Details of the Cloud Hopper Attacks

Reuters has a long article on the Chinese government APT attack called Cloud Hopper. It was much bigger than originally reported.

The hacking campaign, known as "Cloud Hopper," was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.

Yet the campaign ensnared at least six more major technology firms, touching five of the world's 10 biggest tech service providers.

Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. HPE spun-off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.

Waves of hacking victims emanate from those six plus HPE and IBM: their clients. Ericsson, which competes with Chinese firms in the strategically critical mobile telecoms business, is one. Others include travel reservation system Sabre, the American leader in managing plane bookings, and the largest shipbuilder for the U.S. Navy, Huntington Ingalls Industries, which builds America's nuclear submarines at a Virginia shipyard.


Posted on July 10, 2019 at 5:51 AM • 17 Comments

Comments

par4July 10, 2019 9:42 AM

The stupidity will continue until we have a GDPR with strict reporting requirements in the US. Currently companies can report breaches whenever the hell they want, or never, with almost no consequences. Deregulation at its finest.

Fraud GuyJuly 10, 2019 11:36 AM

You mean "freedumb".

GDPR isn't perfect, but data breaches should have more than cosmetic consequences.

Jesse ThompsonJuly 10, 2019 5:02 PM

@parabarbarian

Ultimately, that's like saying "being able to see won't stop you getting shot".

When the bullet is already en route, perhaps not.

When you have a chance to find cover, maybe so.

If regulations like the GDPR can coerce companies into stitching security into their bottom lines instead of viewing it as a luxury, then good security practices can at minimum make Chinese state sponsored hacker's jobs a lot more difficult. This may translate to less value compromised, fewer targets successfully breached, etc even when the adversary has that much power.

RealFakeNewsJuly 11, 2019 4:32 AM

GDPR does nothing for security, the same way that trespassing laws do nothing for building standards.

GDPR is about what a company can legally do with data it collects, but if the legal jargon at the point of collection is carefully worded, it doesn't matter.

We need to fix the basic infrastructure if we're serious about fixing security.

It is NOT impossible to start again, and do things better. The sooner we start, the sooner we get there.

Peter GerdesJuly 11, 2019 6:02 AM

Far from showing the danger of the cloud I think the article suggests the cloud is a substantial security benefit for companies who are high value targets who don't themselves have large world class security departments. Yes, if you're a company that has special expertise in cybersecurity you might be worse off using a cloud service but most of HP's clients probably wouldn't have had the expertise to even detect such a sophisticated attack much less take the steps described to counter it.

One might worry that the centralization somehow makes the attacks easier or more productive but that's only really true if there was substantial diversity in the software they would use instead which often isn't true. Yes, the fact the Chinese targeted the cloud provider suggests they felt that it was a worthwhile attack in terms of risk/effort/reward but their risk/reward trade off is different than that of the companies who are being hacked. But as a potential cloud customer you care about the chance that *you* are hacked which likely goes down even if the benefit from other company's data on that cloud provider makes it a more attractive target to the Chinese.

True, if you judge yourself to be too insignificant to be hacked if it's anything but a freebie for the hacker you might be better off avoiding the cloud as far as APTs go but for such a company APTs are probably less of a risk for you than random grifters.

Petre Peter July 11, 2019 6:48 AM

If security comes by default, then for me, the cloud is the way of the future. However, I want encryption, I want search, I want an Export button. I also want the FCC to come up with something similar to GDPR.

War GeekJuly 11, 2019 9:39 AM


HP should explicitly state whether the Intelligently provisioning infrastructure was also compromised. If that was in their cloud then what guarantees do all the SMBs who used that have that they too aren't hosed. Attackers with access to IntProv's controls would have gained full console access to all those on premise hosts.

The HP marketing aggressive 'let us manage your on-prem servers for you' push began with the Proliant HP* Gen8 servers and continued throughout the time frame mentioned in this report.

