Oracle's stock exploded 40% after revealing a $455B AI contract backlog and projections for $144B cloud revenue by 2030. The surge made Larry Ellison briefly the world's richest person—but can the company turn massive bookings into sustainable margins?
Publishers like Reddit and Yahoo launched a new licensing standard to charge AI companies for training data. The Really Simple Licensing protocol lets sites demand payment per crawl or per AI response. No major AI company has agreed to comply yet.
Good Morning from San Francisco, Meta's $72 billion talent splurge hits turbulence. ChatGPT co-creator Shengjia Zhao nearly bailed
Chinese hackers breached America's nuclear weapons agency via Microsoft SharePoint flaws, part of a campaign hitting 400+ organizations worldwide. No classified data stolen, but shows how zero-day exploits can reach sensitive infrastructure.
💡 TL;DR - The 30 Seconds Version
🚨 Chinese hackers breached the US National Nuclear Security Administration through Microsoft SharePoint zero-day vulnerabilities, marking one of the most serious cyber intrusions into America's nuclear infrastructure this year.
📊 The attack campaign compromised over 400 organizations worldwide, with victim count jumping from initial estimates of 60 to 400+ in recent days.
🛡️ No classified nuclear information was stolen because the agency relies heavily on Microsoft's cloud services, while the exploit only affects on-premises SharePoint installations.
🏭 Three Chinese hacking groups exploited the vulnerabilities starting July 7, two months after researchers demonstrated the exploit chain at Berlin's Pwn2Own contest in May.
🌍 Microsoft released emergency patches on July 19, but hackers quickly found bypasses, forcing additional fixes for CVE-2025-53770 and CVE-2025-53771.
🚀 The incident shows how zero-day exploits can reach America's most sensitive infrastructure and how quickly Chinese hackers scale attacks from security research into global espionage operations.
Chinese hackers got into the US National Nuclear Security Administration by exploiting a brand-new Microsoft SharePoint bug. It's one of the worst cyber hits on America's nuclear setup this year.
The NNSA handles the country's nuclear weapons and builds reactors for Navy subs. The hackers did break in, but they didn't steal any classified stuff, according to people who know what happened. The agency dodged a bullet because most of their work runs on Microsoft's cloud - and this particular attack only works against SharePoint servers that companies run themselves.
"The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems," a Department of Energy spokesperson said. "A very small number of systems were impacted. All impacted systems are being restored."
The nuclear agency isn't alone. Hackers have hit more than 400 organizations around the world using the same trick. When security researchers first spotted these attacks, they counted maybe 60 victims. That number exploded over the past week.
The hackers found two serious problems in Microsoft's SharePoint software. These bugs work as a team - one lets attackers sneak past login screens, the other lets them run their own code on target servers. Security folks call the whole thing "ToolShell."
Most victims are in America. After that, the hackers went after organizations in Mauritius, Jordan, South Africa, and the Netherlands. They hit government agencies, schools, and tech companies. The list includes the US Education Department, Florida's tax office, and Rhode Island's state legislature.
Microsoft says three Chinese hacking teams are using the SharePoint bugs. Two groups - Linen Typhoon and Violet Typhoon - work for Beijing. The third one, Storm-2603, seems China-based but Microsoft isn't sure about its government ties.
Linen Typhoon started in 2012. They steal intellectual property from government agencies, defense contractors, and human rights groups. This crew prefers using exploits that already exist rather than building their own.
Violet Typhoon has been around since 2015. They spy on former government workers, ex-military people, NGOs, think tanks, and news organizations across America, Europe, and East Asia. They constantly scan the web looking for vulnerable servers to break into.
Storm-2603 is different. Microsoft thinks they're China-based but can't prove connections to other Chinese hackers. This group has used ransomware before, though nobody knows what they want from the SharePoint attacks.
These bugs trace back to a hacking contest in Berlin. Researchers from Viettel Cyber Security showed off the exploit in May. The vulnerabilities sat unused until July 7, when hackers started hitting them hard.
The attack begins with a request to a SharePoint endpoint called ToolPane. Once inside, hackers drop "web shells" - malicious scripts that give them permanent access. Most of these shells show up as files called "spinstall0.aspx," though hackers mix up the names with variants like "spinstall.aspx" and "spinstall1.aspx."
These shells grab SharePoint's ASP.NET machine keys. Think of these as master passwords for the server's login system. With these keys, hackers can pretend to be real users and access connected systems.
This bug doesn't affect SharePoint Online customers. Microsoft handles security for the cloud version. The problem hits companies that run SharePoint on their own servers.
Microsoft released patches on July 19 during Patch Tuesday. Hackers found ways around them fast. Microsoft discovered two new vulnerabilities - CVE-2025-53770 and CVE-2025-53771 - and pushed out emergency fixes.
CISA put these bugs on its priority list. Federal agencies had to patch immediately. CISA warned the exploits "provide unauthenticated access to systems and enable malicious actors to fully access SharePoint content, including file systems and internal configurations."
Someone posted working exploit code on GitHub this week. That's bad news because it makes the attack available to any hacker who wants to try it.
