12 October, 2023

Chinese State-Backed Hackers Hit Atlassian

Jan 12, 2020 Mountain View / CA / USA - Atlassian headquarters in Silicon Valley; Atlassian Corporation Plc is an Australian multinational enterprise software company

Microsoft has accused Chinese state-linked hackers of exploiting a critical security gap in Atlassian software to break into customer systems.

The hole was in Atlassian’s Confluence software, which is used by businesses to centralise information. The firm has given it the highest possible severity rating because it can be exploited anonymously and remotely.

“We have evidence to suggest that a known nation-state actor is actively exploiting [the vulnerability],” Atlassian told its customers on Wednesday.

Microsoft’s cybersecurity division said it had detected a “nation-state threat actor” known by various names such as Storm-0062, DarkShadow or Oro0lxy exploiting the vulnerability as long ago as 14 September.

Atlassian first reported the vulnerability on 4 October. Should they gain access, hackers would be able to access Confluence systems and create administrator accounts which could let them access sensitive information or if the system has details of the victim’s wider IT setup, execute further hacks.

The version of Confluence that runs in Atlassian’s cloud is not affected. The company has urged customers running older versions of Confluence on their own systems to immediately upgrade to later versions that do not have the vulnerability.

The Chinese Embassy in Canberra did not immediately reply to a request for comment from the Australian Financial Review, but the Chinese government has long denied it has any role in hacking overseas.

An Atlassian spokeswoman said it encouraged customers to share evidence of any compromised systems to support its response.

“Our priority is the security of our customers’ instances during this critical vulnerability, and we are collaborating with industry-leading threat intelligence partners, such as Microsoft, to obtain additional information that may assist customers with responding to the vulnerability,” the spokeswoman said.

However, the firm said that it would be unable to confirm whether a customer’s Confluence system had been hacked and asked them to look for clues that it may have happened.

“If any evidence is found, you should assume that your instance has been compromised and evaluate the risk of flow-on effects,” Atlassian’s advice to customers reads.

If hackers have got into a Confluence system, Atlassian says, they can “perform any number of unfettered actions” including stealing content, system credentials and installing smaller pieces of malicious code called plug-ins.

Advertise with us

Atlassian