Microsoft links SolarWinds hacker group to China

“Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures,” the company said in a blog post.

SolarWinds attack was discovered last year and is named as such because the hackers compromised a popular network monitoring tool called Orion, made by IT firm SolarWinds. The tool, according to reports at the time, was used by over 400 Fortune 500 companies. Some reports originally suspected the group to be of Russian origin at the time.

MSTIC said it has also observed the hacker group targeting “entities in the US Defense Industrial Base Sector and software companies.” It added, “This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”

The threat intelligence group discovered the zero-day exploit during a “routine investigation” of Microsoft 365 Defender, its enterprise security software suite. SolarWinds had patched the vulnerabilities found by Microsoft on July 9, 2021. “The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system,” the company said in its disclosure.