China’s Cloud Hopper Cyberhack Bigger Than First Revealed

Cloud Hopper, a massive cybertheft effort allegedly run by China’s intelligence services and operating through cloud services since at least 2016, is much bigger than it was originally believed to be. U.S. prosecutors identified and charged two Chinese nationals, but both remain at large. The original indictment listed 14 unnamed companies and about a dozen cloud providers. The Trump administration escalated the military’s use of cyber weapons, but hasn’t revealed its rules, leading to a bipartisan push for transparency.

The Wall Street Journal reports that Cloud Hopper has stolen “volumes of intellectual property, security clearance details and other records from scores of companies over the past several years,” including “prospecting secrets for mining company Rio Tinto, and sensitive medical research for electronics and health-care giant Philips.”

Among the dozen or so cloud services impacted were Canada’s CGI Group, Finland’s Tieto Oyj, and IBM. WSJ conducted the research that led to the discovery that “Hewlett Packard Enterprise was so overrun that the cloud company didn’t see the hackers re-enter their clients’ networks, even as the company gave customers the all-clear.” Other companies breached by the hackers (known as APT10 in the West) included American Airlines, Deutsche Bank, Allianz and GlaxoSmithKline.

SecurityScorecard “identified thousands of IP addresses globally still reporting back to APT10’s network between April and mid-November … [making it] an open question of whether hackers remain inside companies’ networks today.” U.S. agencies, including the Justice Department, have “worried about their own possible exposure, and whether the hacks now position the Chinese government to access critical infrastructure.”

APT10 (APT is short for Advanced Persistent Threat) stole “detailed personnel records of more than 100,000 people from the U.S. Navy,” said the government. Cloud companies were not forthcoming to their clients about the hack. Sources said that Department of Homeland Security officials were so frustrated that “they are now working to revise federal contracts that would force them to comply with future probes.”

The stolen data does not appear to be for sale on the dark web, said investigators who are “working to unravel whether the campaign is connected to other significant corporate breaches where China is a suspect.” APT10’s activity seems to have lessened in the past year, but “the threat to cloud providers remains.”

“I’d be shocked if there were not dozens of companies that have no idea that [APT10] has been or is still in their network,” said former deputy assistant AG for national security Luke Dembosky, who now works with companies attacked by groups including APT10.

Elsewhere, WSJ reports that Trump’s classified directive, dubbed National Security Presidential Memorandum 13, was issued nearly a year-and-a-half ago, and its “less restrictive rules for the military’s use of cyber weapons … has allowed the administration to rely on cyber operations to confront a broader array of threats and to react more nimbly to changing circumstances.”

But the administration has rejected “repeated bipartisan requests” to view the directive, which led “Congress to include a provision in its latest defense bill … that will require the president to allow selected congressional committees to read in a secure facility copies of the document and any other presidential memorandum relating to the Pentagon’s ‘operations in cyberspace’ within 30 days.”