Hey China, while you’re in all our servers, can you fix these support tickets? IBM, HPE, Tata CS, Fujitsu, NTT and their customers pwned

Fresh details have emerged revealing just how deeply Chinese government hackers plundered HPE, IBM, DXC, Fujitsu, Tata, and others, stealing corporate secrets and rifling through their customers’ networks.

An explosive in-depth report by Reuters today blows the lid off APT10, the infamous Beijing-backed hacking operation that was just accused of hacking mobile carriers around the world. APT10 was previously fingered for raiding corporations and organizations globally, and siphoning off blueprints and databases for President Xi’s regime.

This week’s bombshell builds on last year’s revelations that a multi-year operation known as Cloud Hopper had worked its way into the internal networks at HPE and IBM, stealing corporate data and trade secrets along the way, and then drilled into customer systems. The hackers compromised customer servers that were managed by the IT giants, or slipped in via network links between the tech providers and their big-name clients. Hence the name: Cloud Hopper.

Now, word has dropped that another six companies fell victim to APT10 during that same campaign: Fujitsu, Tata Consultancy Services, Dimension Data, NTT, and Computer Sciences Corporation. It is believed most of the hacking took place between 2015 and 2017, though it’s said HP at least had been repeatedly pwned since 2010. (CSC is now known as DXC following its merger with HPE’s spun-off Enterprise Services in 2017.)

The revelations mean that the reach of the Cloud Hopper operation was far greater than first feared. In addition to the tech goliaths themselves, the hackers pushed their way into customer systems from the compromised providers, dramatically increasing the pool of valuable industrial and aerospace data stolen. Beijing’s miscreants had not just access to the internal files of HPE, IBM, Tata CS et al, but also their network-connected customers, putting designs, plans, personal information, and more, at their fingertips. Jackpot.

FBI wanted poster of Zhu Hua and Zhang Shilong

Uncle Sam fingers two Chinese men for hacking tech, aerospace, defense biz on behalf of Beijing

READ MORE

We’re told that APT10 crew would typically find and exploit a vulnerability in an external-facing server to break in, or a spear-phish an employee to gain access to their intranet account.

From there, they harvested additional account credentials from the compromised machine, and used those to access other boxes and services on the network, which were in turn ransacked for more login details, and used further move around the network until the attackers had near complete control over the entire infrastructure. From there, the intruders could siphon off information, and probe network-connected customers, particularly if they gained control of managed or cloud server administrator accounts.

This mirrors the pattern found by researchers at Cybereason, who earlier this month detailed efforts by APT10, or a gang operating just like the Chinese, to compromise ten or more cellular telcos around the world to spy on a few dozen VIPs – think politicians, foreign agents, etc.

Taunts

Given the resources and time afforded to the operation, it comes as no surprise that APT10 was able to so thoroughly pwn their targets. By the end of the HPE operation, it is said that the hackers had such total control over the corporate network that they had begun leaving messages taunting system administrators.

“One hacking tool contained the message ‘FUCK ANY AV’ – referencing their victims’ reliance on antivirus software,” the Reuters team noted. “The name of a malicious domain used in the wider campaign appeared to mock US intelligence: nsa.mefound.com.”

In a statement to The Register, a DXC spokesperson claimed: “DXC has robust security measures in place to actively detect, prevent and alert attacks by actors such as APT10 We also have implemented tools that allow detailed reconstruction of any intrusions attempts, should they happen.

“Since the inception of DXC Technology [in 2017], neither the company nor any DXC customer whose environment is under our control have experienced a material impact caused by APT10 or any other threat actor.”

A spokesperson for HPE told The Register with a straight face: “The security of HPE customer data is always our top priority. As is the case in any breach, the company worked diligently for our customers to mitigate this attack and protect their information. And, we remain vigilant in our efforts to protect against the evolving threats of cyber-crimes committed by state actors.”

The rest – IBM, Fujitsu, Tata CS, Dimension Data, and NTT – are keeping schtum. Big Blue previously claimed it found no evidence that hackers had accessed its sensitive corporate data. ®

Bootnote

Props to China for its deadpan comedy bit in response to today’s revelations: “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets.”

READ MORE HERE