Foreign Hackers Breached a US Nuclear Weapons Plant Via SharePoint Flaws (csoonline.com)
Foreign hackers breached the National Nuclear Security Administration's Kansas City National Security Campus (KCNSC) by exploiting unpatched Microsoft SharePoint vulnerabilities. The intrusion happened in August and is possibly linked to either Chinese state actors or Russian cybercriminals. CSO Online notes that "roughly 80% of the non-nuclear parts in the nation's nuclear stockpile originate from KCNSC," making it "one of the most sensitive facilities in the federal weapons complex." From the report: The breach targeted a plant that produces the vast majority of critical non-nuclear components for US nuclear weapons under the NNSA, a semi-autonomous agency within the Department of Energy (DOE) that oversees the design, production, and maintenance of the nation's nuclear weapons. Honeywell Federal Manufacturing & Technologies (FM&T) manages the Kansas City campus under contract to the NNSA. [...] The attackers exploited two recently disclosed Microsoft SharePoint vulnerabilities -- CVE-2025-53770, a spoofing flaw, and CVE-2025-49704, a remote code execution (RCE) bug -- both affecting on-premises servers. Microsoft issued fixes for the vulnerabilities on July 19.
On July 22, the NNSA confirmed it was one of the organizations hit by attacks enabled by the SharePoint flaws. "On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy," a DOE spokesperson said. However, the DOE contended at the time, "The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored." By early August, federal responders, including personnel from the NSA, were on-site at the Kansas City facility, the source tells CSO.
Microsoft and Flaws! (Score:1)
Re: Microsoft and Flaws! (Score:3)
I just assumed all the systems have already been breached (for years). Some more critically than others. After all we ban white hat hacking and the ability to report flaws as bad for business.
Imagine software where they forced updates and broke the SharePoint instead of giving away free access to sensitive data.
WTF, you inglorious mutant bastards! (Score:4, Funny)
If our nukes are connected to SharePoint, we might as well just push the Armageddon button now and git it over with!
Goddammit! You! Fucking! Idiots! #SharepointIsNottaRealProduct!
Here I thot the orange clown would finish us off, but instead it's fucking Microsoft, shouldda figgered
Clippy: (Score:5, Funny)
It looks like you are trying to end civilization. Here, let me help you...
Re:WTF, you inglorious mutant bastards! (Score:4, Insightful)
FTFY.
Re: (Score:3)
Re: (Score:2)
They have to be always online, to get updates
They do not. This is so false in fact, I think you are either drunk, or intentionally lying.
Re: (Score:2)
You think the military doesn't have their own private networks, so they don't need to depend on the public Internet for mission critical communications? How naive.
NNSA is not military (Score:1, Insightful)
You think the military doesn't have their own private networks, so they don't need to depend on the public Internet for mission critical communications? How naive.
The National Nuclear Security Administration is not the military. The NNSA is in the Department of Energy, not the Department of Defense. There was a policy long ago to keep nuclear weapons under as much civilian control as possible. Since anyone lobbing big bombs is a military, pretty much as we define the word "military", there are nuclear warheads on Navy submarines and Air Force bases.
I'll digress a bit and say that I believe the nuclear missiles should with the Army or Space Force. Army knows artil
Re: (Score:2)
Which is why we need to rely on things other than just patching, which they (mostly) did.
Re: (Score:2)
That hasn't ever been true. With that UID it's a certainty you updated software well before you had 24x7 online connectivity.
Re: (Score:2)
>If our nukes are connected to the public Internet, we might as well just push the Armageddon button now and git it over with!
FTFY.
Git is not the best choice for this application, I would suggest using Subversion instead.
Re: (Score:1)
I guess I slept thru that end, who knew?
"Flaws"? Seriously? (Score:4, Insightful)
Why are we trivializing Microsoft fuckups? This should be called gross negligence and total incompetence. Their insecure crap has no place in any professionally managed IT.
Re: (Score:2)
Re: (Score:2)
That's mostly because the installed base is so enormous that it makes MS software the most valuable target. If Peter Norton had been able to turn off his quest for perfection long enough to shove a product out the door early and win the OS wars we might be cursing Commander today instead of Windows. I just thank the gods that Adobe was never an OS company, the same insider contacts that made PDF the official document format for the government would have ensured the installation of their product nationwide
Re: (Score:2)
That's mostly because the installed base is so enormous that it makes MS software the most valuable target.
Not even that is true.
Re: (Score:2)
How do you figure that the most-installed OS on the planet isn't a tempting target?
Re: (Score:3)
Because it is not the most installed OS on the planet.
