Cyberattackers broke into cloud providers to steal data from
scores of companies
By Rob Barry and Dustin Volz
This article is being republished as part of our daily
reproduction of WSJ.com articles that also appeared in the U.S.
print edition of The Wall Street Journal (December 31, 2019).
The hackers seemed to be everywhere.
In one of the largest-ever corporate espionage efforts,
cyberattackers alleged to be working for China's intelligence
services stole volumes of intellectual property, security clearance
details and other records from scores of companies over the past
several years. They got access to systems with prospecting secrets
for mining company Rio Tinto PLC, and sensitive medical research
for electronics and health-care giant Philips NV.
They came in through cloud service providers, where companies
thought their data was safely stored. Once they got in, they could
freely and anonymously hop from client to client, and defied
investigators' attempts to kick them out for years.
Cybersecurity investigators first identified aspects of the
hack, called Cloud Hopper by the security researchers who first
uncovered it, in 2016, and U.S. prosecutors charged two Chinese
nationals for the global operation last December. The two men
remain at large.
A Wall Street Journal investigation has found that the attack
was much bigger than previously known. It goes far beyond the 14
unnamed companies listed in the indictment, stretching across at
least a dozen cloud providers, including CGI Group Inc., one of
Canada's largest cloud companies; Tieto Oyj, a major Finnish IT
services company; and International Business Machines Corp.
The Journal pieced together the hack and the sweeping
counteroffensive by security firms and Western governments through
interviews with more than a dozen people involved in the
investigation, hundreds of pages of internal company and
investigative documents, and technical data related to the
intrusions.
The Journal found that Hewlett Packard Enterprise Co. was so
overrun that the cloud company didn't see the hackers re-enter
their clients' networks, even as the company gave customers the
all-clear.
Inside the clouds, the hackers, known as APT10 to Western
officials and researchers, had access to a vast constellation of
clients. The Journal's investigation identified hundreds of firms
that had relationships with breached cloud providers, including Rio
Tinto, Philips, American Airlines Group Inc., Deutsche Bank AG,
Allianz SE and GlaxoSmithKline PLC.
FBI Director Christopher Wray called it the hackers' equivalent
of stealing the master keys to an entire apartment complex.
It's an open question whether hackers remain inside companies'
networks today. The Journal reviewed data provided by
SecurityScorecard, a cybersecurity firm, and identified thousands
of IP addresses globally still reporting back to APT10's network
between April and mid-November.
U.S. agencies, including the Justice Department, have worried
about their own possible exposure, and whether the hacks now
position the Chinese government to access critical infrastructure,
current and former U.S. officials said. Reuters earlier this year
reported on some aspects of the scope of the Chinese espionage
campaign.
The U.S. government now says APT10 took detailed personnel
records of more than 100,000 people from the U.S. Navy.
Investigators in and out of government said many of the major
cloud companies tried to stonewall clients about what was happening
inside their networks. "It was like trying to pin down quicksand,"
one investigator said.
Officials at the Department of Homeland Security grew so
frustrated by resistance by the cloud companies that they are now
working to revise federal contracts that would force them to comply
with future probes, according to several people familiar with the
matter.
A DHS spokeswoman declined to comment when asked if the agency
experienced a breach. A Justice Department spokesman didn't respond
to requests for comment.
HPE spokesman Adam Bauer said the company "worked diligently to
remediate these intrusions for our customers," adding that "the
security of customer data is our top priority."
"We strongly dispute any allegation that HPE was anything less
than fully cooperative with government authorities from the
outset," Mr. Bauer said. "To suggest otherwise is patently
false."
IBM spokesman Edward Barbini said that the company worked on the
investigation with relevant government agencies, adding, "We have
no evidence that any sensitive corporate data was compromised...We
have worked individually with clients who have expressed
concerns."
The hack illustrates a weakness at the heart of global business,
with the biggest companies in the world increasingly storing their
most sensitive data with cloud providers, also known as managed
service providers, which have long touted their security.
Many firms contacted by the Journal declined to address whether
they were targeted in the attack.
American Airlines said it was notified by HPE in 2015 that
"their systems were involved in a cybersecurity incident," but
"found no evidence to suggest that our systems or data were
compromised."
Philips said it was aware of intrusion efforts that could be
attributed to APT10, and that "to date, these attempts have been
addressed."
