Microsoft has revealed that the latest zero-day attack on SolarWinds software was carried out by a group of hackers from China. The Microsoft Threat Intelligence Center (MSTIC) team detected a zero-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks.
“Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures,” the company said in a blog post.
To carry out the earlier attack, hackers installed malware in the Orion software sold by the IT management company SolarWinds. Reports suggested that the hackers compromised at least 250 federal agencies and top enterprises in the US. The new zero-day attack was first spotted in a routine Microsoft 365 Defender scan. “The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. We strongly urge all customers to update their instances of Serv-U to the latest available version,” Microsoft advised. According to Microsoft, the hackers compromised ‘SolarWinds’ software, allowing them to “impersonate any of the organisation’s existing users and accounts, including highly privileged accounts.”
The company said it had discovered its systems were infiltrated “beyond just the presence of malicious ‘SolarWinds’ code.” It may take several months for the US government to complete the investigation into the SolarWinds hack.
The first hack that shoved SolarWinds into the limelight in December 2020 exposed hundreds of government agencies and businesses. Unlike the previous hack, which is now widely connected to a Russian state-affiliated group of hackers called Cozy Bear, Microsoft says this zero-day attack originated in China. DEV-0322 has made a habit of attacking “entities in the US Defense Industrial Base Sector,” Microsoft writes, and is known for “using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”