WG

Peter GalbavyJuly 11, 2019 10:54 AM

@RealFakeNews - GDPR is much more than how personal data is used (and who owns it). It sets standards for how personal data is handled, stored and secured (from malicious or accidental disclosure to other parties as well as other uses) and also sets onerous - but good - reporting requirements on data processors in case of breaches etc.

tfbJuly 11, 2019 5:17 PM

@Peter Gerdes

I think there is a game theory thing here which needs to be worked out: If I am an organisation which may be a target but don't have my own security expertise, then I gain by outsourcing my computing & storage to someone who does. But if lots of organisations outsource things to the same supplier then, if that supplier is compromised, all of them are compromised, meaning that, while the risk to me goes down the overall risk may go up. And attackers are willing to work very hard indeed to compromise the supplier since the payoff is so big. Finally a compromise of a really large supplier (AWS, say) may have results which scale much worse than linearly: if enough (all) AWS users get compromised as a result then there may be systemic collapse of various kinds.

I think it would be worth actually formalising this: in fact I assume someone has done so! I'd like to see the maths, so if anyone has pointers...

RealFakeNewsJuly 11, 2019 11:00 PM

@Peter Galbavy:

As I understand it, GDPR only makes suggestions about securing data. It's not a requirement, and like PCIDSS, you're only compliant until your data is stolen.

GDPR is not the panacea many think it is. In fact, since its introduction, there have been several laws passed that fatally reduce the effectiveness of GDPR.

65535July 12, 2019 2:49 AM

@ tfb

"...there is a game theory thing here which needs to be worked out: If I am an organisation which may be a target but don't have my own security expertise, then I gain by outsourcing my computing & storage to someone who does. But if lots of organisations outsource things to the same supplier then, if that supplier is compromised, all of them are compromised, meaning that, while the risk to me goes down the overall risk may go up... attackers are willing to work very hard indeed to compromise the supplier since the payoff is so big. Finally a compromise of a really large supplier (AWS, say) may have results which scale much worse than linearly: if enough (all) AWS users get compromised as a result then there may be systemic collapse of various kinds... I'd like to see the maths..."

That is an interesting combinoral/stastical quesion! I also would like to see the math.

[Big problem]

Reuters:

"...corporate and government response to the attacks was undermined as service providers withheld information from hacked clients, out of concern over legal liability and bad publicity... HP management only grudgingly allowed its own defenders the investigation access they needed and cautioned against telling Sabre everything, the former employees said. “Limiting knowledge to the customer was key,” one said. “It was incredibly frustrating. We had all these skills and capabilities to bring to bear, and we were just not allowed to do that.” [Attackers] often attacked a service provider’s system by “spear-phishing” – sending company employees emails designed to trick them into revealing their passwords or installing malware. Once through the door, the hackers moved through the company’s systems searching for customer data and, most importantly, the “jump servers” – computers on the network which acted as a bridge to client systems" ...They [hackers] would grab reams of data before planned eviction efforts by HP engineers. Repeatedly, they took whole directories of credentials, a brazen act netting them the ability to impersonate hundreds of employees. The hackers knew exactly where to retrieve the most sensitive data and littered their code with expletives and taunts. One hacking tool contained the message “F*CK ANY AV” – referencing their victims’ reliance on anti-virus software. The name of a malicious domain used in the wider campaign appeared to mock U.S. intelligence: “nsa.mefound.com” -Reuters

ht tps://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/

[link broken to hamper bots]

Reuter's side bar [Picture of NSA's Mike Rogers]

[Cloud Data centers] ‘NO PANACEA:’ Former National Security Agency Director Mike Rogers said the case shows cloud computing can be compromised. REUTERS/Eric Thayer

[see link above]

Given that Cloud Data Centers are juicy targets for hackers, I can see why they would go after them. Once, the hackers gain a foot hold then they can move latterly [or East - West] and score big.

There are a number of employees who could bought-off or intimidated into aiding and abetting hackers.

Next, if the cloud data centers are in the USA the NSA/CIA/FBI could NSL them or legally put and implant in them [or simply break in and get what they want]. That is the problem with big data residing in the USA [or most Five eye countries].

If huge data companies can hide the breaches they will hide breaches. This is the way corporations work. Without actual hard data on breaches at data centers it hard calculate the odds of the next breach - or keeping your company's data in-house. GDPR would be a help but I don't see it coming to the USA any time soon.

