A Reuters Exclusive
Inside the West’s failed fight against China’s ‘Cloud Hopper’ hackers
CLOUD HOPPER: Major corporations, from IBM to Hewlett Packard Enterprise to Fujitsu, were invaded by Chinese cyber spies, Reuters found. Illustration by Catherine Tai/REUTERS
Eight of the world's biggest technology service providers were hacked by Chinese cyber spies in an elaborate and years-long invasion, Reuters found. The invasion exploited weaknesses in those companies, their customers, and the Western system of technological defense.
By JACK STUBBS, JOSEPH MENN and CHRISTOPHER BING
Filed June 26, 2019, 6 a.m. GMT
LONDON – After Swedish telecoms equipment giant Ericsson was hacked by suspected Chinese cyber spies five times from 2014 to 2017, its security staff had taken to naming their response efforts after different types of wine.
Teams of hackers connected to the Chinese Ministry of State Security had penetrated HPE’s cloud computing service and used it as a launchpad to attack customers, plundering reams of corporate and government secrets for years in what U.S. prosecutors say was an effort to boost Chinese economic interests.
The hacking campaign, known as “Cloud Hopper,” was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.
Yet the campaign ensnared at least six more major technology firms, touching five of the world’s 10 biggest tech service providers.
WANTED: An FBI poster citing Zhu Hua and Zhang Shilong as Chinese hackers. Both were indicted on identity theft and other charges. Federal Bureau of Investigation/Handout via REUTERS.
Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. HPE spun off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.
Waves of hacking victims emanate from those six plus HPE and IBM: their clients. Ericsson, which competes with Chinese firms in the strategically critical mobile telecoms business, is one. Others include travel reservation system Sabre, the American leader in managing plane bookings, and the largest shipbuilder for the U.S. Navy, Huntington Ingalls Industries, which builds America’s nuclear submarines at a Virginia shipyard.
“This was the theft of industrial or commercial secrets for the purpose of advancing an economy,” said former Australian National Cyber Security Adviser Alastair MacGibbon. “The lifeblood of a company.”
Reuters was unable to determine the full extent of the damage done by the campaign, and many victims are unsure of exactly what information was stolen.
Yet the Cloud Hopper attacks carry worrying lessons for government officials and technology companies struggling to manage security threats. Chinese hackers, including a group known as APT10, were able to continue the attacks in the face of a counter-offensive by top security specialists and despite a 2015 U.S.-China pact to refrain from economic espionage.
The corporate and government response to the attacks was undermined as service providers withheld information from hacked clients, out of concern over legal liability and bad publicity, records and interviews show. That failure, intelligence officials say, calls into question Western institutions’ ability to share information in the way needed to defend against elaborate cyber invasions. Even now, many victims may not be aware they were hit.
The campaign also highlights the security vulnerabilities inherent in cloud computing and outsourced IT management, an increasingly popular practice in which companies contract with outside vendors for remote computer services and data storage. A provider's administrative access to its clients' networks becomes a single point of compromise: break into the provider, and the clients follow.
“For those that thought the cloud was a panacea, I would say you haven’t been paying attention,” said Mike Rogers, former director of the U.S. National Security Agency.
‘NO PANACEA:’ Former National Security Agency Director Mike Rogers said the case shows cloud computing can be compromised. REUTERS/Eric Thayer
Reuters interviewed 30 people involved in the Cloud Hopper investigations, including Western government officials, current and former company executives and private security researchers. Reporters also reviewed hundreds of pages of internal company documents, court filings and corporate intelligence briefings.
HPE “worked diligently for our customers to mitigate this attack and protect their information,” said spokesman Adam Bauer. “We remain vigilant in our efforts to protect against the evolving threats of cyber-crimes committed by state actors.”
A spokesman for DXC, the services arm spun off by HPE in 2017, said the company put “robust security measures in place” to protect itself and customers. “Since the inception of DXC Technology, neither the company nor any DXC customer whose environment is under our control have experienced a material impact caused by APT10 or any other threat actor,” the spokesman said.
NTT Data, Dimension Data, Tata Consultancy Services, Fujitsu and IBM declined to comment. IBM has previously said it has no evidence sensitive corporate data was compromised by the attacks.
The Chinese government has denied all accusations of involvement in hacking. The Chinese Foreign Ministry said Beijing opposed cyber-enabled industrial espionage. “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets,” it said in a statement to Reuters.
Break-ins and evictions
For security staff at Hewlett Packard Enterprise, the Ericsson situation was just one dark cloud in a gathering storm, according to internal documents and 10 people with knowledge of the matter.
For years, the company’s predecessor, technology giant Hewlett Packard, didn’t even know it had been hacked. It first found malicious code stored on a company server in 2012. The company called in outside experts, who found infections dating to at least January 2010.
Hewlett Packard security staff fought back, tracking the intruders, shoring up defenses and executing a carefully planned expulsion to simultaneously knock out all of the hackers’ known footholds. But the attackers returned, beginning a cycle that continued for at least five years.
The intruders stayed a step ahead. They would grab reams of data before planned eviction efforts by HP engineers. Repeatedly, they took whole directories of credentials, a brazen act netting them the ability to impersonate hundreds of employees.
The hackers knew exactly where to retrieve the most sensitive data and littered their code with expletives and taunts. One hacking tool contained the message “fukk ANY AV” – referencing their victims’ reliance on anti-virus software. The name of a malicious domain used in the wider campaign appeared to mock U.S. intelligence: “nsa.mefound.com”
Then things got worse, documents show.
After a 2015 tip-off from the U.S. Federal Bureau of Investigation about infected computers communicating with an external server, HPE combined three probes it had underway into one effort called Tripleplay. Up to 122 HPE-managed systems and 102 systems designated to be spun out into the new DXC operation had been compromised, a late 2016 presentation to executives showed.
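The FBI tip-off above, and the "nsa.mefound.com" domain mentioned earlier, are the kind of lead a defender turns into detection logic: find the hosts that resolve a named indicator, and find the hosts that phone home to any external name at suspiciously regular intervals, whether or not that name is on a list yet. The following is an added example written for this page, not HPE's, Reuters' or any investigator's tooling. The log format, the hostnames, the ".mefound.com" suffix rule and the thresholds are all assumptions; the log lines are constructed, not real HPE data.

```python
"""Triage DNS-query logs for known indicators and for regular-interval beaconing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# The indicator the article names. Treating its parent zone as suspect
# is an assumption made for this example, not something the article states.
KNOWN_BAD_NAMES = {"nsa.mefound.com"}
SUSPECT_SUFFIXES = (".mefound.com",)
INTERNAL_SUFFIXES = (".corp",)  # assumed internal zone, excluded from beacon scoring

# Constructed sample log (not real HPE data). Assumed format per line:
# "<ISO-8601 timestamp> <hostname> <queried DNS name>"
SAMPLE_LOG = """\
2016-11-02T09:00:00 ws-1042 nsa.mefound.com
2016-11-02T09:00:00 srv-07 update.example.net
2016-11-02T09:00:00 ws-0217 cdn.example.org
2016-11-02T09:01:30 ws-0217 cdn.example.org
2016-11-02T09:05:00 ws-1042 nsa.mefound.com
2016-11-02T09:07:12 ws-0217 cdn.example.org
2016-11-02T09:10:00 ws-1042 nsa.mefound.com
2016-11-02T09:10:03 srv-07 update.example.net
2016-11-02T09:15:00 ws-1042 nsa.mefound.com
2016-11-02T09:19:58 srv-07 update.example.net
2016-11-02T09:20:00 ws-1042 nsa.mefound.com
2016-11-02T09:25:00 ws-1042 nsa.mefound.com
2016-11-02T09:30:00 ws-0217 cdn.example.org
2016-11-02T09:30:01 srv-07 update.example.net
2016-11-02T09:31:05 ws-0217 cdn.example.org
2016-11-02T09:40:00 srv-07 update.example.net
2016-11-02T09:50:02 srv-07 update.example.net
2016-11-02T10:15:00 ws-0217 cdn.example.org
"""


def parse_log(text):
    """Yield (timestamp, host, name) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower().rstrip(".")


def indicator_hits(records):
    """Return {host: sorted list of matched names} for exact or suffix matches."""
    hits = defaultdict(set)
    for _, host, name in records:
        if name in KNOWN_BAD_NAMES or name.endswith(SUSPECT_SUFFIXES):
            hits[host].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def beaconing_pairs(records, min_queries=6, max_cv=0.05):
    """Return sorted [(host, name, mean_gap_seconds)] for (host, name) pairs whose
    inter-query gaps are near-constant: coefficient of variation <= max_cv.
    Regularity, not the name itself, is what flags srv-07 in the sample."""
    by_pair = defaultdict(list)
    for ts, host, name in records:
        if name.endswith(INTERNAL_SUFFIXES):
            continue
        by_pair[(host, name)].append(ts)
    found = []
    for (host, name), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((host, name, round(avg, 1)))
    return sorted(found)


def triage(text):
    """Run both checks over one log and return the findings."""
    records = list(parse_log(text))
    return {"indicator_hits": indicator_hits(records),
            "beaconing": beaconing_pairs(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

In the sample, ws-1042 is caught twice: by the exact indicator and by its clockwork five-minute queries. srv-07 never touches a listed name, but its ten-minute cadence with a few seconds of jitter is flagged anyway, which is the point of pairing a blocklist with a behavioural check. ws-0217 queries an external name just as often, but irregularly, and is left alone. In production the thresholds need tuning against legitimate schedulers, and the query counts would come from a resolver or proxy log rather than a string constant.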
An internal chart from mid-2017 helped top brass keep track of investigations codenamed for customers. Rubus dealt with Finnish conglomerate Valmet. Silver Scale was Brazilian mining giant Vale. Greenxmass was Swedish manufacturer SKF, and Oculus covered Ericsson.
Projects Kronos and Echo related to former Swiss biotech firm Syngenta, which was taken over by state-owned Chinese chemicals conglomerate ChemChina in 2017 – during the same period as the HPE investigation into Chinese attacks on its network.