Microsoft has revealed that the massive SolarWinds cyber attack was operated by a group of hackers from China. The Microsoft Threat Intelligence Centre (MSTIC) team detected a zero-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks.
"MSTIC attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures," the company said in an update on Wednesday.
To carry out the attack, hackers installed malware in the Orion software sold by the IT management company SolarWinds. Reports suggested that the hackers compromised at least 250 federal agencies and top enterprises in the US.
The zero-day attack was first spotted in a routine Microsoft 365 Defender scan.
"The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. We strongly urge all customers to update their instances of Serv-U to the latest available version," Microsoft advised.
According to Microsoft, the hackers compromised 'SolarWinds' software, allowing them to "impersonate any of the organisation's existing users and accounts, including highly privileged accounts."
The company said it had discovered its systems were infiltrated "beyond just the presence of malicious 'SolarWinds' code."
It may take several months for the US government to complete the investigation into the SolarWinds hack.
Alarmed at repeated cyber-attacks on the country, especially after one at a key fuel pipeline, US President Joe Biden has signed an executive order implementing new policies to improve national cybersecurity.