Treasury Secretary Scott Bessent plans to bring up these hacks during trade talks with China next week in Stockholm. "Obviously things like that will be on the agenda with my Chinese counterparts," he said in a Bloomberg Television interview.
These SharePoint breaches pile onto Microsoft's growing security problems with Chinese hackers. In 2021, suspected Chinese teams compromised tens of thousands of Microsoft Exchange servers. Two years later, another Chinese attack on Exchange broke into senior US officials' email accounts.
The government reviewed that 2023 incident and blamed Microsoft for "a cascade of security failures." Microsoft keeps pointing fingers at China for major cyberattacks, which creates tension between Washington and Beijing.
Chinese Foreign Ministry spokesman Guo Jiakun pushed back on the accusations. "Cybersecurity affects every country, and we should work together to solve it," he said. "China fights against hacking and follows the law."
These attacks show a stubborn problem with how companies handle their own software. Lots of organizations still run their own SharePoint servers instead of moving to cloud versions. Some worry about losing control of their data or meeting compliance rules.
Here's the thing about running your own servers: you have to handle all the security updates yourself. With cloud services, that's the vendor's job. This can reduce your exposure when new attacks pop up.
The whole incident also shows how good Chinese cyber teams have gotten. They moved fast from the initial vulnerability demo to active attacks. That suggests well-funded teams who can quickly turn security research into working weapons.
SharePoint admins have work to do beyond installing patches. Microsoft wants them to enable the Antimalware Scan Interface (AMSI) and deploy antivirus on SharePoint servers. Admins also need to rotate ASP.NET machine keys and restart IIS services. This boots out hackers who already got in.
Can't enable AMSI immediately? Microsoft suggests pulling SharePoint servers offline until patches are installed. That's an extreme move, but it shows how dangerous these flaws are.
Why this matters:
• The nuclear agency breach shows how zero-day exploits can reach America's most sensitive infrastructure, even when classified data stays protected through cloud migration strategies.
• With 400+ victims and counting, this campaign demonstrates how quickly Chinese hackers can scale attacks once they find working exploits - turning a security conference demonstration into a global espionage operation.
Q: What exactly is SharePoint and why do so many organizations use it?
A: SharePoint is Microsoft's document management and collaboration platform used by thousands of organizations to store files, manage workflows, and build internal websites. Companies use it because it integrates with Microsoft Office and can handle everything from simple file sharing to complex business processes.
Q: What's the difference between on-premises and cloud SharePoint?
A: On-premises SharePoint runs on servers that companies own and manage themselves. SharePoint Online is Microsoft's cloud version where Microsoft handles security and updates. Only on-premises installations were vulnerable to this attack - cloud users remained safe.
Q: What can hackers actually do once they break into SharePoint servers?
A: Hackers can steal documents, extract user passwords and login credentials, install permanent backdoors called "web shells," and potentially move to other connected systems. They essentially get the same access as legitimate SharePoint administrators.
Q: What is Pwn2Own and why does it matter for this hack?
A: Pwn2Own is a hacking contest where researchers demonstrate new vulnerabilities to vendors. Viettel Cyber Security showed these SharePoint flaws at the Berlin contest in May 2025, but hackers didn't start exploiting them until July 7.
Q: How long were hackers inside systems before being detected?
A: The earliest signs of exploitation started July 7, but the attacks weren't widely reported until July 18-19 when Microsoft released patches. This means hackers had roughly two weeks of undetected access in many organizations.
Q: How many organizations worldwide still use on-premises SharePoint?
A: Microsoft doesn't publish exact numbers, but millions of organizations globally run on-premises SharePoint. Many stick with it for data control, compliance requirements, or because they've invested heavily in customizations that can't easily move to the cloud.
Q: What should companies do right now if they use on-premises SharePoint?
A: Install Microsoft's emergency patches immediately, enable the Antimalware Scan Interface (AMSI), deploy antivirus software, rotate ASP.NET machine keys, and restart web services. If patching isn't possible immediately, disconnect SharePoint servers from the internet.
Q: Has Microsoft had similar security problems with Chinese hackers before?
A: Yes. In 2021, Chinese hackers compromised tens of thousands of Microsoft Exchange servers. In 2023, another Chinese attack on Exchange breached senior US officials' email accounts. The government called that incident a "cascade of security failures."
Marcus Schuler
Marcus Schuler
Oracle's stock exploded 40% after revealing a $455B AI contract backlog and projections for $144B cloud revenue by 2030. The surge made Larry Ellison briefly the world's richest person—but can the company turn massive bookings into sustainable margins?
Publishers like Reddit and Yahoo launched a new licensing standard to charge AI companies for training data. The Really Simple Licensing protocol lets sites demand payment per crawl or per AI response. No major AI company has agreed to comply yet.
Meta's $72B AI talent hunt is imploding. ChatGPT co-creator nearly quit within a week, forcing tripled compensation. Elite recruits defecting to rivals while existing employees demand parity. The secretive TBD Lab creates new corporate castes.
Arm challenges the smartphone industry's NPU rush with Lumex, betting CPU-based AI can deliver 5x performance gains across 3 billion devices by 2030. The platform's SME2 instructions target developer frustration with fragmented neural engines.
Get the 5-minute Silicon Valley AI briefing, every weekday morning — free.
