Report: Cloud Hopper Attacks Affected More MSPs
Wall Street Journal Names Companies Affected By Tenacious Chinese Hackers
A persistent question over the past several years is which managed service providers were affected by APT10, the tenacious Chinese hacking group that has plundered organizations for three years.
That’s proved to be a difficult nut to crack, owing to the sensitivity around big-name IT companies falling victim to highly skilled Chinese-backed attackers.
Cracking open a managed service provider offers an opportunity to snoop on that company’s clients, opening a door to rich data. Acknowledging a hack – and describing its full scope – could also be damaging to an MSP’s reputation.
But a Wall Street Journal investigation on Monday has revealed new companies affected by the group, whose specific targeting of managed service providers is often referred to as Cloud Hopper attacks.
Managed service providers are an attractive target, as enterprises contract out for hosting, security monitoring, storage and more. That’s in part why the Cloud Hopper attacks so alarmed security experts, especially as organizations increasingly adopt cloud services.
The Journal reports that at least a dozen cloud providers have been hit, including Canada’s CGI Group, the Finnish IT services company Tieto Oyj and IBM. Those companies’ clients include Rio Tinto, Philips, American Airlines, Deutsche Bank, Allianz and GlaxoSmithKline, the Journal reports.
US Navy Records Stolen
The Journal’s investigation builds on a scoop by Reuters a year ago.
At the time, Reuters reported IBM was a victim along with Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corp. and DXC Technology, which was created when Hewlett Packard Enterprise (HPE), also a victim, merged with CSC (see Cloud Hopper: Major Cloud Services Victims Named).
Among the new findings in the Journal’s report is that the U.S. government believes APT10 took personal records for 100,000 U.S. Navy personnel.
Part of the problem around Cloud Hopper has been the reluctance of managed service providers to fully disclose to their clients if they’ve been affected, the Journal reports. One anonymous investigator told the Journal: “It was like trying to pin down quicksand.”
Australia and the U.S. also issued warnings about APT10 and Cloud Hopper. The U.K.’s National Cyber Security Centre even issued a somewhat unusual advisory in April 2017 telling organizations that they should not accept assertions from their managed service providers related to Cloud Hopper, but rather “demand evidence.”
“MSPs who are unwilling to work closely with customers or unwilling to share information with you should be treated with extreme caution,” the NCSC writes.
There’s been plenty of warning as well from private security companies and government agencies. A joint report from PwC and BAE Systems in April 2017 – a few months after Cloud Hopper was identified – warned that APT10’s “compromise of MSP networks has provided broad and unprecedented access to MSP customer networks.”
The attacks often start with spear-phishing emails containing malicious attachments. Even when MSPs have detected Cloud Hopper attacks, it has proven difficult to kick the attackers out. The Journal reports that HPE, which has been battling APT10 for five years, would see the group sneak back in after the systems had been cleaned.
Quieter, But Still Active
The U.S. government has been active in trying to call out APT10. In December 2018 it unsealed an indictment against two Chinese men, Zhu Hua and Zhang Shilong (see 2 Chinese Nationals Indicted for Cyber Espionage).
The government alleges that they worked for the Huaying Haitai Science and Technology Development Company, which acted in association with the Chinese Ministry of State Security's Tianjin State Security Bureau.
Prosecutors allege that, as part of APT10, the two men have since 2006 hacked the networks of 45 technology companies and U.S. government agencies. They were charged with wire fraud, aggravated identity theft and conspiracy to commit computer intrusions.
The men haven’t been arrested. The U.S. does not have an extradition treaty with China. Unless the two men travel outside China to a country that does, they will likely never be prosecuted.
Nonetheless, the U.S. has lodged criminal complaints against Russian and Chinese hackers, in part to bring public attention to, and pressure over, attacks against U.S. organizations.
The Journal reports that it is unknown just how much data APT10 has stolen with Cloud Hopper. The group’s activity has declined over the past year, it reports. However, the security company SecurityScorecard still sees IP addresses pinging what is believed to be APT10 infrastructure, the Journal reports.