
Cloud Hopper operation hit 8 of the world’s biggest IT service providers

A long-running operation carried out by China-linked hackers, and tracked as Cloud Hopper, has targeted clients of major companies, including IBM, HPE, Tata CS, Fujitsu, and NTT.

Hackers broke into the internal networks of major companies, such as HPE and IBM, and stole corporate data and trade secrets. The attackers then used the stolen information to target customer systems.

The list of victims is long and includes tech giants like HPE, IBM, DXC, Fujitsu, and Tata.

“Teams of hackers connected to the Chinese Ministry of State Security had penetrated HPE’s cloud computing service and used it as a launchpad to attack customers, plundering reams of corporate and government secrets for years in what U.S. prosecutors say was an effort to boost Chinese economic interests.” reads a report published by the Reuters agency.

“The hacking campaign, known as “Cloud Hopper,” was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.”

The report attributed the cyberespionage campaign to the China-linked APT10 (aka Menupass and Stone Panda), the same group recently accused of hacking telco operators worldwide. The group has been active at least since 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

An initial report revealed that Cloud Hopper hackers compromised the internal networks at HPE and IBM, then targeted customer servers that were managed by the IT giants, or connected in some way to their infrastructure.

Now Reuters has revealed that at least another six companies were hacked as part of the same campaign conducted by the APT10 threat actors. The breached companies are Fujitsu, Tata Consultancy Services, Dimension Data, NTT, and Computer Sciences Corporation.

Even though HPE has been hacked multiple times since 2010, most of the hacks occurred between 2015 and 2017.

APT10 hackers also targeted the customers of the IT companies, stealing plans, blueprints, personal information, and other data.

“APT10 often attacked a service provider’s system by “spear-phishing” – sending company employees emails designed to trick them into revealing their passwords or installing malware. Once through the door, the hackers moved through the company’s systems searching for customer data and, most importantly, the “jump servers” – computers on the network which acted as a bridge to client systems.” continues the report.

“After the attackers “hopped” from a service provider’s network into a client system, their behavior varied, which suggests the attacks were conducted by multiple teams with different skill levels and tasks, say those aware of the operation. Some intruders resembled “drunken burglars,” said one source, getting lost in the labyrinth of corporate systems and appearing to grab files at random.”

According to Reuters, the hackers had total control over the HPE corporate network, and they also left messages taunting system administrators.

One of the hacking tools used by the group in the campaign contained the message ‘FUCK ANY AV’, a reference to the fact that victims protected their infrastructure with antivirus software. In one case, the threat actors used the domain name nsa.mefound.com to mock US intelligence.

The situation is disconcerting, and what makes it unique is that the Cloud Hopper campaign is still ongoing, with the hackers adopting new techniques to remain under the radar for as long as possible.


Pierluigi Paganini

(SecurityAffairs – Cloud Hopper, hacking)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
