A threat actor breached the Kansas City National Security Campus (KCNSC) in August, exploiting unpatched Microsoft SharePoint vulnerabilities, CSOonline reported.
The KCNSC, managed by Honeywell Federal Manufacturing & Technologies under contract with the National Nuclear Security Administration (NNSA), produces around 80% of the non-nuclear components used in US nuclear weapons. The facility is considered one of the most critical and sensitive in the federal weapons complex.
The attackers exploited two SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-49704) patched by Microsoft on July 19. Just days later, on July 22, the Department of Energy (DOE) confirmed that NNSA systems had been impacted by a wave of attacks targeting SharePoint servers.
By early August, the National Security Agency (NSA) had deployed personnel to the Kansas City facility to assist in the incident response. Initially, the DOE said the impact was minimal due to its widespread use of Microsoft’s M365 cloud services.
It remains unclear whether Chinese or Russian actors were behind the intrusion. Microsoft has linked the broader SharePoint exploitation campaign to three Chinese groups, Linen Typhoon, Violet Typhoon, and Storm-2603, which it says were preparing to deploy Warlock ransomware. However, a source familiar with the Kansas City incident said a Russian actor was responsible.
Cybersecurity firm Resecurity, which has tracked the exploitation of the SharePoint flaws, said evidence points mainly to Chinese nation-state groups but does not rule out Russian involvement. Resecurity analysts noted that financially motivated Russian actors may have reverse-engineered the exploits after demonstrations at a Pwn2Own hacking competition in May.