Foreign Hackers Breached a Us Nuclear Weapons Plant via Sharepoint Flaws
Source: csoonline.com (tech story, high profile). Posted 3 months ago; last active 3 months ago.
Key topics: Cybersecurity, Microsoft SharePoint, Nuclear Security
Foreign hackers breached a US nuclear weapons plant via SharePoint flaws, sparking debate about Microsoft's security and the practice of connecting sensitive facilities to the internet.
Snapshot generated from the HN discussion
Discussion activity (based on 160 loaded comments; very active, averaging 22.9 comments per period):
- Story posted: Oct 21, 2025 at 11:51 AM EDT (3 months ago)
- First comment: Oct 21, 2025 at 11:58 AM EDT (7 minutes after posting)
- Peak activity: 117 comments in the 0-6h window, the hottest period of the conversation
- Latest activity: Oct 24, 2025 at 8:05 AM EDT (3 months ago)
Hacker News ID: 45657287 (story). Last synced: 11/20/2025, 8:14:16 PM
Remember, the industry told us we're in a 'zero trust' world now. The network perimeter is an anachronism.
OTOH you know damn well they keep the important stuff airgapped, in which case the title (and your predictable reaction) is just fanning the flames. It could very well be they 'breached' the receptionist's PC she uses to browse Facebook to pass the time.
> receptionist's PC she uses to browse Facebook to pass the time.
Why does 'her' PC have access to the internet?
It starts with military officers using the hallway photocopiers for secure documents, and ends with TS docs stored in a Florida hotel's restroom.
The decentralized internet is less of a reality today than it was years ago.
The web though I agree isn't very decentralized.
An attacker (read: nation-state actor) wouldn't even need to take down US-East-1, it could just take advantage of the outage.
I assume (hope?) there's some kind of backup comms plan or infra in place for critical events, but I don't actually know.
I'm not sure if Oracle would be better.
Why the special treatment for nuclear? Do you really think redlining a dam or storm-levee system would be less damaging?
Also, turning off internet connections means less-capable remote shut-off. Less-responsive power plants. Fewer eyes on telemetry.
We should be mindful of what is and isn't connected to the internet, and how it's firewalled and--if necessary--air gapped. That doesn't mean sprinting straight for the end zone.
Why does it have to be remote? What's wrong with it being in-house? Besides, a shut-off should never be able to be triggered remotely.
The same goes for digital emergency shut off buttons; all should be physical.
> Less-responsive power plants.
What? How is remote any more responsive than physical workers being in-house?
If power-plants operated efficiently back in the 50's without internet, they should be able to now without internet.
Nothing wrong with it being in house. But having a back-up is never bad.
> How is remote any more responsive than physical workers being in-house?
If the on-site workers are incapacitated. It's a remote (hehe) risk. But so is foreign hackers doing anything with our nukes.
> If power-plants operated efficiently back in the 50's without internet, they should be able to now without internet
If you're fine paying 50s power prices again, sure, I'm sure a power company would happily run their plants retro style.
https://spectrum.ieee.org/electricity-its-wonderfully-afford...
$0.32 is $0.41 according to BLS, which is less than I'm paying today (I live somewhere with expensive electricity), so I'd enjoy the discount if they did!
https://data.bls.gov/cgi-bin/cpicalc.pl?cost1=0.32&year1=201...
Out of curiosity, what was the real power price where you live in the 60s?
It is always an increase in risk, in a security sense.
But that is very geography dependent.
BTW, quite a few of these port scanners are companies that offer to scan your ports for vulnerabilities. Temu pen testing, so to speak.
> What happens if you connect Windows XP to the Internet in 2024?
https://youtu.be/6uSVVCmOH5w
https://ieeexplore.ieee.org/document/5432117
You want to make everything about a nuclear facility bespoke and subject to air-gapped drift? What about the guard booth that verifies people's access, the receptionist who schedules meetings, and the janitor who wants to watch YouTube on his break? It seems unrealistic to lump everything that goes on at a nuclear facility under this umbrella.
Also, the Kansas City Plant is like a watchmaker's factory, not a power plant. They make widgets and gewgaws, not literally split atoms.
For hiring and retaining people, yes. It's understood that the "guts" of what's happening at these facilities needs to be locked down to the max. But, for supporting roles you need to be able to bring people in off the street without 1) a bunch of specialized training on your bespoke way of doing things, and 2) making your employees less attractive on the job market.
