Dell Bought EMC for $67 Billion. Chinese Hackers Lived in RecoverPoint for Two Years.
- Patrick Duggan
- Apr 1
- 5 min read
Updated: Apr 25
I worked at Dell EMC. I sat in the rooms where they talked about convergence, hyper-convergence, the $67 billion acquisition that was supposed to make Dell the most complete infrastructure company on earth. VxRail, VxBlock, VMAX, Unity, Isilon, Data Domain, Avamar, RecoverPoint. The storage portfolio to end all storage portfolios.
RecoverPoint was the disaster recovery product. The one that replicated your virtual machines to a secondary site so when the primary burns down, you can fail over and keep running. It sits between your VMware hypervisors and your storage, intercepting writes and replicating them. It sees everything. It has root access to the VM infrastructure. It is, by design, the single most privileged appliance in the data center.
It shipped with hardcoded credentials.
CVE-2026-22769 — CVSS 10.0
A hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1. An unauthenticated attacker with knowledge of the credential can gain access to the underlying operating system with root-level persistence.
Not "could gain access." Can. Will. Did. Since mid-2024.
Google's Mandiant traced the exploitation to a Chinese state-backed group they track as UNC6201. They deployed two backdoors — BRICKSTORM and GRIMBOLT — and a webshell called SLAYSTYLE. Some organizations had breach windows exceeding three years.
Three years. Root access. On the appliance that replicates your virtual machines.
What RecoverPoint Knows
RecoverPoint isn't a peripheral device. It's not a monitoring tool that watches traffic from the side. It's an inline replication engine that sits between ESXi hosts and storage arrays. To do its job, it needs:
- Root access to the underlying Linux OS
- Network connectivity to every ESXi host in the protected cluster
- Access to VM disk writes at the storage layer
- Administrative credentials for vCenter (to manage failover)
- Network paths to the replication target site
That's your entire VM infrastructure. Your production workloads, your databases, your applications, your customer data — all flowing through an appliance with a hardcoded password that Chinese intelligence services have known about since 2024.
Ghost NICs
This is the part that should keep infrastructure architects up at night.
Mandiant observed UNC6201 creating "Ghost NICs" — virtual network interface cards attached to compromised VMs that don't appear in the normal vSphere management view. The ghost interfaces connect to isolated network segments, giving the attackers lateral movement paths that are invisible to standard network monitoring.
Think about that. They're not just moving through the network. They're creating new networks inside your hypervisor that you can't see. Your firewall doesn't know about them. Your SIEM doesn't log them. Your network diagrams don't include them. They exist in the gap between what vCenter shows you and what the hypervisor actually does.
They also implemented Single Packet Authorization using iptables — a technique where a single specially-crafted packet "unlocks" a backdoor port that is otherwise invisible to port scans. The port doesn't respond to SYN. It doesn't show up in nmap. It only opens when the right knock arrives.
Invisible network interfaces. Invisible ports. Root access to the replication engine. For two years.
The $67 Billion Question
Dell acquired EMC in 2016 for $67 billion. The largest technology acquisition in history at the time. The thesis was vertical integration — compute, storage, networking, data protection, all under one roof. One throat to choke. One vendor to trust.
RecoverPoint came with EMC. It was the crown jewel of the data protection portfolio — continuous data protection for VMware, the thing that made the "zero RPO" promise possible. Dell kept selling it. Dell kept deploying it. Dell kept trusting it.
The hardcoded credential wasn't introduced after the acquisition. It's an architectural choice baked into the product. Someone at EMC — years ago — decided that RecoverPoint needed a credential that couldn't be changed by customers. A backdoor by design, shipped as a feature.
I remember the culture. Ship fast, integrate later, worry about security when the customer asks. The storage division treated security as a compliance checkbox, not an engineering constraint. "Air-gapped" was a selling point, as if physical isolation excused embedded credentials. As if nobody would ever connect the management port to a routable network. As if hardcoded passwords were fine because "it's behind the firewall."
The firewall management console got owned yesterday (Cisco FMC, CVE-2026-20131). The backup appliance has been owned since 2024. "Behind the firewall" isn't a security strategy. It's a wish.
What UNC6201 Wanted
This isn't ransomware. This isn't financially motivated. UNC6201 is Chinese state-sponsored espionage.
They want persistent access to enterprise VM infrastructure. They want to read the data flowing through RecoverPoint's replication streams. They want to know what your organization is protecting — because the things you replicate for disaster recovery are the things you can't afford to lose. Your most critical workloads. Your crown jewels.
- Read every VM disk write in real time
- Exfiltrate data through the replication channel (who monitors outbound replication traffic for anomalies?)
- Modify VMs silently — the replication target is supposed to be an exact copy, but what if the attacker introduces changes at the replication layer?
- Survive a DR failover — they're on both sides of the replication pair
BRICKSTORM and GRIMBOLT aren't smash-and-grab tools. They're persistence frameworks designed for long-term access. The switch from BRICKSTORM to GRIMBOLT in September 2025 suggests active development — the operators are improving their tools while sitting inside your infrastructure.
What To Do
- Update to 6.0.3.1 HF1 or later immediately
- Assume compromise if running any earlier version — engage incident response
- Audit all network interfaces on ESXi hosts — look for NICs you didn't create
- Check iptables rules on the RecoverPoint appliance for SPA configurations
- Review outbound connections from RecoverPoint to unknown destinations
- Rotate every credential that RecoverPoint had access to — vCenter admin, storage admin, all of them
- Ask the vendor: "Does this product contain hardcoded credentials?" If they hesitate, walk.
- Ask: "What is the minimum privilege this appliance requires?" If the answer is "root on the hypervisor," understand what you're trusting.
- Ask: "How would we detect compromise of this appliance?" If there's no answer, you can't.
I spent years at Dell EMC watching the storage division prioritize features over security. The $67 billion acquisition bought the most complete infrastructure portfolio on earth and a hardcoded credential in the disaster recovery appliance that Chinese intelligence services exploited for two years.
The things you replicate are the things you can't afford to lose. Now ask who else has root access to the replication engine.