Inside China’s corporate hacking attack
The hackers seemed to be everywhere.
In one of the largest-ever corporate espionage efforts, cyberattackers alleged to be working for China’s intelligence services stole volumes of intellectual property, security clearance details and other records from scores of companies over the past several years. They got access to systems with prospecting secrets for mining company Rio Tinto, and sensitive medical research for electronics and healthcare giant Philips.
They came in through cloud service providers, where companies thought their data was safely stored. Once they got in, they could freely and anonymously hop from client to client, and defied investigators’ attempts to kick them out for years.
Cybersecurity investigators first identified aspects of the hack, called Cloud Hopper by the security researchers who first uncovered it, in 2016, and US prosecutors charged two Chinese nationals for the global operation last December. The two men remain at large.
A Wall Street Journal investigation has found that the attack was much bigger than previously known. It goes far beyond the 14 unnamed companies listed in the indictment, stretching across at least a dozen cloud providers, including CGI Group, one of Canada’s largest cloud companies; Tieto Oyj, a major Finnish IT services company; and International Business Machines.
The Journal pieced together the hack and the sweeping counteroffensive by security firms and Western governments through interviews with more than a dozen people involved in the investigation, hundreds of pages of internal company and investigative documents, and technical data related to the intrusions.
The Journal found that Hewlett Packard Enterprise was so overrun that the cloud company didn’t see the hackers re-enter their clients’ networks, even as the company gave customers the all-clear.
Inside the clouds, the hackers, known as APT10 to Western officials and researchers, had access to a vast constellation of clients. The Journal’s investigation identified hundreds of firms that had relationships with breached cloud providers, including Rio Tinto, Philips, American Airlines Group, Deutsche Bank, Allianz and GlaxoSmithKline.
FBI Director Chris Wray called it the hackers’ equivalent of stealing the master keys to an entire apartment complex.
It’s an open question whether hackers remain inside companies’ networks today. The Journal reviewed data provided by Security Scorecard, a cybersecurity firm, and identified thousands of IP addresses globally still reporting back to APT10’s network between April and mid-November.
US agencies, including the Justice Department, have worried about their own possible exposure, and whether the hacks now position the Chinese government to access critical infrastructure, current and former US officials said. Reuters earlier this year reported on some aspects of the scope of the Chinese espionage campaign.
The US government now says APT10 took detailed personnel records of more than 100,000 people from the US Navy.
Investigators in and out of government said many of the major cloud companies tried to stonewall clients about what was happening inside their networks. “It was like trying to pin down quicksand,” one investigator said.
Officials at the Department of Homeland Security grew so frustrated by resistance by the cloud companies that they are now working to revise federal contracts that would force them to comply with future probes, according to several people familiar with the matter.
A DHS spokeswoman declined to comment when asked if the agency experienced a breach. A Justice Department spokesman didn’t respond to requests for comment.
HPE spokesman Adam Bauer said the company “worked diligently to remediate these intrusions for our customers,” adding that “the security of customer data is our top priority.”
“We strongly dispute any allegation that HPE was anything less than fully cooperative with government authorities from the outset,” Mr Bauer said. “To suggest otherwise is patently false.”
IBM spokesman Edward Barbini said that the company worked on the investigation with relevant government agencies, adding, “We have no evidence that any sensitive corporate data was compromised...We have worked individually with clients who have expressed concerns.”
The hack illustrates a weakness at the heart of global business, with the biggest companies in the world increasingly storing their most sensitive data with cloud providers, also known as managed service providers, which have long touted their security.
Many firms contacted by the Journal declined to address whether they were targeted in the attack.
American Airlines said it was notified by HPE in 2015 that “their systems were involved in a cybersecurity incident,” but “found no evidence to suggest that our systems or data were compromised.”
Philips said it was aware of intrusion efforts that could be attributed to APT10, and that “to date, these attempts have been addressed.”