Re: (Score:2)
OK, most installed non-phone OS.
Re: (Score:2)
Calling for 100% security or claiming somebody else is doing it is manipulative, dishonest and essentially a lie by misdirection. That crappy pseudo-argument has been around and debunked forever, but is still used by some assholes.
The reality is this: Nobody competent asks for 100% security. What competent people ask for is redundancy, generally high security levels and if there are flaws at least have them be ones that are hard to exploit. In particular, zero-days (what happened with SharePoint) need to b
Re: (Score:2)
Or are you implying that ANY use of Microsoft products is gross negligence?
Are you new here? ;) The thumbnail for Microsoft posts on slashdot used to be a picture of bill gates with borg implants. Maybe not always gross negligence, some people using Microsoft products are very aware of their insidiousness. If you want someone to use NSA backdoored spyware, what better OS to put people on?
Re: (Score:2)
Yeah, we get it. You don't like Microsoft. But how could this be called gross negligence if nobody knew about the bugs before they were found?
The negligence will be the result of Microsoft not using proper security procedures (they don't), or not spending enough time looking for bugs when they know they are there (they do know it).
If you believe ANY software can be made 100% secure
This is your fault. You are using a fuzzy definition of "secure." Once "secure" is well enough defined, then you can make the software 100% secure, it's just a matter of money. For example, you can be 100% sure that your code has no SQL injection bugs. You can be 100% sure that your code has no memory errors of certain
Re: (Score:2)
If you believe ANY software can be made 100% secure
This is your fault. You are using a fuzzy definition of "secure." Once "secure" is well enough defined, then you can make the software 100% secure, it's just a matter of money. For example, you can be 100% sure that your code has no SQL injection bugs. You can be 100% sure that your code has no memory errors of certain classes (by using Rust). Using Rust is definitely not my preferred solution, but it IS a solution if you want to go that way.
This is just hiding the difficulty. The real definition of "secure" is inherently fuzzy because it means doing what people expect to happen and not doing what people don't expect to happen. In your case the insecurity is in the fact that you will have given some formal definition of what you expect the system to do but that other people won't understand that definition and will expect and need something to be done which the system definition misses.
Re: (Score:2)
This whole thing about "100% secure" is just a lie by misdirection. Nobody competent is asking for 100% secure.
But maybe make it secure enough that zero-days are really rare, cloud compromises (MS has now had several) do not happen and the usual vulnerability is hard or impossible to practically exploit? You know, like a solid engineering product would? If you compare that standard to what MS delivers, MS looks like a bunch of blithering idiots that cannot do.
Re: (Score:2)
To be fair to Microsoft, Sharepoint was probably never pitched as secure for use in nuclear weapon facilities.
I'm not saying Microsoft's security isn't bad, but you need to take it to another level when you are dealing with state level hackers. Air gaps and machines with immutable software, that kind of thing.
Re: (Score:2)
Sure, formally, MS is in the clear with their insecure crap. They do not assure fitness for anything. But why are people using their stuff for everything then, when it is fit for nothing? And that is the problem right here: The appearance they are projecting vs. the actual reality of their products. And that has to stop.
Re: (Score:2)
What is the alternative to SharePoint that isn't just as bad?
Re: (Score:2)
Basically anything run by people that are actually trying to do more than just earn money and have a real interest in not getting hacked. One core problem with MS is that they are successful and stopped all efforts to do good engineering. Not saying they could have done better engineering, but if they had to compete, they would either have a better product or be long gone from the market.
As to what, that depends. Can be a wiki, a file server service or anything up to any of the managed solutions advertised
homer simpson on patch duty! (Score:2)
homer simpson on patch duty!
Nuclear power plants make excellent targets (Score:2)
Nuclear power plants make excellent targets in wartime — that really helps all the other countries in the coming global climate wars. Just spread them out nicely and show them off proudly, please.
Re: (Score:2)
Re: (Score:1)
You would think so, but apparently not, since the Ukraine power plant is still standing.
It's standing because Russia hopes to use it someday. At the point at which it becomes clear that Russia cannot win, I wouldn't want to be near it.
Re: (Score:2)
Also because
a) nuclear fallout from Ukraine has a tendency to go East because that's the direction of the prevailing winds.
b) at the point that there were some guts around, it was made clear to Russia that any fallout that does come into Western Europe would count for triggering NATO article 5.
Re: (Score:1)
That's mostly because Russia has ringed it with air defense, Ukraine still shells it several times a week.