Just my opinion, though. Maybe I'm completely off base but it doesn't seem like a good idea to me long-term.
https://en.wikipedia.org/wiki/Operation_Olympic_Games#Histor...
> Dutch engineer Erik van Sabben allegedly infiltrated the Natanz nuclear facility on behalf of Dutch intelligence and installed equipment infected with Stuxnet. He died two weeks after the Stuxnet attack at age 36 in an apparent single-vehicle motorcycle accident in Dubai.
https://en.wikipedia.org/wiki/Erik_van_Sabben
https://en.wikipedia.org/wiki/Operation_Olympic_Games#Histor...
> A programming error later caused the worm to spread to computers outside of Natanz. When an engineer "left Natanz and connected [his] computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed." The code replicated on the Internet and was subsequently exposed for public dissemination. IT security firms Symantec and Kaspersky Lab have since examined Stuxnet. It is unclear whether the United States or Israel introduced the programming error.
Also bearing mention is Flame, which is often left out when Stuxnet comes up, but which was allegedly part of the wider operation.
https://en.wikipedia.org/wiki/Operation_Olympic_Games#Signif...
> The Washington Post reported that Flame malware was also part of Olympic Games.
https://www.washingtonpost.com/world/national-security/us-is... | https://web.archive.org/web/20220322045917/https://www.washi... | https://archive.is/6hRl7
> “We are now 100 percent sure that the Stuxnet and Flame groups worked together,” said Roel Schouwenberg, a Boston-based senior researcher with Kaspersky Lab.
> The firm also determined that the Flame malware predates Stuxnet. “It looks like the Flame platform was used as a kickstarter of sorts to get the Stuxnet project going,” Schouwenberg said.
https://en.wikipedia.org/wiki/Flame_(malware)
> OT cybersecurity specialists interviewed by CSO say that KCNSC’s production systems are likely air-gapped or otherwise isolated from corporate IT networks, significantly reducing the risk of direct crossover. Nevertheless, they caution against assuming such isolation guarantees safety.
This was also not a nuclear facility, however. The article says it makes "non-nuclear components".
In my experience auditing critical infrastructure, most facilities are "air gapped". I put that in quotes because while you can't browse the Internet from the control network(s), there are ways to exfiltrate data. The managers, engineers, regulators, and vendors need to know what is going on in real-time. Back in the day this could've been a serial port connecting two systems for a one-way feed. Now I imagine it's something far more sophisticated and probably more susceptible to abuse.
As an example, you might have a collection of turbines manufactured by GE and GE needs to have real-time data coming from them for safety monitoring and maintenance. The turbines might have one connection for control traffic and another for monitoring. How to secure these vendor connections was always a debate.
Btw, there are strong cybersecurity regulations around critical infrastructure. CIP-005-07 covers security perimeters. You can view them here: https://www.nerc.com/pa/Stand/Reliability%20Standards%20Comp...
The only world where "likely" is a reasonable word is in reference to possible physical taps or a precise enumeration of physical access points that went unaudited, but have reliably followed safe access control/configuration procedures. Anything else is plain incompetence.
This article is full of nonsense and speculation.
It's an answer from talking heads, not from people from the facility.
The root fault with this article, and the resulting discussion, is the extent to which it generalizes over one of the larger organizations in a very complex part of the defense industrial complex. Many parts of KCNSC's operations are absolutely not exposed by this incident. Other parts absolutely are. Determining which fall into which category, and to what extent that is acceptable, keeps quite a few people employed.
Sleep well.
It has a bug with Solidworks (3D design suite) that sporadically makes files completely un-openable unless you go in and change some metadata. They are aware of this, doesn't seem to be any limitation preventing them from fixing it, and it has sat unfixed for years.
Microsoft's cloud storage as a whole is an insane tangle where you never know where you'll find something you're looking for or whether it will work. Some things work only in browser, some only in the app, zero enumeration of these things anywhere.
Completely unsurprised and I'm sure there are many more vulnerabilities ripe for the picking.
It ended up being easier just to switch to paid Overleaf and teach our non-tech members how to write LaTeX and/or use the built-in editor. The documents are beautiful, Overleaf doesn't miss a beat and we are very happy with their solution.
Microsoft should be ashamed - I don't know how anybody would ever consider using them for any serious production work.
[1] https://learn.microsoft.com/en-us/answers/questions/5216132/...
