Microsoft pins recent SolarWinds zero-day attack on Chinese hacker group DEV-0322

What you need to know

  • Microsoft recently notified SolarWinds of a vulnerability in its products.
  • The threat actors exploiting the vulnerability have been labeled DEV-0322 by Microsoft.
  • They are based out of China.

The most recent issue to beleaguer SolarWinds, now that the company's biggest nightmare of the year is in the rearview mirror, is a vulnerability found in its Serv-U Managed File Transfer Server and Serv-U Secured FTP Server products. Successful exploitation of the vulnerability gives threat actors control over server data and allows them to install programs. Microsoft has stated that it believes it knows the identity of those responsible for taking advantage of SolarWinds' misfortune.

Microsoft attributes the exploitation of the vulnerability to a group based in China, referred to by Redmond as DEV-0322. That is not a name the group uses for itself; it is the label Microsoft has assigned it. The Microsoft Threat Intelligence Center (MSTIC) describes its labeling process as follows:

"MSTIC tracks and investigates a range of malicious cyber activities and operations. During the tracking and investigation phases prior to when MSTIC reaches high confidence about the origin or identity of the actor behind an operation, we refer to the unidentified threat actor as a 'development group' or 'DEV group' and assign each DEV group a unique number (DEV-####) for tracking purposes."

As for DEV-0322's operations beyond troubling SolarWinds, Microsoft notes that it has seen the group target entities in the U.S. Defense Industrial Base Sector as well as software companies. DEV-0322 uses commercial VPNs and compromised consumer routers as part of its attack infrastructure.

Microsoft's blog post on the Chinese group outlines the technical details of the SolarWinds product vulnerability and gives those interested in the specifics a closer look at what is going on. Keep in mind that SolarWinds has already released a hotfix for the aforementioned issues, so if you run an affected product, apply it to protect yourself.

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.

2 Comments
  • The question is, are they state sponsored? And if not, why isn't their government cracking down? They're very good at cracking down from what I hear.
  • One would assume there is no consequence in store for these sorts of groups, especially not from their own governments (for obvious reasons).