Cloud Hopper: Major Cloud Services Victims Named
Reuters Says Fujitsu, Tata, NTT Data, Dimension Data, CSC and DXC Affected
Six major cloud services providers apparently were victims of Cloud Hopper, an umbrella name for deep cyber intrusions suspected to originate in China, Reuters reports.
The technology service providers affected, Reuters reports, include: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corp. and DXC Technology.
DXC is a spinoff company created when Hewlett Packard Enterprise, also a victim, merged with CSC. Reuters reported in December that Cloud Hopper affected IBM and HPE.
The report is likely to unsettle companies that depend on cloud computing services for their businesses and to raise questions over whether critical data has been stolen.
When contacted by Reuters, NTT Data, Dimension Data, Tata, Fujitsu and IBM declined to comment. DXC told Reuters that neither it nor any of its clients experienced a “material impact.”
Cloud Hopper has been the subject of numerous reports by private computer security companies and warnings by governments, including the U.S., U.K. and Australia. The difficult-to-repel Cloud Hopper hacking groups target cloud service providers and the data they hold on behalf of their clients, a dangerous combination in the era of widespread cloud computing.
But no alleged victims became public until the December report by Reuters. Now, Reuters’ latest report raises questions over what data the groups affiliated with Cloud Hopper had access to and the ongoing risks.
Also, it brings questions over what obligations those service providers have to their clients to notify them about the intrusions, a potential legal minefield.
Full Disclosure?
Cloud Hopper is suspected to be the work of several China-aligned groups, including APT10. The attacks against managed service providers started around late 2016, according to a joint report by PwC and BAE Systems in April 2017.
The Cloud Hopper attacks allowed “unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally,” the two companies wrote at the time. The attacks usually kicked off with a spear-phishing campaign with a malicious attachment.
But the victims remained a closely held secret, although it was noted that some of the largest service providers worldwide were being targeted.
Reuters reports that the “corporate and government response to the attacks was undermined as service providers withheld information from hacked clients, out of concern over legal liability and bad publicity.”
The Reuters report contained the most insight into the behind-the-scenes activity at HPE. HPE fought Cloud Hopper continually for at least five years, booting the attackers only to be struck again, according to the report. HPE says it remains vigilant in its efforts to mitigate attacks.
The attackers stole directories of credentials, which allowed them to impersonate HPE employees, Reuters reports. Once inside a managed service provider, the attackers would “jump” from the MSP network to servers hosting client data. One of the resulting victims of an attack against HPE was Sabre, the reservation system for hotels, according to the news report.
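The hop described above, MSP credentials reused to reach the servers holding client data, is a pattern a client or MSP security team can look for in its own authentication telemetry. What follows is an added example written for this page; it is not code from Reuters, PwC, BAE Systems, HPE or any product. It assumes a hypothetical flat auth-log line format, a hypothetical MSP bastion range, hypothetical client address segments and a hypothetical list of MSP admin accounts, and it flags two signals: an MSP admin account reaching a client-hosted server from anywhere other than the MSP bastions, and a single MSP identity touching more than one tenant in the same batch of logs.

```python
"""Constructed detection example for MSP-to-client credential hopping.

Everything below is hypothetical: the log format, the bastion range, the
client segments and the account list. Adapt each to your own environment.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical: the MSP is only supposed to reach client estates via these bastions.
MSP_JUMP_HOSTS = [ip_network("10.0.5.0/24")]
# Hypothetical: client segments hosted by the MSP, keyed by tenant name.
CLIENT_SEGMENTS = {
    "clientA": ip_network("10.20.0.0/16"),
    "clientB": ip_network("10.30.0.0/16"),
}
# Hypothetical: MSP admin/service accounts, the kind an attacker harvests in bulk.
MSP_ADMIN_ACCOUNTS = {r"msp\svc-backup", r"msp\jdoe"}

# Hypothetical flat log format: "<ts> auth user=<u> src=<ip> dst=<ip> result=<r>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

# Constructed sample lines, not real telemetry. The last line is deliberately
# malformed to show the parser skipping it rather than crashing.
SAMPLE_LOG = r"""
2019-06-26T10:00:01Z auth user=msp\svc-backup src=10.0.5.12 dst=10.20.1.5 result=success
2019-06-26T10:02:13Z auth user=msp\jdoe src=10.0.7.44 dst=10.20.1.9 result=success
2019-06-26T10:03:50Z auth user=msp\jdoe src=10.0.7.44 dst=10.30.2.2 result=success
2019-06-26T10:05:00Z auth user=clienta\alice src=10.20.3.3 dst=10.20.1.5 result=success
2019-06-26T10:06:00Z auth user=msp\svc-backup src=10.0.7.44 dst=10.20.1.5 result=failure
this line is garbage and must not crash the parser
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    dst: str
    client: str
    reason: str


def parse_line(line: str):
    """Return the parsed fields as a dict, or None for lines that do not match
    the format or carry unparsable addresses."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    try:
        ip_address(ev["src"])
        ip_address(ev["dst"])
    except ValueError:
        return None
    return ev


def client_of(ip: str):
    """Name of the client segment containing ip, or None if it is not client-hosted."""
    addr = ip_address(ip)
    for name, net in CLIENT_SEGMENTS.items():
        if addr in net:
            return name
    return None


def from_jump_host(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MSP_JUMP_HOSTS)


def detect(lines):
    """Run both heuristics over an iterable of log lines and return findings."""
    findings = []
    clients_per_user = defaultdict(set)
    last_event = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        if ev["user"] not in MSP_ADMIN_ACCOUNTS:
            continue  # client-internal logons are out of scope for this check
        client = client_of(ev["dst"])
        if client is None:
            continue  # destination is not a client-hosted server
        clients_per_user[ev["user"]].add(client)
        last_event[ev["user"]] = ev
        if not from_jump_host(ev["src"]):
            findings.append(Finding(ev["ts"], ev["user"], ev["src"], ev["dst"], client,
                                    "msp-account-reached-client-server-from-non-bastion"))
    # Second signal: one MSP identity fanning out across several tenants.
    for user, clients in clients_per_user.items():
        if len(clients) > 1:
            ev = last_event[user]
            findings.append(Finding(ev["ts"], user, ev["src"], ev["dst"],
                                    ",".join(sorted(clients)),
                                    "msp-account-fanned-out-across-tenants"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f)
```

On the constructed sample this yields three findings: two for `msp\jdoe` reaching client servers from a non-bastion source, and one fan-out finding because the same account touched both tenants. The backup account's first logon is from the bastion range and is left alone, and its failed attempt is ignored. In a real deployment the fan-out check should be bounded by a time window, and the bastion allowlist should be treated as an input to verify, not an assumption; an attacker who already holds the MSP's credentials may well be on the bastions too.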
But two former HPE employees tell Reuters that the company cautioned its employees against telling Sabre everything about the attack. “Limiting knowledge to the customer was key,” one former HPE employee tells the news agency. Also hit via HPE was Ericsson, the Swedish telecommunications equipment developer, Reuters reports.
The news service quotes Jeanette Manfra, an assistant director for cybersecurity within the Department of Homeland Security, as saying the U.S. government encouraged companies to notify their customers, but she says “we can’t force their hand.”
Perhaps sensing that companies would be reluctant to disclose intrusions to their customers, the U.K.’s National Cyber Security Centre advised in April 2017 that companies should press their MSPs for details.
“You should contact your MSP and discuss their response to these attacks, including whether and how you have been affected,” according to the advisory. “You should ensure that your MSPs are doing everything necessary to investigate whether they have been compromised and what effect any such compromise has had on their customers. Do not accept assertions from your provider, but instead demand evidence.”
APT10 Indictment
There's been some progress in calling out one Cloud Hopper member: APT10. The group is also known as Menupass, Stone Panda and Red Apollo.
The U.S. Justice Department unsealed an indictment in December against two Chinese men alleged to be part of APT10. The two men, Zhu Hua and Zhang Shilong, worked for Huaying Haitai Science and Technology Development Company but acted in association with the Chinese Ministry of State Security's Tianjin State Security Bureau, federal prosecutors said (see: 2 Chinese Nationals Indicted for Cyber Espionage).
China and the U.S. don’t have an extradition treaty. It’s unlikely either of the men will face trial as long as they don’t travel to a country that has an extradition treaty with the U.S.
The U.S. has increasingly opted to file charges against alleged Chinese hackers, in part, out of frustration over activity it says results in the loss of intellectual property from U.S. companies.
The U.S. reached an agreement with China in 2015 that sought to put intellectual property out of bounds for state-sponsored hackers. While it was temporarily successful, the activity resumed and continues to strain the two countries' relationship.