* Too few people use Firefox to access Office online, they don't care
* Your organization is too small for them to care
It's pretty much the majority of their Linux users. Firefox is often the default browser on many distros due to the Chrome/Chromium data sharing concern.
> * Your organization is too small for them to care
Then why even have a business tier if not for the support?
The result of Microsoft's current stance is simply that users look elsewhere. I mentioned Overleaf, but Google Docs is also a solid choice. For local editing we are using LibreOffice.
Sure, but for heavy users of office 365, how many use Linux to begin with?
"yes, your car exploded, but you were driving on a dirt drive way. it works just fine on the highway"
I know for example that some companies will hire subcontractors for high risk parts of a project, just so that there is somebody to blame if anything goes wrong.
>Sorry for that we may have no enough resources about the Linux environment.
I remember years ago there was a browser demo, some kind of game I think, that would only be played on Internet Explorer. If you changed your User Agent string to be Internet Explorer, the demo would work entirely without issue. I think this was prior to Microsoft getting a large fine for not offering other browser choices.
> >Sorry for that we may have no enough resources about the Linux environment.
That is a difficult to parse sentence. "may" indicates uncertainty about the claim about to be made. "have no enough resources" seems to indicate that there is not enough engineering time available. "about the Linux environment" seems to indicate that it is a knowledge gap. Very strange.
How did that go? :)
Recently I tried to configure a new subdomain to handle mail on 365 and even finding their DKIM configuration section was a mission. Once finding it, I learned that their DNS check fails to properly handle subdomains for email, so you have to put their DKIM keys against your root domain. Genius!
Edit to say: this is for MS files like Excel docs
If a file server breaks basic Unix tools it should be unplugged and put in the garbage.
I went there to try to find where company meetings got recorded to.
I went to my sharepoint bookmark, which weirdly is www.office.com after some previous nightmare rebrand.
Except what used to be the way into your sharepoint files, is now just a full page copilot screen with no hint of where the fuck your files are.
Even though you've been visiting this bookmark for years, to get to your sharepoint files.
Ok, so you search bing sign into sharepoint.
Top result is office.com . You ignore it.
Next result is:
https://support.microsoft.com/en-gb/office/sign-in-to-sharep...
This links you to https://m365.cloud.microsoft/
Ok great. Nope! Redirects you back to copilot.
I do NOT want to ask copilot to dig out my files every time you want a file. I want to get back to the directory listing so I can find the directory listing to find the company meeting recording.
How does MS not understand that replacing all UX with copilot is not an improvement, and is not helping sell copilot.
I've no idea how to find the "proper" way into the system.
They also targeted the IT side, not the operational side, which, according to the article, is likely to be airgapped. Even sensitive production facilities need some internet access; people work there and, like everyone else, they need food, office supplies, toilet paper, etc... They can't be cut off from the rest of the world completely.
Not having internet access at all is like not having your building connected to public roads. That makes it harder (but not impossible) for bad guys to come, but it is so much of a hassle that almost no one does that. Instead, they use gates and checkpoints.
Same idea for internet access. They have internet access, but they have security systems, from traditional firewalls and VPNs to airgaps.
Security is about letting the good guys in while keeping the bad guys out; the latter is meaningless without the former. That's why security is hard: if it was just about blocking everything, it would be easy, but nothing would get done.
Sounds like they need to seriously redesign their security policies.
Decisions like these need to be done from first principles. SharePoint shouldn't even have been a contender here if looked at seriously. Do your own homework.
Vendors can be accountable without providing source code, for example through contracts specifying performance.
I don't know how large Sharepoint's source is, though it has many components and I assume there is quite a bit of code. Auditing the source code of something like Microsoft Office seems almost impossible.
> first principles.
What does that mean in this context?
https://www.paloaltonetworks.com/cyberpedia/what-is-the-purd...
I don't see news about that much - but to be fair, I am not looking for it.
How do you know it's happening?
Don't use Exchange? Cool, what should we use instead? Does it support 15 people all the way up to 150000 people? I used to run an Exchange cluster for 70k people; is there other mail software out there complete with non-shared disk redundancy? Where the users connect to a single endpoint and the software figures it out from there?
Sharepoint with another 2 RCEs. Not shocked, the software is terrible. However, it's the only software that will stand up under load and let us shard it easily. All open-source software is one of those that runs fine in a homelab and likely falls down under load. Few open source developers want to work on this stuff, which I get because it's tedious work interfacing with computer-illiterate end users. I'd rather chug sewage than do this work for free.
