Chinese gov’t hackers exploiting new Atlassian vulnerability, Microsoft says

Hackers linked to the Chinese government are exploiting a recently-discovered vulnerability affecting an Atlassian product, according to Microsoft.

In a notice on Tuesday evening, Microsoft said it has seen a nation-state actor using the vulnerability — CVE-2023-22515, which affects Atlassian’s Confluence Data Center and Server product — in attacks since September 14.

Atlassian published an advisory and patch to address the issue on October 4, which it updated last night to confirm that it too had “evidence to suggest that a known nation-state actor is actively exploiting” the vulnerability.

The bug was listed by Atlassian as critical — the highest possible rating they have. Microsoft warned that any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application. They urged customers of Atlassian to upgrade to the latest fixed version immediately and isolate vulnerable Confluence applications from the public internet until they are able to upgrade them.

Microsoft gave the hackers exploiting the issue a temporary name, Storm-0062, but noted that other companies track the hackers as DarkShadow or Oro0lxy. The company didn’t mention China specifically in the notice, but Oro0lxy was previously identified in a 2020 Justice Department indictment as the alias of 37-year-old Li Xiaoyu, a hacker working with China’s Ministry of State Security (MSS).

Microsoft did not respond to requests for comment about why it attributed the activity to a nation-state but did not specify China. It also did not explain whether it was Xiaoyu alone or multiple threat actors working alongside him.

Xiaoyu was accused in 2020 alongside another hacker of running a 10-year campaign targeting technology companies in countries like the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.

According to the DOJ’s indictment of Xiaoyu, the hackers sought to extort cryptocurrency from a victim entity by threatening to release the victim’s stolen source code on the Internet and searched for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments.

“The cybercrime hacking occurring here was first discovered on computers of the Department of Energy’s Hanford Site in Eastern Washington,” U.S. Attorney William Hyslop said at the time.

“The hackers operated from China both for their own gain and with the assistance and for the benefit of the Chinese government’s Ministry of State Security.”

Investigators found that Xiaoyu and his partner “exploited publicly known software vulnerabilities in popular web server software, web application development suites, and software collaboration programs.”

In some cases, those vulnerabilities were newly announced, meaning that many users would not have installed patches to correct them, according to the DOJ.

Tom Kellermann, a former Obama administration cybersecurity official, said the Chinese government has a “vast cyberspy network, many of which focus on arming her with zero-days.”

Several Atlassian vulnerabilities have been widely exploited by hackers in the past, with at least one topping CISA’s list of the top 15 routinely exploited vulnerabilities in 2021.

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.