharePoint systems. That information could include file systems and login and password data.
Because SharePoint is often used in tandem with other Microsoft programs and databases. Another major concern is that hackers left back doors in some targets that will allow them to return.
The Chinese Embassy did not address the country’s alleged role in the hacking wave, but it questioned the strength of the evidence in past accusations. “Cyberspace is characterized by strong virtuality, difficulty in tracing origins, and diverse actors, making the tracing of cyberattacks a complex technical issue,” embassy spokesman Liu Pengyu said in an email.
Treasury Secretary Scott Bessent told Bloomberg Television on Wednesday that the SharePoint hacks would be discussed during trade talks with Chinese officials in Stockholm next week.
Alex Stamos, chief information security officer at SentinelOne, said that SharePoint systems hosted on a customer’s premises were a natural weak spot and that transitioning to the cloud would be much safer. “Nobody should be running Microsoft on-premise products anymore,” he said.
The wave of attacks comes at a difficult time for both Microsoft and CISA, the lead U.S. agency for helping to protect civilian entities from cyberattacks. Microsoft had been alerted to a security weakness in SharePoint recently and issued a fix. But hackers discovered that the fix was inadequate and figured out a way around it.
The company has been widely criticized over the past few years for other security mistakes in its core products and internal architecture, including one that allowed Chinese hackers to obtain a digital key that allowed them to validate customers, leading to email breaches at the departments of State and Commerce.
At the same time, Microsoft’s add-on security products have become an increasingly important source of its revenue as it spends more on artificial intelligence.
“Government agencies have become dependent on a company that not only doesn’t care about security, but is making billions of dollars selling premium cybersecurity services to address the flaws in its products,” said Sen. Ron Wyden (D-Oregon).
Microsoft did not respond to a request for comment.
CISA, meanwhile, is reeling from budget cuts and high turnover. In March, DHS cut $10 million in funding to the nonprofit Center for Internet Security for routing warnings of cyberattacks to 18,000 state and local entities. The subsequent job cuts slowed the notifications of about 1,000 members exposed to the weekend hacking campaign, the center said.
The center’s chief executive, John Gilligan, said the administration’s budget request for the coming year had no money for CIS, leaving it scrambling to get states to pay membership fees instead.