Re: (Score:1)
How are nuclear power plants related to the fine article?
wait... weren't government entities supposed to ge (Score:2)
1- wait... weren't government entities supposed to get first crack at patches?
2- And how in the fuck do you go unpatching a security vulnerability for so long? ... you're an idiot that needs to go back to school... the moment a patch is released, it gets reverse engineered to find out what was being patched... then that gets targeted... this usually happens in under 36 hours... where you go from patch bein
(if you say "ohh there aren't any proof of concept out in the wild, so we don't need to worry about it"
Re: (Score:2)
But patching ASAP is also a bad idea. What you really need to do is
AVOID putting dangerous stuff on the web!!
Then you can take time to be sure that the "patch" isn't a real screw-up.
Re: (Score:2)
Re: (Score:2)
That's not right either. Advertising and reference manuals should be on the internet. Probably some other stuff that I haven't thought of too. But nothing that needs to be private. If you MUST have it remotely available, give it its own phone line, and put protections on that. Dial-up access has its place.
Re: (Score:2)
If you believe ANY software can be made 100% secure, YOU should be fired for total incompetence. You find vendors with a proven track record, do thorough risk assessments, patch discovered vulnerabilities, and cross your fingers.
Sounds relevant. If they find a bug, is it like an ant that for every one you see, there's a hundred you don't? By patching the instant a patch is released, you've patched that hole. But security is whack-a-mole, next bug pops up soon (by your own admissions). Vulnerabilities everywhere, in every software from every vendor. Kind of seems like the issue is keeping the system online despite it being an insecure idea. Back in the days of the Apollo program, programs were well audite
Re: (Score:2)
"Back in the days of the Apollo program, programs were well audited to make sure no bugs existed. "
Yes, but back in the days of the Apollo program, programs were much, much smaller and easier to check.
Re: (Score:1)
Yes, but back in the days of the Apollo program, programs were much, much smaller and easier to check.
Even then there were three astronauts that died during testing of their systems.
Re: (Score:2)
it's up to your risk matrix.... but i don't see how any risk calculus would allow security patches to sit for this long. And pretty sure it's in violation of the actual rules when it comes to maintaining these systems... fed systems have rules they need to abide by.
I've usually advised deferring major updates by a few weeks so kinks can be worked out, but critical security patches were rolled out ASAP (after a backup was done WITH A TESTED BACKUP/RESTORE procedure) in a gradual roll out. we didn't spend months waiti
Re: (Score:2)
1- wait... weren't government entities supposed to get first crack at patches? 2- And how in the fuck do you go unpatching a security vulnerability for so long?
Assumably the people who chose Microsoft don't have a firm grasp on how to manage a secure system, and their leaky skillset obviously includes keeping patches up to date (and apparently managing a firewall is hard for them, too).
pphht fake news (Score:4, Funny)
Next you're going to tell me that Teams and OneDrive are shit too.
WTF (Score:4, Interesting)
A nuclear weapons facility running SHAREPOINT???!!!??
Hey, Pete Hegseth: This is your responsibility.
What a clown show...
Re: (Score:3, Insightful)
You'll have that with DUI hires.
Re: (Score:3)
It was probably installed long before he rocked up. The fact that people running a weapons facility think it's appropriate to use ANY kind of web based collaboration system or even have the facility connected to the internet AT ALL says a lot about the kind of mouth breathing morons they've put in place to run the IT systems there.
Re: (Score:2)
Don't tell him we have nuclear weapons facilities. Now he'll want to make sure they have the Warrior Ethos and as well....he'll have the employees doing pushups and going out to shoot woodland creatures for lunch. Anyone with bone spurs need not apply. And they'll need to be careful the personnel are not eaten by Haitian pets, I've heard that can happen.
Chinese or Russian, but of course! Who else? (Score:3, Insightful)
The guys in Romania, Pakistan, India, Israel, Ohio can waltz right in, using Chinese/Russian IP addresses.
Sad to see even the "tech" press swallow up this garbage. I guess they're under lots of pressure to conform these days.
The stupidity of using commodity hardware and software on anything nuclear has no limit. But hey, it's cheap
Re: Chinese or Russian, but of course! Who else? (Score:2)
"possibly" is doing all the lifting here...more likely the CIA with the recent anti-China drive in the media.
Oh well (Score:3, Funny)
Thoughts and prayers.
Ditch Microsoft when security is necessary (Score:2)
Built to be "just good enough" to release.
Gartner was right. A flawed development philosophy leads to flawed software and all that entails.
So, why does anyone still trust a shitty dev house's software on a critical system? Seems like courting a disaster to me.