Hacked by suspected Chinese cyberspies five times from 2014 to 2017, security staff at Swedish telecoms equipment giant Ericsson had taken to naming their response efforts after different types of wine.
Pinot Noir began in September 2016. After successfully repelling a wave of attacks a year earlier, Ericsson discovered the intruders were back. This time, the company’s cybersecurity team could see exactly how they got in: through a connection to information technology services supplier Hewlett Packard Enterprise (HPE).
Teams of hackers connected to the Chinese Ministry of State Security had penetrated HPE’s cloud computing service and used it as a launchpad to attack customers, for years plundering reams of corporate and government secrets in what US prosecutors say was an effort to boost Chinese economic interests.
Illustration: Yusha
The hacking campaign, known as Cloud Hopper (雲端跳躍), was the subject of a US indictment in December last year that accused two Chinese nationals of identity theft and fraud.
Prosecutors described an elaborate operation that victimized multiple Western companies, but stopped short of naming them.
A Reuters report at the time identified two: Hewlett Packard Enterprise and International Business Machines Corp (IBM).
Yet the campaign ensnared at least six more major technology firms, touching five of the world’s 10 biggest tech service providers.
Reuters found that Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corp and DXC Technology were also compromised by Cloud Hopper.
HPE spun off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.
Beyond those six plus HPE and IBM lies a second wave of victims: their clients.
Ericsson, which competes with Chinese firms in the strategically critical mobile telecoms business, is one. Others include travel reservation system Sabre, the US leader in managing plane bookings, and the largest shipbuilder for the US Navy, Huntington Ingalls Industries.
“This was the theft of industrial or commercial secrets for the purpose of advancing an economy,” former Australian national cyber security adviser Alastair MacGibbon said. “The lifeblood of a company.”
Reporters were unable to determine the full extent of the damage done by the campaign, and many victims are unsure of exactly what information was stolen.
Yet the Cloud Hopper attacks carry worrying lessons for government officials and technology companies struggling to manage security threats. Chinese hackers, including the group Advanced Persistent Threat 10, known as APT10, were able to continue the attacks in the face of a counter-offensive by top security specialists and despite a 2015 US-China pact to refrain from economic espionage.
The corporate and government response to the attacks was undermined as service providers withheld information from hacked clients out of concern over legal liability and bad publicity, records and interviews show.
That failure, intelligence officials say, calls into question Western institutions’ ability to share information in the way needed to defend against elaborate cyberinvasions.
Even now, many victims might not be aware they were hit.
The campaign also highlights the security vulnerabilities inherent in cloud computing, an increasingly popular practice in which companies contract with outside vendors for remote computer services and data storage.
“For those that thought the cloud was a panacea, I would say you haven’t been paying attention,” former US National Security Agency (NSA) director Mike Rogers said.
Reporters interviewed 30 people involved in the Cloud Hopper investigations, including Western government officials, current and former company executives and private security researchers.
They also reviewed hundreds of pages of internal company documents, court filings and corporate intelligence briefings.
HPE “worked diligently for our customers to mitigate this attack and protect their information,” company spokesman Adam Bauer said. “We remain vigilant in our efforts to protect against the evolving threats of cybercrimes committed by state actors.”
A spokesman for DXC, the services arm spun off by HPE in 2017, said the company put “robust security measures in place” to protect itself and customers.
“Since the inception of DXC Technology, neither the company nor any DXC customer whose environment is under our control have experienced a material impact caused by APT10 or any other threat actor,” the spokesman said.
NTT Data, Dimension Data, Tata Consultancy Services, Fujitsu and IBM declined to comment. IBM has previously said that it has no evidence sensitive corporate data was compromised by the attacks.
The Chinese government has denied all accusations of involvement in hacking. The Chinese Ministry of Foreign Affairs said that Beijing opposes cyber-enabled industrial espionage.
“The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets,” it said in a statement.
BREAK-INS, EVICTIONS
For security staff at HPE, the Ericsson situation was just one dark cloud in a gathering storm, according to internal documents and 10 people with knowledge of the matter.
For years, the company’s predecessor, technology giant Hewlett-Packard, did not even know it had been hacked. It first found malicious code stored on a company server in 2012. The company called in outside experts, who found infections dating to at least January 2010.
Hewlett-Packard security staff fought back, tracking the intruders, shoring up defenses and executing a carefully planned expulsion to simultaneously knock out all of the hackers’ known footholds.
Yet the attackers returned, beginning a cycle that continued for at least five years.
The intruders stayed a step ahead. They would grab reams of data before planned eviction efforts by Hewlett-Packard engineers. Repeatedly, they took whole directories of credentials, a brazen act netting them the ability to impersonate hundreds of employees.
The hackers knew exactly where to retrieve the most sensitive data and littered their code with expletives and taunts.
One hacking tool contained the message “FUCK ANY AV” — referencing their victims’ reliance on anti-virus software.
The name of a malicious domain used in the wider campaign appeared to mock US intelligence: “nsa.mefound.com”.
Then things got worse, documents show.
After a 2015 tip-off from the US FBI about infected computers communicating with an external server, HPE combined three probes it had under way into one effort called Tripleplay.
Up to 122 HPE-managed systems and 102 systems designated to be spun out into the new DXC operation had been compromised, a late 2016 presentation to executives showed.
An internal chart from mid-2017 helped top brass keep track of investigations codenamed for customers.
Rubus dealt with Finnish conglomerate Valmet. Silver Scale was Brazilian mining giant Vale. Greenxmass was Swedish manufacturer SKF, and Oculus covered Ericsson.
Projects Kronos and Echo related to former Swiss biotech firm Syngenta, which was taken over by state-owned Chinese chemicals conglomerate ChemChina in 2017 — during the same period as the HPE investigation into Chinese attacks on its network.
Ericsson said it does not comment on specific cybersecurity incidents.
“Our priority is always to ensure that our customers are protected,” an Ericsson spokesman said. “While there have been attacks on our enterprise network, we have found no evidence in any of our extensive investigations that Ericsson’s infrastructure has ever been used as part of a successful attack on one of our customers.”
A spokesman for SKF said: “We are aware of the breach that took place in conjunction with the Cloud Hopper attack against HPE... Our investigations into the breach have not found that any commercially sensitive information was accessed.”
Syngenta and Valmet declined to comment.
A spokesman for Vale declined to comment on specific questions about the attacks, but said the company adopts “the best practices in the industry” to improve network security.
‘DRUNKEN BURGLARS’
The companies were battling a skilled adversary, said Rob Joyce, the Senior Adviser for Cybersecurity Strategy to the Director of the NSA.
The hacking was “high leverage and hard to defend against,” he said.
The attackers were multiple Chinese government-backed hacking groups, Western officials said.
The most feared was known as APT10 and directed by the Chinese Ministry of State Security, US prosecutors say.
National security experts say the Chinese intelligence service is comparable to the US CIA, capable of pursuing electronic and human spying operations.
Two of APT10’s alleged members, Zhu Hua (朱華) and Zhang Shilong (張士龍), were indicted in December by the US on charges of conspiracy to commit computer intrusions, wire fraud and aggravated identity theft.
In the unlikely event they are ever extradited and convicted, the two men would face up to 27 years in a US jail.
Reporters were unable to reach Zhu, Zhang or lawyers representing the men for comment.
The Chinese Ministry of Foreign Affairs said that the charges were “warrantless accusations” and urged the US to “withdraw the so-called lawsuits against Chinese personnel, so as to avoid causing serious harm to bilateral relations.”
The US Department of Justice called the Chinese denials “ritualistic and bogus.”
“The Chinese government uses its own intelligence services to conduct this activity and refuses to cooperate with any investigation into thefts of intellectual property emanating from its companies or its citizens,” US Assistant Attorney General for National Security John Demers said.
APT10 often attacked a service provider’s system by “spear-phishing” — sending company employees e-mails designed to trick them into revealing their passwords or installing malware. Once through the door, the hackers moved through the company’s systems searching for customer data and, most importantly, the “jump servers” — computers on the provider’s network that acted as a bridge into client systems and therefore carried the provider’s standing access to its customers.
After the attackers “hopped” from a service provider’s network into a client system, their behavior varied, which suggests the attacks were conducted by multiple teams with different skill levels and tasks, those aware of the operation say.
Some intruders resembled “drunken burglars,” said one source, getting lost in the labyrinth of corporate systems and appearing to grab files at random.
HOTELS, SUBMARINES
It is impossible to say how many companies were breached through the service provider that originated as part of Hewlett-Packard, then became HPE and is now known as DXC.
The HPE operation had hundreds of customers. Armed with stolen corporate credentials, the attackers could do almost anything the service providers could.
Many of the compromised machines served multiple HPE customers, documents show.
One nightmare situation involved client Sabre Corp, which provides reservation systems for tens of thousands of hotels around the world. It also has a comprehensive system for booking air travel, working with hundreds of airlines and 1,500 airports.
A thorough penetration at Sabre could have exposed a goldmine of information, investigators said. If China was able to track where corporate executives or US government officials were traveling, that would open the door to in-person approaches, physical surveillance or attempts at installing digital tracking tools on their devices.
In 2015, investigators found that at least four Hewlett-Packard machines dedicated to Sabre were tunneling large amounts of data to an external server. The Sabre breach was long-running and intractable, two former HPE employees said.
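The two signals described above, a provider host tunneling large volumes of data to an external server and the same host then “hopping” through a jump server into a client network, can be correlated from flow records. The script below is an added example written for this article, not code from Reuters, HPE or any of the companies named; the network ranges, the jump-server address, the egress allowlist and the flow lines are all constructed assumptions, not real telemetry.

```python
"""Detect high-volume egress and external -> provider host -> jump server -> client hop chains.

Added illustration; addresses, thresholds and sample flows are constructed, not real data.
"""
import ipaddress
from collections import defaultdict

PROVIDER_NET = ipaddress.ip_network("10.0.0.0/8")        # assumed: the service provider's own network
CLIENT_NETS = [ipaddress.ip_network("192.168.0.0/16")]   # assumed: customer ranges reached via jump hosts
JUMP_SERVERS = {"10.1.9.1"}                              # assumed: the provider's jump hosts
EGRESS_ALLOWLIST = {"198.51.100.20"}                     # assumed: sanctioned destination (e.g. offsite backup)
EGRESS_THRESHOLD = 10_000_000                            # bytes per (host, destination); tune per estate

# Constructed sample flow log: epoch seconds, source, destination, bytes sent.
SAMPLE_FLOWS = """\
# ts src dst bytes
1000 10.1.1.5 203.0.113.7 52000000
1010 10.1.1.5 10.1.9.1 4000
1020 10.1.9.1 192.168.50.10 8000
1500 10.1.1.6 10.1.9.1 3000
1600 10.1.1.7 203.0.113.7 900
2000 10.1.2.8 198.51.100.20 12000000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def _in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_external(ip):
    """External means outside both the provider's and the customers' ranges."""
    return not _in_nets(ip, [PROVIDER_NET] + CLIENT_NETS)


def high_egress(flows, threshold=EGRESS_THRESHOLD):
    """Total bytes each provider host sent to each non-allowlisted external address; keep those over threshold."""
    totals = defaultdict(int)
    for f in flows:
        if (_in_nets(f["src"], [PROVIDER_NET]) and is_external(f["dst"])
                and f["dst"] not in EGRESS_ALLOWLIST):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total >= threshold}


def hop_chains(flows, window=3600):
    """Chains external <-> provider host -> jump server -> client host, each hop within `window` seconds."""
    external_contacts = defaultdict(list)   # provider host -> [(ts, external ip)]
    for f in flows:
        if _in_nets(f["src"], [PROVIDER_NET]) and is_external(f["dst"]):
            external_contacts[f["src"]].append((f["ts"], f["dst"]))
        elif is_external(f["src"]) and _in_nets(f["dst"], [PROVIDER_NET]):
            external_contacts[f["dst"]].append((f["ts"], f["src"]))

    chains = set()
    for hop in flows:
        # Only provider hosts connecting to a jump server start a candidate chain.
        if hop["dst"] not in JUMP_SERVERS or not _in_nets(hop["src"], [PROVIDER_NET]):
            continue
        for t0, ext in external_contacts.get(hop["src"], []):
            if not (t0 <= hop["ts"] <= t0 + window):
                continue
            for onward in flows:
                if (onward["src"] == hop["dst"] and _in_nets(onward["dst"], CLIENT_NETS)
                        and hop["ts"] <= onward["ts"] <= hop["ts"] + window):
                    chains.add((ext, hop["src"], hop["dst"], onward["dst"]))
    return sorted(chains)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst), total in high_egress(flows).items():
        print(f"high egress: {src} -> {dst} ({total} bytes)")
    for ext, host, jump, client in hop_chains(flows):
        print(f"hop chain: {ext} <-> {host} -> {jump} -> {client}")
```

In the constructed sample only 10.1.1.5 trips both detections: it sends 52 MB to an external address and, ten seconds later, reaches the jump server, which then opens a connection into a client range. The admin host 10.1.1.6 also uses the jump server but has no external contact, so it is not reported, and the 12 MB transfer to the allowlisted backup address is ignored. Byte thresholds and time windows need tuning per estate; the correlation, rather than either signal alone, is what separates a pivot from routine administration.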
HP management only grudgingly allowed its own defenders the investigation access they needed and cautioned against telling Sabre everything, the former employees said.
“Limiting knowledge to the customer was key,” one said. “It was incredibly frustrating. We had all these skills and capabilities to bring to bear, and we were just not allowed to do that.”
“The security of HPE customer data is always our top priority,” an HPE spokesman said.
Sabre said it had disclosed a cybersecurity incident involving servers managed by an unnamed third party in 2015.
Media reports at the time said the hackers were linked to the Chinese government, but did not name Hewlett-Packard.
A Sabre spokeswoman said an investigation of the breach “concluded with the important finding that there was no loss of traveler data, including no unauthorized access to or acquisition of sensitive protected information, such as payment card data or personally identifiable information.”
The spokeswoman declined to comment on whether any non-traveler data was compromised.
UNINVITED GUESTS
The threat also reached into the US defense industry.
In early 2017, HPE analysts saw evidence that Huntington Ingalls Industries, a significant client and the largest US military shipbuilder, had been penetrated by the Chinese hackers, two sources said. Computer systems owned by a subsidiary of Huntington Ingalls were connecting to a foreign server controlled by APT10.
During a private briefing with HPE staff, Huntington Ingalls executives voiced concern the hackers could have accessed data from its biggest operation, the Newport News shipyard in Virginia where it builds the US’ nuclear-powered submarines, said a person familiar with the discussions. It is not clear whether any data was stolen.
Huntington Ingalls is “confident that there was no breach of any HII data” via DXC or HPE, a spokeswoman said.
Another target was Ericsson, which has been racing against China’s Huawei Technologies (華為) to build infrastructure for 5G networks expected to underpin future hyper-connected societies.
The hacking at Ericsson was persistent and pervasive, said people with knowledge of the matter.
Logs were modified and some files were deleted. The uninvited guests rummaged through internal systems, searching for documents containing certain strings of characters.
Some of the malware found on Ericsson servers was signed with digital certificates stolen from big technology companies, making it look like the code was legitimate so it would go unnoticed. A valid signature only proves that whoever signed held the private key, so controls that trust any signed binary offer no defense once a key is stolen; allowlisting the specific publishers expected on a host and checking certificate revocation is the usual mitigation.
Like many Cloud Hopper victims, Ericsson could not always tell what data was being targeted. Sometimes, the attackers appeared to seek out project management information, such as schedules and timeframes. Another time they went after product manuals, some of which were already publicly available.
“The reality is that most organizations are facing cybersecurity challenges on a daily basis, including Ericsson,” Ericsson chief security officer Par Gunnarsson said in a statement, declining to discuss specific incidents. “In our industry, and across industries, we would all benefit from a higher degree of transparency on these issues.”
WHITE WOLF
In December, after struggling to contain the threat for years, the US government named the hackers from APT10 as agents of the Chinese Ministry of State Security.
The public attribution garnered widespread international support: Germany, New Zealand, Canada, Britain, Australia and other allies all issued statements backing the US allegations against China.
Even so, much of Cloud Hopper’s activity has been deliberately kept from public view, often at the urging of corporate victims.
In an effort to keep information under wraps, security staff at the affected managed service providers were often barred from speaking even to other employees not specifically added to the inquiries.
In 2016, HPE’s office of general counsel for global functions issued a memo about an investigation codenamed White Wolf.
“Preserving confidentiality of this project and associated activity is critical,” the memo said, stating without elaboration that the effort “is a sensitive matter.”
Outside the project, it said, “do not share any information about White Wolf, its effect on HPE, or the activities HPE is taking.”
The secrecy was not unique to HPE. Even when the government alerted technology service providers, the companies would not always pass on warnings to clients, Jeanette Manfra, a senior cybersecurity official with the US Department of Homeland Security, told reporters.
“We asked them to notify their customers,” Manfra said. “We can’t force their hand.”
Additional reporting by Gao Liangping, Cate Cadell and Ben Blanchard.