China-linked hackers exploited SolarWinds software in 2020 breach, researchers say

The hackers, like the alleged Russians, tailored the code to the SolarWinds platform.
SolarWinds CEO Sudhakar Ramakrishna testifies before the Senate Intelligence Committee in February. (Photo by Demetrius Freeman / POOL / AFP via Getty Images)

Suspected Chinese spies exploited popular enterprise software built by SolarWinds in a hacking operation last year, Dell-owned Secureworks said Monday, a conclusion that follows news that Russian hackers also leveraged SolarWinds technology.

The suspected Chinese attackers had access to an unnamed private sector organization as early as 2018. Upon being evicted by incident responders, the hackers broke back into the organization in November 2020 by exploiting SolarWinds software, according to Secureworks.

The findings underscore the premium that multiple sets of foreign operatives have apparently put on accessing valuable organizational data held by the SolarWinds Orion network monitoring software. The disclosure comes as U.S. organizations are also coping with another suspected Chinese spying operation that exploits Microsoft Exchange Server software to steal organizations’ emails.

In both the suspected Russian and Chinese schemes involving SolarWinds, the attackers wrote malicious code tailored to exploit the Orion platform and sift through data stored on it. Austin-based SolarWinds has issued software updates addressing the security issues.


The suspected Chinese hackers siphoned off credentials the victim organization used to manage its network, and then accessed sensitive files hosted in Microsoft 365 software, according to Secureworks.

With long-running access to the target organization, the hackers “would have been able to access intellectual property and data on customers of the victim, both of which would help with espionage goals,” Don Smith, senior director of cyber intelligence at Secureworks, said in an email.

Smith’s team is not certain the attackers are based in China. They did, however, find some evidence linking the activity to China, including a Chinese IP address that the attackers apparently inadvertently exposed.

The alleged Russian hacking, which has infiltrated nine U.S. federal agencies, has gotten much more attention because some 18,000 organizations downloaded the malicious code used by the attackers. By contrast, the breach of the private firm is the only set of intrusions that Secureworks has tied to the possible Chinese hacking group, dubbed Spiral.

Microsoft said in December that a second hacking group had exploited the SolarWinds software in an operation distinct from that of the alleged Russians. Microsoft did not identify the group, but described hacking tools that Spiral also used, including malware known as Supernova.


“The group could be characterized as a classic [advanced persistent threat] actor, stealthily living off the land using native tools,” Smith said.

While malicious hackers have dug into the Orion platform, so, too, have other researchers.

Analysts at Trustwave in February revealed two critical Orion bugs, one of which would have given an attacker a level of control over the software similar to what the alleged Russians enjoyed.

“This report references an incident where a network was first compromised in a way that was unrelated to SolarWinds,” a SolarWinds spokesperson said in a statement. “That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer’s network. It is important to note that Supernova is not associated with the broad and sophisticated supply chain attack that targeted multiple software companies as vectors.”


Update, March 8, 5:35pm ET: This article was updated to include a statement from SolarWinds.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