An Allianz spokesman said the company had "found no evidence" of
APT10 inside its systems.
GlaxoSmithKline, Deutsche Bank, Rio Tinto and Tieto declined to
comment. CGI didn't respond to multiple inquiries.
The Chinese government didn't respond to requests for comment.
It has denied hacking allegations in the past.
Ghosts
Cloud Hopper was something new for APT10 (short for Advanced
Persistent Threat), one of China's most evasive hacking
collectives, according to researchers.
"You know the old joke of, why rob a bank?" said Anne Neuberger,
the chief of the National Security Agency's cybersecurity
directorate. "Because that's where the money is."
Security firms have been tracking APT10 for more than a decade,
as they ransacked governments, engineering firms, aerospace
companies and telecoms. Much about the team is a mystery, though
U.S. prosecutors have alleged at least some are contractors for the
Chinese Ministry of State Security.
To break into the cloud, the hackers sometimes sent phishing
emails to administrators with high-level access. Other times they
cracked in through contractors' systems, according to
investigators.
Rio Tinto was among the earliest targets and a kind of test
case, according to two people familiar with the matter. The
company, whose operations include copper, diamonds, aluminum, iron
ore and uranium, was breached through cloud provider CGI as far
back as 2013.
What the hackers took is unknown, but one investigator familiar
with the case said such information could be used to buy up real
estate where mining companies plan to dig.
Orin Paliwoda, an FBI special agent who has been investigating
Cloud Hopper, said at a recent cybersecurity conference in New York
that the APT10 team operated essentially as ghosts in the clouds.
They "basically look like any other traffic," he said. "It is a
major, major problem."
Kris McConkey, a top cyber investigator with
PricewaterhouseCoopers in London, was one of the first to see the
extent of APT10's operation. During a routine security audit of an
international consulting firm in early 2016, his monitors began
lighting up with red dots signifying a mass attack.
At first, his team thought the attack was just an unusual
one-off, given they had come through the cloud, rather than the
company's front door. Then they started seeing the same pattern at
other clients.
"When you realize there are multiple cases -- and the actor
actually understands what they've got access to, and how to abuse
it -- you realize the possible severity of it," Mr. McConkey said.
He declined to name specific companies or cloud service providers,
citing nondisclosure agreements.
Mr. McConkey's team -- one group to clean out the bad guys,
another to gather intel about break-ins and where the attackers
might go next -- worked out of a secured floor, accessible only by
separate elevators.
The hackers, they learned, worked in teams. The "Tuesday team,"
as Mr. McConkey dubbed it, would come in one day to make sure all
their stolen usernames and passwords still worked. Another group
would often appear a few days later, whisking away targeted
data.
Other times, the hackers used their victims' networks like
dropboxes for what they stole. One firm later discovered it had
data stashed from at least five separate companies.
In the early months, Mr. McConkey's group began to share
intelligence with other security firms that were also starting to
see ghosts. At times, the attackers taunted their hunters,
registering domain names for its campaign like gostudyantivirus.com
and originalspies.com.
"I haven't seen many Chinese APT groups mocking researchers like
that," said Mike McLellan, a director of security research at
Secureworks. He added that at times APT10 also laced their malware
with phrases insulting researchers' abilities.
One of the hackers' most significant targets was HPE, whose
enterprise cloud service handled sensitive data for thousands of
companies in dozens of countries. One of its clients, Philips,
manages 20,000 terabytes of data, including millions of pieces of
information about clinical studies and an app for people with
diabetes, according to a promotional video posted to HPE's Twitter
account in 2016.
APT10 had been a serious issue at HPE since at least early 2014
-- and the company didn't always tell clients the extent of the
problem in its cloud, according to people familiar with the
matter.
Making matters more complicated, the hackers had gained access
to the company's cyber incident response team, according to several
people familiar with the matter. As HPE worked to clear infections,
the hackers monitored the process -- and sneaked back into the
cleaned systems, beginning the cycle again, one of the people
said.
"We worked diligently to remediate the intrusions until we were
confident the intruders were eliminated from the systems in
question," said Mr. Bauer, the HPE spokesman.
In the midst of the attacks, HPE spun off its enterprise cloud
business into a new company, known as DXC Technology. HPE has said
in public filings at the time that there were no "security
breaches" resulting in material losses.
