Foreign hackers breached a US nuclear weapons plant via SharePoint flaws
131 comments
October 21, 2025
crmd
unethical_ban
Companies that don't use Outlook? All five of them?
I've seen companies with varying levels of MS product integration but Outlook is pretty foundational.
Now, if a company says they use SharePoint or Teams to store their documentation, run to the hills. Wikis or bust.
nneonneo
God, Teams is absolutely miserable. Video calling on Teams makes you appreciate just how well Zoom works.
Teams macOS client? Crashes on startup, even after clearing all of my user data.
Teams iOS client? You can join a call by a link, but you can't see the call UI because it's behind the login window.
Teams on Firefox? No video support for years, and most recently just glitches out and shows an empty page when trying to join.
Teams on Chrome? Tried joining a meeting, and was told by the organizers that they couldn't admit me because the button wasn't doing anything.
I've had all four of these things happen within the last month, and it's made me want to tear my hair out. I get that none of these are "Microsoft Edge/native Windows client", but they could at least pretend to care about other platforms...
lenerdenator
> Now, if a company says they use SharePoint or Teams to store their documentation, run to the hills. Wikis or bust.
It's never just Teams or SharePoint or a wiki. It's almost always some abomination created by putting various bits of knowledge on all three. Also, corporate wikis suck because how your team classifies data is almost invariably different from how someone else wants to see it.
SharePoint, for all of its flaws, typically gets used by the major announcement-and-policy makers at a company, because they just want to use MS stuff (primarily out of ignorance of alternatives), so at least it's somewhat coherent for everyone in the company.
stackskipton
As usual with all these types of posts, people go "HA HA, MICRO$OFT SUCKS" without understanding business practices that keep them afloat.
Don't use Exchange? Cool, what should we use instead? Does it support 15 people all the way up to 150000 people? I used to run Exchange cluster for 70k people, is there other mail software out there complete with non-shared disk redundancy? Where the users connect to single endpoint and software figures it out from there?
Sharepoint with another 2 RCEs. Not shocked, the software is terrible. However, it's the only software that will stand up under load and let us shard it easily. All open-source software is one of those, runs fine in Homelab, likely falls down under load. Few Open Source Developers want to work on this stuff which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage than do this work for free.
Finally, it's somewhat backwards compatible. Most businesses are filled with ancient software that no one has worked on in 20 years. That Excel document with Macros from 1997. With some registry changes degrading security posture, still works. I doubt you will find Office software with that level of backwards compatibility unless they are using Microsoft Office level of compatibility.
Microsoft has a real Gordian knot here and few solutions besides "Backwards compatibility is OVER. Upgrade to modern or GTFO". Meanwhile, I get hit up by $ThreeJobsAgo over some Exchange Web Services solution I slapped together for them in Python they wanted me to upgrade to GraphAPI since Microsoft turned off Exchange Web Services in Office365.
necovek
I see you built a case for a traditional MS product in Exchange, yet this issue is about Sharepoint.
Just like with Windows, Microsoft has built a moat with Exchange, but the question is why do all the companies buy into their full ecosystem, especially for anything relating to web technologies (you even bring up Exchange Web Services), because this they do really badly, and Sharepoint seems to be the worst.
However, I am certain there are big Postfix/Dovecot installations scaling easily to 150k people, but we probably wouldn't know about them. E.g. here are a couple of accounts of people doing that: https://www.reddit.com/r/linuxadmin/comments/32fq67/how_woul...
inopinatus
I was running millions of accounts using Postfix/Dovecot on shared-nothing storage with a single MUA-facing endpoint and complex policy options, and that was years ago.
Fastmail today would be much bigger again, and they’re on CMU Cyrus.
150k is rookie numbers. Perhaps that was meant ironically to satirise mediocre enterprise thinking?
stackskipton
Cool, you got a blog article detailing how that works with Postfix/Dovecot? All clustering articles I'm seeing for those involved shared storage. Fastmail is not very specific how that works.
In any case, Exchange is not just email, it has Calendaring/Contacts stuff going on as well.
MisterTea
> but the question is why do all the companies buy into their full ecosystem,
An old manager I had once told me: "I wish Microsoft made all the software in the world because it works so well together!" He was the guy who bought our company a one-way ticket to O365. He was also woefully tech ignorant and could barely drive software outside of office programs.
stackskipton
I used Exchange because it was what I'm most familiar with. SharePoint operates in a similar manner with all the sharding (though the backend is still MSSQL with its sharding last I checked)
Sure, PostFix/DoveCot will scale if you are doing just email. Once you add GroupWare requirements, PostFix/Dovecot are no longer in same boat.
elevation
Not sure the total number, but a university near me serves 50K active students and hundreds of thousands of alums with Postfix/Dovecot.
BeetleB
How oh how did these nuclear weapons facilities manage to function in the days before Exchange and Sharepoint?
stackskipton
Just like everyone else before invention of Email and Document sharing? However, like every other business, no one is willing to slow down velocity for security reasons so now we are here. Unless you have a fix for "Line must go up", market pressures will always cause this.
awesome_dude
Um, email was invented, like, in the last millennium, well before Microsoft was a thing (only slightly sarky)
elevation
How many organizations on the planet require their Exchange server to support 150k users? I doubt most manufacturing plants fall into this category.
stackskipton
They don't, but the whole point is massive Enterprises use the software, people get accustomed to it and want it in their smaller business. So, Microsoft Small Business Server was developed until O365 came along.
vlovich123
You can use hosted versions of Google Workplace or Office365 if you can’t figure out how to secure software (places like this typically can’t clearly). Additionally it enforces a separation of concerns where a compromise of your email server doesn’t lead to a compromise of the plant itself (again - clearly IT didn’t know how to partition the network into different parts).
stackskipton
Sure, this business should have converted to either of those and let someone else take over administration since they were clearly negligent. This is stuff that FedRAMP or its replacement was supposed to fix but didn't.
vlovich123
FedRAMP is only for hosted software for the federal government afaik, not on-prem and not private companies (nuclear reactors afaik are operated by grids/private operators and the federal gov is responsible for auditing and regulating)
bad_haircut72
I mean this is nuclear weapons we're talking about, who cares about features vs security? They could run the department on snail mail if they tried
nerdponx
> Few Open Source Developers want to work on this stuff which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage then do this work for free.
Or the government could pay people to work on said open source software, providing a benefit to the public along the way. The US government started something like this called "18F" under the Obama administration. It was so effective at making software that was useful to the American public that Trump promptly shut it down 2 months into his second term, in no small part because they had the temerity to develop free-to-use tax filing software.
See
https://handbook.tts.gsa.gov/18f/history-and-values/ https://web.archive.org/web/20250000000000*/https://handbook... https://archive.is/CIXG1
and
https://www.lawfaremedia.org/article/learning-from-the-legac... https://web.archive.org/web/20250000000000*/https://www.lawf... https://archive.is/fmaf6
dudeinjapan
Sharepoint is enterprisey and all but how about "less software/surface area is more" when it comes to nuclear silos?
alexpotato
So I once brought down an alerting system using Excel
(btw, this story is more about unintended consequences instead of MSFT)
- I own an alerting system
- For log based alerts, it looks for a keyword e.g. "alert_log"
- I make a spreadsheet to track data about alerts and call one of the sheets "alert_log"
- Alert system starts going crazy: using tons of CPU, number of alerts processed goes through the roof but not a lot of alerts generated
- Turns out that I was using the cloud version of Excel so any text entered transited the firewall
- Firewall logs store the text "alert_log"
- Alert system thinks it's an alert BUT it's not a real alert so triggers an alert processing alert
- That second alert contains the text from the firewall log and so cycle begins
In other words, systems can operate in weird ways and then cause things to happen you didn't anticipate. It's why things like audits, red teaming and defense in depth all matter.
unethical_ban
As a firewall engineer I have to tell people to make sure to disable traffic logs for syslogs from the firewall for this reason.
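The feedback loop alexpotato describes (a keyword alerter matching its own output echoed through firewall logs) and the mitigation unethical_ban mentions (keep the firewall's traffic log out of the alerter's input) as an added example, not code from either commenter. The log lines, host names, the `alerter` tag and the per-host budget are all constructed for illustration.

```python
"""Keyword-based log alerting with a loop guard (constructed example)."""
import re
from collections import Counter

KEYWORD = "alert_log"
# Sources whose logs merely *quote* other traffic: the firewall's traffic log
# (which echoes any text that crossed the wire) and the alerter itself.
ECHO_SOURCES = {"fw01", "alerter"}
# Every alert the alerter emits is stamped with this tag, so if an emitted
# alert is ever logged and fed back in, it is recognised and dropped.
SELF_TAG = "[alerter-origin]"

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


def classify(line):
    """Decide what a single log line is: a real alert, a self-echo, a
    keyword merely quoted by an echo source, or something to ignore."""
    if SELF_TAG in line:
        return "self"            # our own output came back around
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    if KEYWORD not in m.group("msg"):
        return "ignore"
    if m.group("host") in ECHO_SOURCES:
        return "echo"            # quotes the keyword, is not an alert
    return "alert"


def process(lines, max_alerts_per_host=3):
    """Return (emitted_alerts, counts). Echoes and self-originated lines are
    dropped; a host exceeding its budget is suppressed instead of spawning
    an alert per line, which is what makes a loop explode."""
    counts, per_host, alerts = Counter(), Counter(), []
    for line in lines:
        kind = classify(line)
        counts[kind] += 1
        if kind != "alert":
            continue
        host = LINE_RE.match(line).group("host")
        per_host[host] += 1
        if per_host[host] > max_alerts_per_host:
            counts["suppressed"] += 1
            continue
        alerts.append(f"{SELF_TAG} {host}: {line}")   # tagged on the way out
    return alerts, counts


# Constructed sample input: one real alert, a firewall line echoing a
# spreadsheet tab named "alert_log", one of our own alerts fed back, noise,
# and a host that floods five alerts against a budget of three.
SAMPLE = [
    "2025-10-21T10:00:01 app01 alert_log: disk usage at 95% on /var",
    "2025-10-21T10:00:02 fw01 traffic allow src=10.0.0.5 uri=/sheets/alert_log",
    "2025-10-21T10:00:03 alerter [alerter-origin] app01: raw=alert_log",
    "2025-10-21T10:00:04 app01 INFO heartbeat ok",
] + [f"2025-10-21T10:00:0{i} app02 alert_log: queue depth 10000" for i in range(5, 10)]

if __name__ == "__main__":
    emitted, stats = process(SAMPLE)
    print(len(emitted), "alerts emitted;", dict(stats))
```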
zelphirkalt
Hahaha, how stupid must anyone be to deploy SharePoint anywhere near anything of national security relevance! How can it still be a thing that anyone entrusted with such sensitive matter dares to even touch MS products of the kind of SharePoint? That includes the complete MS Office 365 disaster suite, MS Teams and Edge.
Sounds like they need to seriously redesign their security policies.
count
I have some reaallllly bad news for you on that front.
jahewson
What would you recommend instead?
baobun
For security-critical or sensitive situations, auditability should be a requirement. That requires access to source code and the capability to build it.
belter
Wait until you hear about the guy storing Top Secret Nuclear documents in the public toilet of his resort....
belter
Down voting like it never happened... https://upload.wikimedia.org/wikipedia/commons/5/52/Classifi...
timeon
Or the one that invites journalist to Signal group during combat mission.
givemeethekeys
But, look at everything we get for free! /s
synapsomorphy
Sharepoint is one of the worst, most bug-ridden softwares I've worked with.
It has a bug with Solidworks (3D design suite) that sporadically makes files completely un-openable unless you go in and change some metadata. They are aware of this, doesn't seem to be any limitation preventing them from fixing it, and it has sat unfixed for years.
Microsoft's cloud storage as a whole is an insane tangle where you never know where you'll find something you're looking for or whether it will work. Some things work only in browser, some only in the app, zero enumeration of these things anywhere.
Completely unsurprised and I'm sure there are many more vulnerabilities ripe for the picking.
VladVladikoff
Every time I need to touch anything made by Microsoft lately I am met with multiple levels of glitchiness, straight up bugs, and most frustratingly it's so excruciatingly slow.
Recently I tried to configure a new subdomain to handle mail on 365 and even finding their DKIM configuration section was a mission. Once finding it, I learned that their DNS check fails to properly handle subdomains for email, so you have to put their DKIM keys against your root domain. Genius!
curvaturearth
But wait! 35% of Microsoft's code is now written by AI so surely it will get better
throwforfeds
I'm working on a gov contract right now and they're forcing everyone to migrate off of Slack and into Teams. I somehow have managed to avoid MS corporate products for the better part of two decades. People's tolerance to UX pain seems to be boundless in corporate/fed worlds.
aidos
We sync content to MS hosted Sharepoint using rsync. When the file arrives, they change the internal metadata inside the file, which changes the checksum, which causes rsync to think the content is different and need syncing again.
bArray
Microsoft Word online deletes text in Firefox Linux (maybe others too) for at least two years now [1]. The one thing you want a text editor to do is be able to write text into a document, and somehow this bug goes unfixed. You would think it would be priority #1 for paying customers of Business Office 365 - and yet nothing.
It ended up being easier just to switch to paid Overleaf and teach our non-tech members how to write LaTeX and/or use the built-in editor. The documents are beautiful, Overleaf doesn't miss a beat and we are very happy with their solution.
Microsoft should be ashamed - I don't know how anybody would ever consider using them for any serious production work.
[1] https://learn.microsoft.com/en-us/answers/questions/5216132/...
rs186
Not defending Microsoft in any way but my guess of what's happening:
* Too few people use Firefox to access Office online, they don't care
* Your organization is too small for them to care
bee_rider
Firefox is the only browser other than Chrome (and derivatives) on their OS. The web is supposed to be multi-platform. I guess it isn’t that surprising that modern MS is happy to just live in Google’s ecosystem though.
luckylion
if they will lose data when you're on a rarely used browser, can you really trust them not to lose data in general?
"yes, your car exploded, but you were driving on a dirt drive way. it works just fine on the highway"
jmm5
I am a social worker and SharePoint is unfortunately widely used by nonprofit agencies for storing client records. It's a real shame, but they can't afford anything better.
nairboon
That bug has been around for years. I always wondered if that was deliberate. I guess that Microsoft support answer settles the question...
>Sorry for that we may have no enough resources about the Linux environment.
eterm
They've managed to mess up sharepoint even worse lately.
I went there to try to find where company meetings got recorded to.
I went to my sharepoint bookmark, which weirdly is www.office.com after some previous nightmare rebrand.
Except what used to be the way into your sharepoint files, is now just a full page copilot screen with no hint of where the fuck your files are.
Even though you've been visiting this bookmark for years, to get to your sharepoint files.
Ok, so you search bing sign into sharepoint.
Top result is office.com . You ignore it.
Next result is:
https://support.microsoft.com/en-gb/office/sign-in-to-sharep...
This links you to https://m365.cloud.microsoft/
Ok great. Nope! Redirects you back to copilot.
I do NOT want to ask copilot to dig out my files every time you want a file. I want to get back to the directory listing so I can find the directory listing to find the company meeting recording.
How does MS not understand that replacing all UX with copilot is not an improvement, and is not helping sell copilot.
soupfordummies
It's such a critical backbone to so many of their services but they treat it like a forgotten stepchild for the most part
ThinkBeat
How large are the files?
synapsomorphy
Kilobytes or single digit megabytes. It happens because Sharepoint sporadically alters created/edited metadata for any (?) file it stores. Most programs don't care about that but Solidworks does.
downrightmike
Developed and maintained in China by Chinese nationals, with untechnical escorts overseeing their work.
MikeNotThePope
Reminds me of https://howfuckedismydatabase.com/mssql/.
bhewes
As a company that supports OT systems we hate seeing level 5 in the Purdue model with direct write access to level 1 and 0.
cj
Link describing the acronyms in the above comment:
https://www.paloaltonetworks.com/cyberpedia/what-is-the-purd...
bhewes
Thanks CJ, I live with that chart, but forget maybe most don't. And to add, 4 to level 2-0 can also be an attack vector, but seeing straight 5 to 1-0 happens more than people want to admit, even with the "firewalls"
lenerdenator
Side gripe:
I'm sitting here with a very performant computer running its native web browser.
It's ridiculous that I kept losing my place in that article because the page kept getting shifted to fit yet another damn ad (there were at least three in-view at all times as I was looking at it) onto the screen.
Either make the ads fast and don't load the page until they're all there, or better yet, admit that online content isn't a way to make your private equity group even more obscenely rich, and cut back on the monetization that you put on it.
OutOfHere
Whoever puts a nuclear fission facility on the internet should be put behind bars.
photochemsyn
The timeline here is interesting. Microsoft releases info and instructions for mitigation on July 19, and a more complete report on July 22nd, here's a copy of that:
Then according to this report, 'sometime in August' the exploit is used against the Honeywell-managed nuclear facility, since it wasn't patched, if I read correctly? So it really could have been anyone, and it's hardly just Russia and China who have a record of conducting nuclear espionage in the USA using their nation-state cybercapabilities (Israel?). As the article notes:
> "The transition from zero-day to N-day status, they say, opened a window for secondary actors to exploit systems that had not yet applied the patches."
Also this sounds like basically everything that goes into modern nuclear weapons, including the design blueprints. Incredible levels of incompetence here.
> "Located in Missouri, the KCNSC manufactures non-nuclear mechanical, electronic, and engineered material components used in US nuclear defense systems."
gnabgib
.. still 3 months ago CVE-2025-53770
(809 points, 447 comments) https://news.ycombinator.com/item?id=44629710
US Nuclear Weapons Agency Breached in Microsoft SharePoint Hack (18 points) https://news.ycombinator.com/item?id=44654869
darepublic
That guy who jumped the office chair will be the end of us all
zkmon
The jump was amazing though! At his age.
One of the first things I do after getting an inquiry from a recruiter or friend referral is lookup the MX record for the company’s email domain. It is an anonymous one-command check to see if they’re a Microsoft shop.
If they are, it’s enormous personal red flag. MSFT is very popular so I’m only speaking about my own experience, but I have learned over the course of 20 years that an MSFT IT stack is highly correlated with me hating the engineering culture of an organization.
I know I am excluding a lot of companies with great engineering culture where I would thrive and who just happen to use Outlook/Sharepoint/Teams, etc. but it has had such better predictive power of rotten tech culture than any line of questioning I have come up with during interviews that I still use it.
I don’t mean any disrespect to MSFT-centric engineers out there - it’s not you it’s me.