A major cybersecurity incident involving the Kansas City National Security Campus (KCNSC), a facility responsible for producing most non-nuclear components of the U.S. nuclear arsenal, has exposed more vulnerabilities within federal IT infrastructure. Hackers infiltrated the site through two unpatched Microsoft SharePoint flaws in July 2025, raising alarms across defense and cybersecurity communities.
The breach is emblematic of a deeper challenge: legacy IT weaknesses can jeopardize operational technology (OT) systems that directly support national defense operations.
While the attackers reportedly accessed only IT systems, the incident has drawn criticism over how closely IT and OT systems are integrated and whether existing isolation protocols are sufficient to prevent wider compromise.
Why It Matters: The KCNSC breach reflects the fragile separation between administrative IT networks and industrial control systems. Although the breach did not compromise classified data, the possibility of lateral movement or access to unclassified yet strategically valuable information presents serious national security implications.
- Attackers Exploited Known SharePoint Vulnerabilities Shortly After Disclosure: The breach occurred after Microsoft SharePoint vulnerabilities CVE-2025-53770 (a spoofing issue) and CVE-2025-49704 (a remote code execution flaw) were disclosed and patched on July 19, 2025. Hackers began exploiting these flaws days later, targeting systems that had not yet applied the fixes. KCNSC was among the affected organizations, confirming an attack on July 22. The use of on-premises SharePoint servers, rather than cloud-based alternatives like Microsoft 365, left certain federal systems more exposed to rapid exploitation during the vulnerable window.
- Attribution Unclear Amid Signs of Both Chinese and Russian Involvement: Microsoft attributed the broader exploitation campaign to the Chinese nation-state groups Linen Typhoon, Violet Typhoon, and Storm-2603, indicating the attackers were laying groundwork for possible ransomware deployment. However, a source directly involved in the Kansas City incident claimed that independent Russian cybercriminals were the perpetrators. Researchers from Resecurity acknowledged both possibilities, noting that Russian actors could have reverse-engineered the flaws after they were demonstrated at the Pwn2Own Berlin event in May 2025, and that the technical information had likely spread through underground forums and scanning data.
- Operational Technology (OT) Was Not Directly Hit, But Risks Remain: While the attack focused on KCNSC’s IT infrastructure, cybersecurity experts warn that OT systems like programmable logic controllers and SCADA networks could be at risk if attackers gain footholds in IT and move laterally. The campus likely has air-gapped protections in place, but experts emphasize that physical separation is not always a guarantee of security, especially when IT-OT integrations support supply chain functions that could serve as bridge points for intrusions.
- Strategically Sensitive Data May Have Been Accessed Despite Classification Levels: Even though there is no evidence that classified data was stolen, the breach may have yielded valuable insights into U.S. nuclear weapons manufacturing processes. Experts warn that unclassified documents like technical specifications or operational blueprints can still reveal critical information. For example, knowledge of design tolerances or assembly procedures could help adversaries understand the reliability and precision of American weapons systems, or even exploit potential weaknesses in the supply chain.
- The Breach Amplifies the Need for Unified Zero Trust: The KCNSC incident underscores the ongoing gap in cybersecurity maturity between traditional IT networks and operational environments. While federal agencies have advanced their implementation of zero-trust models for IT, similar protections for OT are still in development. Defense experts point to efforts by the Department of War to build a zero-trust framework for industrial systems, but the delay in full implementation leaves facilities like KCNSC vulnerable. Cybersecurity leaders stress that, as digital convergence increases, zero-trust strategies must encompass all interconnected systems to prevent attackers from exploiting soft entry points to reach essential operations.
Go Deeper -> Foreign hackers breached a US nuclear weapons plant via SharePoint flaws – CSO Online