DXC spokesman Richard Adamonis said that "no cyber security
incident has resulted in a material adverse effect on DXC or DXC's
customers."
A Philips spokesman said services provided by HPE "did not
involve the storage, management, or transfer of patient data."
Fighting back
The first real counterstrike began to take shape in early 2017.
The growing team of fighters now included several security firms,
infected cloud companies and dozens of victims.
The cloud companies, some of which had initially resisted
sharing information, had become more cooperative after pressure
from Western governments, several people familiar with the matter
said.
First, investigators added fake calendar entries in victims'
systems, to give hackers the false impression that IT executives
would be out of town at a weekend off-site. The goal: to give the
hackers a sense that the company didn't suspect anything was wrong
and the hackers remained undetected.
Then, the investigators jumped in outside the hackers' usual
operating hours and abruptly severed their access, shutting down
compromised accounts and isolating infected servers.
APT10 soon came back, this time targeting new victims, including
financial services companies, investigators said.
One of the new targets was IBM, which offers cloud services to
many Fortune 500 firms, as well as to government agencies like the
General Services Administration, the Department of the Interior and
the U.S. Army.
A spokeswoman said the GSA works with a number of cloud
companies, is aware of Cloud Hopper and "continues to remain
vigilant in the management of security threats." The Department of
the Interior and the Army declined to comment.
Very little is known about what happened inside IBM. The hackers
had become better at hiding and routed their attacks through
multiple layers of anonymous servers.
U.S. officials described a sense of panic throughout 2017 and
2018 as they learned of new APT10 hacks. The situation became so
dire, they issued a rare public warning, saying the attackers had
struck critical infrastructure, including IT, energy, health care
and manufacturing.
The Trump administration spent months wrangling over what a case
would look like against the hackers, what to disclose and how it
might disrupt trade talks. Former U.S. officials familiar with the
investigation said they originally hoped to sanction Chinese
entities associated with the hack and name about a half-dozen
Chinese nationals, including some with direct ties to Chinese
intelligence.
In the end, only two were named. People close to the case said
an operation like Cloud Hopper would require a far larger staff,
including developers, intrusion operators and linguists to handle
all the stolen material.
Of the two named, there is little information about Zhu Hua,
known online as Godkiller. The other, Zhang Shilong, called
"Darling Dragon," was linked by researchers to a social media
account that posted about the study of hacking.
Both are still likely in China and could serve up to 27 years in
prison for charges of conspiracy, wire fraud and identity theft.
The U.S. doesn't have an extradition agreement with China. The
Journal couldn't locate them for comment.
Intelligence intercepts collected at the time showed Chinese
operators celebrating their newfound notoriety, according to a
former U.S. intelligence official.
Today, much remains unknown about plans to use the pilfered
data. Unlike in other attacks, the troves of commercial data don't
appear to be for sale on the dark web, several investigators
said.
The Cloud Hopper attacks continue to be of enormous interest to
federal investigators, who are working to unravel whether the
campaign is connected to other significant corporate breaches where
China is a suspect, according to a current U.S. official.
The final tally of the Cloud Hopper campaign -- both in the
total potential access to networks and how much data China
ultimately stole -- remains unknown to researchers and Western
officials.
While U.S. officials and security firms say they have seen a
drop off in APT10's activity over the past year, the threat to
cloud providers remains. Security researchers from Google recently
reported that Russian state-backed hackers have been trying to
break into managed service providers, which have also become
targets by criminals.
"I'd be shocked if there were not dozens of companies that have
no idea that [APT10] has been or is still in their network," said
Luke Dembosky, a former deputy assistant attorney general for
national security who now works with companies attacked by groups
including APT10.
"The question is, just what is it they're doing?" said Mr.
McConkey. "They haven't disappeared. Just whatever they are doing
at the minute isn't visible to us."
--Eva Dou and Aruna Viswanatha contributed to this article.
Write to Rob Barry at rob.barry@wsj.com and Dustin Volz at
dustin.volz@wsj.com
(END) Dow Jones Newswires
December 31, 2019 02:47 ET (07:47 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.
Rio Tinto (ASX:RIOCD)
Historical Stock Chart
From Aug 2024 to Sep 2024
Rio Tinto (ASX:RIOCD)
Historical Stock Chart
From Sep 2023 to Sep 2024