Finally, it's somewhat backwards compatible. Most businesses are filled with ancient software that no one has worked on in 20 years. That Excel document with macros from 1997? With some registry changes degrading the security posture, it still works. I doubt you will find office software with that level of backwards compatibility unless it is using Microsoft Office's level of compatibility.
Microsoft has a real Gordian knot here and few solutions besides "Backwards compatibility is OVER. Upgrade to modern or GTFO". Meanwhile, I get hit up by $ThreeJobsAgo over some Exchange Web Services solution I slapped together for them in Python; they wanted me to upgrade it to the Graph API since Microsoft turned off Exchange Web Services in Office365.
Microsoft was founded in 1975. The standard for SMTP wasn't published in 1981. Most early predecessors were the late 70s.
In 1971 Ray Tomlinson sent the first mail message between two computers on the ARPANET, introducing the now-familiar address syntax with the '@' symbol designating the user's system address.[2][3][4][5] Over a series of RFCs, conventions were refined for sending mail messages over the File Transfer Protocol. Several other email networks developed in the 1970s and expanded subsequently.
Proprietary electronic mail systems began to emerge in the 1970s and early 1980s. IBM developed a primitive in-house solution for office automation over the period 1970–1972, and replaced it with OFS (Office System), providing mail transfer between individuals, in 1974.
Market pressures dominate nuclear weapons development?
No one wants to go back to that.
Just like with Windows, Microsoft has built a moat with Exchange, but the question is why do all the companies buy into their full ecosystem, especially for anything relating to web technologies (you even bring up Exchange Web Services), because this they do really badly, and Sharepoint seems to be the worst.
However, I am certain there are big Postfix/Dovecot installations scaling easily to 150k people, but we probably wouldn't know about them. Eg. here a couple of accounts of people doing that: https://www.reddit.com/r/linuxadmin/comments/32fq67/how_woul...
Fastmail today would be much bigger again, and they’re on CMU Cyrus.
150k is rookie numbers. Perhaps that was meant ironically to satirise mediocre enterprise thinking?
Try managing a calendar or booking resources.
But no, people get self backdoored by using Exchange... Or cloud :) Or AI hosted by someone else...
It's a serious post, unfortunately.
But at the same time, within an org of 150k people, we have separate people to support our Teams usage, our Outlook usage, our AD/Entra usage: with the same number of "sysadmins", could we do the same with an open source stack?
I don't know, but I know the bugs I see with MS365.
In any case, Exchange is not just email, it has Calendaring/Contacts stuff going on as well.
Sure, Postfix/Dovecot will scale if you are doing just email. Once you add groupware requirements, Postfix/Dovecot are no longer in the same boat.
Or the government could pay people to work on said open source software, providing a benefit to the public along the way. The US government started something like this called "18F" under the Obama administration. It was so effective at making software that was useful to the American public that Trump promptly shut it down 2 months into his second term, in no small part because they had the temerity to develop free-to-use tax filing software.
See
https://handbook.tts.gsa.gov/18f/history-and-values/ https://web.archive.org/web/20250000000000*/https://handbook... https://archive.is/CIXG1
and
https://www.lawfaremedia.org/article/learning-from-the-legac... https://web.archive.org/web/20250000000000*/https://www.lawf... https://archive.is/fmaf6
I'm shocked. Shocked, I tell you.
https://archive.ph/plNZU
Then according to this report, 'sometime in August' the exploit is used against the Honeywell-managed nuclear facility, since it wasn't patched, if I read correctly? So it really could have been anyone, and it's hardly just Russia and China who have a record of conducting nuclear espionage in the USA using their nation-state cybercapabilities (Israel?). As the article notes:
> "The transition from zero-day to N-day status, they say, opened a window for secondary actors to exploit systems that had not yet applied the patches."
Also this sounds like basically everything that goes into modern nuclear weapons, including the design blueprints. Incredible levels of incompetence here.
> "Located in Missouri, the KCNSC manufactures non-nuclear mechanical, electronic, and engineered material components used in US nuclear defense systems."
What?
Gee, who would have guessed this isn't secure.
(809 points, 447 comments) https://news.ycombinator.com/item?id=44629710
US Nuclear Weapons Agency Breached in Microsoft SharePoint Hack (18 points) https://news.ycombinator.com/item?id=44654869