Where: Atlassian Data Centers (global), China
Who’s involved: Atlassian Corporation, Chinese state-sponsored hackers (Storm-0062), other threat actors and cyber security firms
In February 2023, an unidentified threat actor began phishing campaigns, targeting various organizations related to Atlassian products. The group demonstrated a particular focus on Atlassian's enterprise collaboration software, such as Confluence, which suggests that this was the initial planning and reconnaissance phase of the breach. It was found that the group likely came from China. In response to the breach, a statement by Atlassian indicated that network and customer information are secure.
On 15/02/2023, Check Point Software warned Atlassian about a data leak that included sensitive facilities information of a third party contractor. Atlassian answered the warning with only a written response, stating that since the contractor was not leaking customer information, that it was not a serious threat.
14/09/2023: The Chinese APT group launched attacks exploiting a zero-day flaw in Atlassian Confluence Data Center and Server instances. These attacks were initiated a week before the bug's disclosure. On 21/09/2023, Atlassian released a patch for four of its main products that allegedly fixed the bugs.
On 4/10/2023, the breach was publicly disclosed, through a formal advisory of the Multi-State Information Sharing and Analysis Center. Atlassian advised customers to immediately shut down and disconnect their server from the network if they suspect their Confluence Server/Data Center instance has been compromised.
On 11/10/2023, Microsoft identified the group as an Advanced Persistent Threat: Storm-0062, who they connected to the Chinese government. The threat to Atlassian’s servers and data centers was considered to be extremely high by Microsoft.
On 16/10/2023, the Cybersecurity and Infrastructure Security Agency (CISA) distributed an advisory based on Microsoft’s findings, indicating that this was considered a serious threat to infrastructure.
On 17/10/2023, a joint statement by The Five Eyes countries’ intelligence chiefs accused China of having a protracted history of intellectual property theft that stood as an “unprecedented threat”.
Storm-0062, also known as DarkShadow or Oro0lxy, is a state-sponsored threat actor linked to China's Ministry of State Security and is known for targeting software, engineering, medical research, government, defense, and tech firms in the U.S., U.K., Australia, and various European countries to collect intelligence.
Atlassian’s software is used by nearly a quarter of a million companies worldwide, including 83% of the Fortune 500 as of 2020. The company’s products are mostly focused on business planning and product development, much of which can be considered sensitive or classified. Companies that utilize Atlassian products include IBM, Tesla, Shell, Lufthansa, and more.
Microsoft's Threat Intelligence analysts have observed that the group exploited the Atlassian flaw as a zero-day bug for nearly three weeks. It was able to access sensitive information for that time, unimpeded.
The group has been involved in stealing terabytes of data by hacking government organizations and companies worldwide. The U.S. Department of Justice accused Li Xiaoyu, a Chinese hacker who created the digital alias Oro0lxy, of infiltrating hundreds of companies in the U.S., Hong Kong, and China, including coronavirus vaccine research developer Moderna.
Storm-0062's activities highlight the increasing threat of state-sponsored cyberattacks and the potential for significant damage to companies and governments worldwide. Specifically, it shows the potential ability for a state actor to conduct reconnaissance of sensitive planning and design information as a product is being developed, in real time. With critical technologies perceived as an issue of national security, theft of intellectual property, through the cyber domain, is a part of China’s strategy to gain access to U.S. designs and gain a competitive edge in advanced technologies and defense contractors.