Nuclear Safety NNSA hacked article

31 bookmarks
Elon Musk's DOGE staffers don't have access to U.S. nuclear secrets, Energy secretary says
Secretary of Energy Chris Wright said three DOGE staffers are working at the department.
“I’ve heard these rumors. They’re like seeing our nuclear secrets. None of that is true at all,”
“I know exactly who they are,” the secretary said. “They run through, checked by our security, and they have access to look around, talk to people and give us some good feedback on how things are going.”
He was granted access to basic IT systems such as email and Microsoft 365, one of the people told CNN.
Wright told CNBC that the staffers “don’t have anybody’s proprietary information.”
A DOGE staff member, Marko Elez, resigned Thursday after The Wall Street Journal connected the 25-year-old to a social media account that made racist posts. Elez had received approval from a federal judge earlier in the day to access the Treasury Department’s payment system, but the judge restricted his ability to share data from that system.
·cnbc.com·
China behind vast global hack involving multiple US agencies
A significant flaw in a widely used Microsoft product allowed multiple Chinese-linked hacking groups to breach dozens of organizations across the globe and at least two U.S. federal agencies.
Microsoft confirmed in a blog post Tuesday that three Chinese hacking gangs — known as Violet Typhoon, Linen Typhoon and Storm-2603 — are involved in the hacking effort.
The first U.S. official said government investigators currently suspect at least “four to five” federal agencies were breached, while more agencies are yet to be fully investigated. The second added they were briefed Monday that “more than one” federal agency was impacted.
·politico.com·
Sen. Markey, Rep. Beyer Highlight Concerns Over DOGE Access to Nuclear Security Information
23-year-old former SpaceX intern, who does not have the appropriate security clearances needed to access DOE’s IT system, received access over the objections of members of its general counsel and chief information officers.
and potentially wreaking havoc with vital information systems.”
It's not potential at this point.
Have any DOGE staffers been given access to NNSA classified nuclear weapons information, specifically Restricted Data, Formerly Restricted Data, or Critical Nuclear Weapon Design Information?
Have any DOGE staffers with access to classified information had significant outside financial interests, foreign contacts, or other affiliations that could pose security concerns?
If senior NNSA employees leave the organization, how do you plan to maintain security and secrecy of nuclear weapons and related information?
·markey.senate.gov·
Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated August 12). Palo Alto Networks provides the VPN for DOE etc., so it makes sense they're highly engaged... suggesting it's more than just DOE?
Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization.
·unit42.paloaltonetworks.com·
Disrupting active exploitation of on-premises SharePoint vulnerabilities

Indicators of compromise (IP addresses, defanged):
131.226.2[.]6 - post-exploitation C2
134.199.202[.]205 - IP address exploiting SharePoint vulnerabilities
104.238.159[.]149 - IP address exploiting SharePoint vulnerabilities
188.130.206[.]168 - IP address exploiting SharePoint vulnerabilities
65.38.121[.]198 - post-exploitation C2 for Storm-2603

These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365.
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers.
Microsoft observed multiple threat actors conducting reconnaissance and attempting exploitation of on-premises SharePoint servers through a POST request to the ToolPane endpoint.
In observed attacks, threat actors send a crafted POST request to the SharePoint server, uploading a malicious script named spinstall0.aspx. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx, etc. The spinstall0.aspx script contains commands to retrieve MachineKey data and return the results to the user through a GET request, enabling the theft of the key material by threat actors.
Since 2012, Linen Typhoon has focused on stealing intellectual property, primarily targeting organizations related to government, defense, strategic planning, and human rights.
Since 2015, the Violet Typhoon activity group has been dedicated to espionage, primarily targeting former government and military personnel, non-governmental organizations (NGOs), think tank
using Mimikatz, specifically targeting the Local Security Authority Subsystem Service (LSASS) memory to extract plaintext credentials. The actor moves laterally using PsExec and the Impacket toolkit, executing commands using Windows Management Instrumentation (WMI). Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments.
Fast reverse proxy tool used to connect to C2 IP 65.38.121[.]198.
·microsoft.com·
July NNSA hack China UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities | CISA
Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
·cisa.gov·
Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic) | CISA
Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure. This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.
For certain Commvault customers, rotate their application secrets, rotate those credentials on Commvault Metallic applications and service principals available between February and May 2025.[2] Note: This mitigation only applies to a limited number of customers who themselves have control over Commvault’s application secrets.
·cisa.gov·
Disclosed April, not patched till September: Commvault releases patches for two nasty bug chains after exploits proven
Researchers disclosing their findings said 'it's as bad as it sounds'
They then found the method in Commvault's code used to decrypt passwords, and used it against the retrieved admin password to log in as that admin. Notably, during watchTowr's version of the disclosure timeline, Commvault originally pushed back on this bug, saying it couldn't be feasibly exploited in real-world scenarios.
The vendor argued the flaw was impractical, which may explain why the make-me-admin bug carries the lowest severity score (5.3) of all four vulnerabilities, namely because of the conditions that highly limit the exploitability.
·theregister.com·
Cyber attacks USA 2025, 2024 TRIED TO HACK FERMILAB BITCHES
List of cyberattacks and ransomware attacks on businesses, organizations, and government entities in the United States.
U.S. nuclear weapons agency affected by cyber attack: National Nuclear Security Administration (NNSA), Washington, D.C., USA.
U.S. research institution affected by cyber attack: Fermi National Accelerator Laboratory (Fermilab), Batavia, Illinois, USA (Kane County, DuPage County). Affected via MS SharePoint.
·konbriefing.com·