An Allianz spokesman said the company had “found no evidence” of APT10 inside its systems.
GlaxoSmithKline, Deutsche Bank, Rio Tinto and Tieto declined to comment. CGI didn’t respond to multiple inquiries.
The Chinese government didn’t respond to requests for comment. It has denied hacking allegations in the past.
Cloud Hopper was something new for APT10 (short for Advanced Persistent Threat), one of China’s most evasive hacking collectives, according to researchers.
“You know the old joke of, why rob a bank?” said Anne Neuberger, the chief of the National Security Agency’s cybersecurity directorate. “Because that’s where the money is.”
Security firms have been tracking APT10 for more than a decade, as they ransacked governments, engineering firms, aerospace companies and telecoms. Much about the team is a mystery, though US prosecutors have alleged at least some are contractors for the Chinese Ministry of State Security.
To break into the cloud, the hackers sometimes sent phishing emails to administrators with high-level access. Other times they cracked in through contractors’ systems, according to investigators.
Rio Tinto was among the earliest targets and a kind of test case, according to two people familiar with the matter. The company, whose operations include copper, diamonds, aluminium, iron ore and uranium, was breached through cloud provider CGI as far back as 2013.
What the hackers took is unknown, but one investigator familiar with the case said such information could be used to buy up real estate where mining companies plan to dig.
Orin Paliwoda, an FBI special agent who has been investigating Cloud Hopper, said at a recent cybersecurity conference in New York that the APT10 team operated essentially as ghosts in the clouds. They “basically look like any other traffic,” he said. “It is a major, major problem.”
Kris McConkey, a top cyber investigator with PricewaterhouseCoopers in London, was one of the first to see the extent of APT10’s operation. During a routine security audit of an international consulting firm in early 2016, his monitors began lighting up with red dots signifying a mass attack.
At first, his team thought the attack was just an unusual one-off, given they had come through the cloud, rather than the company’s front door. Then they started seeing the same pattern at other clients.
“When you realise there are multiple cases -- and the actor actually understands what they’ve got access to, and how to abuse it -- you realise the possible severity of it,” Mr McConkey said. He declined to name specific companies or cloud service providers, citing nondisclosure agreements.
Mr McConkey’s team -- one group to clean out the bad guys, another to gather intel about break-ins and where the attackers might go next -- worked out of a secured floor, accessible only by separate elevators.
The hackers, they learned, worked in teams. The “Tuesday team,” as Mr McConkey dubbed it, would come in one day to make sure all their stolen usernames and passwords still worked. Another group would often appear a few days later, whisking away targeted data.
Other times, the hackers used their victims’ networks like dropboxes for what they stole. One firm later discovered it had data stashed from at least five separate companies.
In the early months, Mr McConkey’s group began to share intelligence with other security firms that were also starting to see ghosts. At times, the attackers taunted their hunters, registering domain names for its campaign like gostudyantivirus.com and originalspies.com.
“I haven’t seen many Chinese APT groups mocking researchers like that,” said Mike McLellan, a director of security research at Secureworks. He added that at times APT10 also laced their malware with phrases insulting researchers’ abilities.
One of the hackers’ most significant targets was HPE, whose enterprise cloud service handled sensitive data for thousands of companies in dozens of countries. One of its clients, Philips, manages 20,000 terabytes of data, including millions of pieces of information about clinical studies and an app for people with diabetes, according to a promotional video posted to HPE’s Twitter account in 2016.
APT10 had been a serious issue at HPE since at least early 2014 -- and the company didn’t always tell clients the extent of the problem in its cloud, according to people familiar with the matter.
Making matters more complicated, the hackers had gained access to the company’s cyber incident response team, according to several people familiar with the matter. As HPE worked to clear infections, the hackers monitored the process -- and sneaked back into the cleaned systems, beginning the cycle again, one of the people said.
We worked diligently to remediate the intrusions until we were confident the intruders were eliminated from the systems in question,” said Mr Bauer, the HPE spokesman.
