Microsoft says Chinese hackers used a SolarWinds exploit to conduct attacks

The group was targeting US defense and software organizations.


Photo: The SolarWinds Corp. logo on a sign at the company's headquarters in Austin, Texas, on April 15, 2021. (SUZANNE CORDEIRO / AFP via Getty Images)

SolarWinds vulnerabilities continue to be targeted by overseas hackers months after the US information technology company suffered a widespread cyberattack. On Tuesday, Microsoft said that a group operating out of China was using a zero-day remote code execution vulnerability to attack SolarWinds software. If successfully exploited, the flaw in the company's Serv-U software allows attackers to perform actions such as installing and running malicious payloads or viewing and changing data, Microsoft noted in a blog post.

As part of its investigation, Microsoft said it had observed the hacking group targeting organizations in the US military research and development and software sectors. The company has designated the actor DEV-0322, a label that reflects its status as an unidentified "development group." Microsoft explained that it uses such labels before it has reached high confidence about the origin or identity of an attacker. The group operating out of China is using commercial VPN solutions and compromised consumer routers to carry out its attacks, Microsoft said. Those affected have been notified and assisted in their response, the company noted.

SolarWinds confirmed over the weekend that Microsoft had notified it of a security vulnerability in its Serv-U software. The flaw was in the product's managed file transfer and secure FTP functionality, and SolarWinds has since patched it.

SolarWinds gained overnight notoriety in December after it became the subject of a supply chain cyberattack that affected 18,000 of its customers; it was eventually revealed that a much smaller number were compromised, totaling about 100 private companies and nine US government agencies. US intelligence released a joint statement in January naming Russia as the most likely source of the hack. The following month, Reuters reported that suspected Chinese hackers had exploited a separate flaw in SolarWinds' software to help breach US government computers last year. The latest vulnerability is not related to the so-called Sunburst supply chain attack, SolarWinds said.

Correction, 3:30PM ET: This article originally stated that the supply chain cyberattack compromised 18,000 SolarWinds customers. While 18,000 companies could have been affected, a much smaller number were actually impacted and compromised by "follow-on" activity on their systems. This story has been updated to reflect the smaller number of organizations that were impacted.
