Spy chiefs fret over outsourcers IBM and HPE after Chinese commercial hacks

Cyber security agencies across the Five Eyes intelligence community have sent their compatriots in Beijing season’s greetings by shaming outsourcers HPE and IBM for being compromised and formally attributing the Cloudhopper data hoovering campaign to the APT10 hacking unit associated China’s Ministry of State Security.

In a concerted global public relations push mounted on Friday, agencies across the US, Britain and Australia trotted out a chorus of senior officials to bang the economic espionage drum against Chinese state sponsored hacking.

Both IBM and HPE are two of the biggest technology services and hardware suppliers to the Australian government, with the Digital Transformation Agency this year signing off on a $1 billion multi-year deal with Big Blue.

Australian Cyber Security Centre chief Alastair MacGibbon led the charge locally, taking to ABC radio to explain the urgency and gravity of the Chinese state sponsored hacking threat, advising businesses and the community to review security when they “come back from a well-earned Christmas break”.

Pressed on the awkward timing of the big campaign launch and his assessment that remedial action could wait until after the holidays, MacGibbon said that the launch date had been “chosen for us”.

“This is not just normal espionage,” MacGibbon said on ABC Radio Sydney. “This is stealing commercial secrets,”  going on to compare intellectual property theft to stealing food from Australians.

Tempo increases

The coordinated international effort to name and shame Chinese state-backed hacking brigades that aim to exfiltrate intellectual property from companies, the research and development sector and universities follows a series of international manoeuvres to check China’s efforts.

They include an increasing number of arrests and indictments, most notably Huawei's Chief Financial Officer Meng Wanzhou.

Overnight US prosecutors also unsealed indictments against two Chinese men, Zhu Hua (aka ‘Godkiller’) and Zhang Shilongin, for their alleged involvement in the group since 2006.

They have been charged with “conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft”, the indictment from the US Justice Department states.

Both men worked at Huaying Haitai Science and Technology Development Company and “acted in association with the Chinese Ministry of State Security’s Tianjian State Security Bureau”.

Although hacking activities are alleged to date back to 2006, APT10 began its ‘MSP Theft Campaign’ “in or about 2014”, successfully obtaining access to victim companies in 12 countries.

An earlier ‘technology theft campaign’ secured access “to the computers of more than 45 technology companies and US government agencies bases in at least 12 states”.

Following the indictment, Australia called on “all countries - including to uphold commitments to refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining a competitive advantage.”

“These commitments were agreed by G20 Leaders in 2015. Australia and China reaffirmed them bilaterally in 2017,” it said.

In a separate statement by the ACSC, MacGibbon said the Cloudhopper incident demonstrated the need to end “complacency in boardrooms around Australia when it comes to ensuring organisations have better cyber security protections in place”.

“This is a catalytic event for Australia and an opportunity for all parts of our economy to lift the levels of cyber protection for all Australians, to make Australia the safest place to live, work and play online,” he said.

“Businesses need to understand the inherent risks in cyber-enabled technology and to have the appropriate strategies in place to manage those risks.”

The ACSC has released advice for MSPs in the aftermath of the compromise.

IBM, HPE, DXC on defensive

International news agency Reuters has cited five confidential sources as confirming IBM and HPE, now known as DXC, were penetrated by Chinese attacks.

The target of the Cloudhopper attacks was the clients of the outsourcers.

While cybersecurity firms and government agencies have issued multiple warnings about the Cloudhopper threat since 2017, they have not publicly disclosed the identity of technology companies whose networks were compromised.

IBM said it had no evidence that sensitive corporate data had been compromised. HPE said it could not comment on the Cloudhopper campaign.

Businesses and governments are increasingly looking to technology companies known as managed service providers (MSPs) to remotely manage their information technology operations, including servers, storage, networking and help-desk support.

Cloudhopper targeted MSPs to access client networks and steal corporate secrets from companies around the globe, according to a US federal indictment of two Chinese nationals unsealed on Thursday. Prosecutors did not identify any of the MSPs that were breached.

Both IBM and HPE declined to comment on the specific claims made by the sources.

“IBM has taken extensive counter measures worldwide as part of its continuous efforts to protect itself and its clients against constantly evolving threats,” the company said in an emailed statement.

“We take responsible stewardship of client data very seriously and have no evidence that sensitive IBM or client data has been compromised.”

HPE said in a statement that it had spun out a large managed-services business in a 2017 merger with CSC that formed a new company, DXC Technology.

“The security of HPE customer data is our top priority,” HPE said. “We are unable to comment on the specific details described in the indictment, but HPE’s managed services provider business moved to DXC Technology in connection with HPE’s divestiture of its Enterprise Services business in 2017.”

Representatives with DXC Technology could not be reached immediately for comment.

Reuters was unable to confirm the names of other breached technology firms or identify any affected clients.

The sources, who were not authorized to comment on confidential information gleaned from investigations into the hacks, said that HPE and IBM were not the only prominent technology companies whose networks had been compromised by Cloudhopper.

Cloudhopper, which has been targeting technology services providers for several years, infiltrated the networks of HPE and IBM multiple times in breaches that lasted for weeks and months, according to another of the sources with knowledge of the matter.

IBM investigated an attack as recently as this summer, and HPE conducted a large breach investigation in early 2017, the source said.

The attackers were persistent, making it difficult to ensure that networks were safe, said another source.

IBM has dealt with some infections by installing new hard drives and fresh operating systems on infected computers, said the person familiar with the effort.

One senior intelligence official, who declined to name any victims who were breached, said attacks on MSPs were a significant threat because they essentially turned technology companies into launchpads for hacks on clients.

“By gaining access to an MSP, you can in many cases gain access to any one of their customers,” said the official. “Call it the Walmart approach: If I needed to get 30 different items for my shopping list, I could go to 15 different stores or I could go to the one that has everything.”

Representatives with the FBI and Department of Homeland Security declined to comment. Officials with the US Justice Department and the Chinese embassy in Washington could not immediately be reached for comment.

A British government spokeswoman declined to comment on the identities of companies affected by the Cloudhopper campaign or the impact of those breaches.

“A number of MSPs have been affected, and naming them would have potential commercial consequences for them, putting them at an unfair disadvantage to their competitors,” she said.

With Reuters