In the midst of the attacks, HPE spun off its enterprise cloud business into a new company, known as DXC Technology. HPE has said in public filings at the time that there were no “security breaches” resulting in material losses.
DXC spokesman Richard Adamonis said that “no cyber security incident has resulted in a material adverse effect on DXC or DXC’s customers.”
A Philips spokesman said services provided by HPE “did not involve the storage, management, or transfer of patient data.”
The first real counterstrike began to take shape in early 2017. The growing team of fighters now included several security firms, infected cloud companies and dozens of victims.
The cloud companies, some of which had initially resisted sharing information, had become more cooperative after pressure from Western governments, several people familiar with the matter said.
First, investigators added fake calendar entries in victims’ systems, to give hackers the false impression that IT executives would be out of town at a weekend off-site. The goal: to give the hackers a sense that the company didn’t suspect anything was wrong and the hackers remained undetected.
Then, the investigators jumped in outside the hackers’ usual operating hours and abruptly severed their access, shutting down compromised accounts and isolating infected servers.
APT10 soon came back, this time targeting new victims, including financial services companies, investigators said.
One of the new targets was IBM, which offers cloud services to many Fortune 500 firms, as well as to government agencies like the General Services Administration, the Department of the Interior and the U.S. Army.
A spokeswoman said the GSA works with a number of cloud companies, is aware of Cloud Hopper and “continues to remain vigilant in the management of security threats.” The Department of the Interior and the Army declined to comment.
Very little is known about what happened inside IBM. The hackers had become better at hiding and routed their attacks through multiple layers of anonymous servers.
US officials described a sense of panic throughout 2017 and 2018 as they learned of new APT10 hacks. The situation became so dire, they issued a rare public warning, saying the attackers had struck critical infrastructure, including IT, energy, health care and manufacturing.
The Trump administration spent months wrangling over what a case would look like against the hackers, what to disclose and how it might disrupt trade talks. Former US officials familiar with the investigation said they originally hoped to sanction Chinese entities associated with the hack and name about a half-dozen Chinese nationals, including some with direct ties to Chinese intelligence.
In the end, only two were named. People close to the case said an operation like Cloud Hopper would require a far larger staff, including developers, intrusion operators and linguists to handle all the stolen material.
Of the two named, there is little information about Zhu Hua, known online as Godkiller. The other, Zhang Shilong, called “Darling Dragon,” was linked by researchers to a social media account that posted about the study of hacking.
Both are still likely in China and could serve up to 27 years in prison for charges of conspiracy, wire fraud and identity theft. The US doesn’t have an extradition agreement with China. The Journal couldn’t locate them for comment.
Intelligence intercepts collected at the time showed Chinese operators celebrating their new-found notoriety, according to a former US intelligence official.
Today, much remains unknown about plans to use the pilfered data. Unlike in other attacks, the troves of commercial data don’t appear to be for sale on the dark web, several investigators said.
The Cloud Hopper attacks continue to be of enormous interest to federal investigators, who are working to unravel whether the campaign is connected to other significant corporate breaches where China is a suspect, according to a current US official.
The final tally of the Cloud Hopper campaign -- both in the total potential access to networks and how much data China ultimately stole -- remains unknown to researchers and Western officials.
While US officials and security firms say they have seen a drop off in APT10’s activity over the past year, the threat to cloud providers remains. Security researchers from Google recently reported that Russian state-backed hackers have been trying to break into managed service providers, which have also become targets by criminals.
“I’d be shocked if there were not dozens of companies that have no idea that (APT10) has been or is still in their network,” said Luke Dembosky, a former deputy assistant attorney general for national security who now works with companies attacked by groups including APT10.
“The question is, just what is it they’re doing?” said Mr McConkey. “They haven’t disappeared. Just whatever they are doing at the minute isn’t visible to us.”
Wall Street Journal