Sign in Subscribe

Chernobyl.exe: When SharePoint Goes Nuclear

A desolated view somewhere in the Chernobyl Exclusion Zone.
Photo by Viktor Hesse / Unsplash

By: Paco Campbell
Published: Friday, October 31st, 2025

Last week, reports surfaced that foreign hackers breached a U.S. nuclear weapons facility by exploiting vulnerabilities in Microsoft SharePoint.

The details are still unfolding, but the image is seared in my mind: a critical system — part of the country’s nuclear backbone — undone by the same product line that powers your company’s cafeteria menu.

It’s darkly funny, if only because it shouldn’t be. The gap between a nuclear plant and a lunch portal isn’t measured in technology. It’s measured in trust.

We’ve built civilization on the same stack we use to order sandwiches.

The Human Error Reactor

In Chernobyl (the HBO miniseries), a technician insists the reactor can’t explode. “It’s not a nuclear bomb,” he says — meaning, the model says it can’t happen.

That’s the same assurance you hear in every boardroom after a breach.
“It was segmented.”
“It was patched.”
“It was fine.”

Chernobyl wasn’t an accident. It was a belief system. So is every enterprise network that treats uptime as proof of safety.

I’ve seen that belief up close.

Years ago, I inherited a system built on a programming language that had already been deprecated. Everyone knew the change was coming. Migration plans existed. Meetings were held. Nothing moved. The system kept running because it always had. Business as usual was the strongest dependency in the stack.

When the cutoff finally arrived, it wasn’t a failure — it was a reckoning we’d already scheduled and ignored.

Blue Screen of Deterrence

The Kansas City National Security Campus produces 80% of the non-nuclear parts in the U.S. stockpile. You’d assume that sort of place would run on hardened systems, air gaps, and vaults. Instead, the weak point was SharePoint — a glorified filing cabinet with better fonts.

This isn’t Microsoft’s sin alone. Every organization has its own SharePoint: that unpatched relic held together by policy exceptions and prayer. The thing that’s “too critical to update” and “too messy to retire.”

We run reactors on duct tape because duct tape scales.

If Chernobyl had a service desk ticket, it would read:

  • Run safety test after shift change
  • Ignore conflicting readings
  • Document later

Resolved. No further action required.

The Meltdown We Deserve

After the meltdown, in the miniseries, a supervisor insists the graphite on the ground can’t be from the reactor. “That’s physically impossible,” he says — while not only seeing, but standing on graphite.

That’s us.

We’re knee-deep in compromised credentials, muttering that it’s fine because we have MFA and a quarterly awareness campaign. We confuse controls with control. We think governance can outvote physics.

Uptime as Religion

Five nines. Zero downtime. Continuous everything. We’ve built an industry where turning something off is unthinkable. The Chernobyl operators pushed their reactor to prove stability.

We push our systems to prove commitment.

They lost coolant. We lose context.
Different century, same math.

Radiation You Can’t Measure

Radiation doesn’t announce itself, and neither do vulnerabilities.

Both are invisible, cumulative, and easy to rationalize away.
Exposure feels harmless — right up until it doesn’t.

Every unpatched host, every dangling account, every “temporary exception” is another hour in the control room.

You can’t see the dose, but it’s there. It always is.

Corporate Meltdown Procedures

In an imaginary — yet likely — future, these would be the actions taken by tech companies had the breach occurred at one of the many nuclear facilities they are advocating to build and operate to fuel their AI growth:

  • Google would announce a new framework to measure “resilience OKRs.” Then send all leaders to calibration sessions.
  • Amazon would host a leadership review to decide who owns the outage. And three different teams will have an N-Pager by the end of the week.
  • Apple would remain silent. Remind you the iPhone is private.
  • Microsoft would release a patch mid-presentation. Now rebooting…

Different brands, same outcome.
All of them would call it “learning.”
None of them would call it what it is: fallout.

Patch Management, but for Truth

The real link between a Soviet reactor and a modern data center isn’t uranium — it’s hierarchy.

Both reward the people who stay quiet.
Both punish the ones who say “stop.”

Every postmortem eventually lands on the same sentence:

We were aware of the vulnerability.

It’s never ignorance that gets us.
It’s conviction.

Cooling the Core

When a reactor overheats, you insert control rods.
When an organization overheats, you need humility.

They work the same way — they slow the reaction before it consumes everything.

Humility doesn’t trend on LinkedIn.
But it’s the only thing that keeps the lights from going white.

Critical Mass

Chernobyl wasn’t about physics; it was about people who couldn’t imagine being wrong.

Now we build systems with the same faith — infinite uptime, perfect patches, dashboards glowing green. We stand on graphite and call it concrete.

Somewhere, a red light is blinking.
No one’s looking up.

And the cafeteria menu is still loading.

Happy Halloween! 🎃

Subscribe to PacoPacket

Sign up now to get access to the library of members-only issues.
Jamie Larson
Subscribe