I am sure there also various ways of damaging cloud data centers via sabotage or mistakes by employees. That a quick look at the Google outage:

[Arstechnia]

...the Internet had a conniption. In broad patches around the globe, YouTube sputtered. Shopify stores shut down. Snapchat blinked out. And millions of people couldn’t access their Gmail accounts. The disruptions all stemmed from Google Cloud, which suffered a prolonged outage—an outage which also prevented Google engineers from pushing a fix...The root cause of the outage, as Google explained this week, was fairly unremarkable. (And no, it wasn’t hackers.) At 2:45pm ET on Sunday, the company initiated what should have been a routine configuration change, a maintenance event intended for a few servers in one geographic region. When that happens, Google routinely reroutes jobs those servers are running to other machines, like customers switching lines at Target when a register closes. Or sometimes, importantly, it just pauses those jobs until the maintenance is over... next gets technically complicated—a cascading combination of two misconfigurations and a software bug—but had a simple upshot. Rather than that small cluster of servers blinking out temporarily, Google’s automation software descheduled network control jobs in multiple locations. Think of the traffic running through Google’s cloud like cars approaching the Lincoln Tunnel. In that moment, its capacity effectively went from six tunnels to two. The result: Internet-wide gridlock... Google’s network is designed to “fail static,” which means even after a control plane has been descheduled, it can function normally for a small period of time. It wasn’t long enough. By 2:47 pm ET, this happened: ...the lifeboats fill up in a specific order. “The network became congested, and our networking systems correctly triaged the traffic overload and dropped larger, less latency-sensitive traffic in order to preserve smaller latency-sensitive traffic flows,” wrote Google vice president of engineering Benjamin Treynor Sloss in an incident debrief, “much as urgent packages may be couriered by bicycle through even the worst traffic jam.” See? Lincoln Tunnel...Still, it’s unclear whether Google, or any cloud provider, can avoid collapses like this entirely. Networks don’t have infinite capacity... Arstechnia

https://arstechnica.com/information-technology/2019/06/the-catch-22-that-broke-the-internet/

On balance it would be interesting to see unbiased actual calculation on the odds of a individual being hacked or a cloud data center being hacked [The individual would presumably have backup capabilities]. Any odds makers want to give it a go?

Clive RobinsonJuly 12, 2019 8:27 AM

@ tfb,

But if lots of organisations outsource things to the same supplier then, if that supplier is compromised, all of them are compromised,

Actually your security probably goes down if you outsource to a supplier for a number of reasons.

Firstly a large supplier takrs hybrid vigour out of the market. Thus "one attack fits all" on that suppliers systems.

This actually is benificial in more than one way to an attacker. Because not only does the attack cost get spread across all those who outsourced to the supplier, making the actuall attack cost fall in real terms, it also makes availavle more targets than the attacker would have otherwise attacked.

That is bad as a small organisations security might be, it's probably sufficiently different to every other organisation that it requires a custom attack if the attacker wants to be stealthy. But even if the attacker does not care to be stealthy it's very much a target rich environmet, which means on the balance of probability that the small organisation would have not been successfully attacked.

Then of course there is the issue of overly broad National Security Letters or similar. There is a very high probabilty that the larger the supplier the more likely they are to have received one and the more likely it is to be overly broad in a number of ways...

On balance all but the smallest organisations are wiser to not out source business critical applications and data etc.

Mel OrcaJuly 12, 2019 10:23 AM

Question I would like to ask is:

When a company outsources their work to some offshore firm and gets an "IT Consultant" from them to work on some project for, say, some US-based customer, how do you make sure that said IT Consultant is not a hacker working for the foreign nations intelligence service?

JamesJuly 15, 2019 8:51 PM

Agree with the many statements on GDPR not not more effective than Prohibition, Sanctions, and every government enforced rule - no matter how expensive they make the fines... that cost will simply come back to the consumer to pay

As a penn tester I have social engineered my way right into very secure data centres and all it demonstrate that people will always be fallible. there is no amount of money or technology an company can throw at the solution that will adequately secure the human component... they will click that link, will be kind to that stranger, will pick up that usb, type the url from the txt message ,print a document, forward an email, work from home

the reality is - when using a large provider - your system sit behind millions of pre-investment (100's if not 10,000 times more than what you will spend yourself on security)

what is glaringly missing in nearly every successful penntest , is the lack of businesses to verify that they are getting the controls they assumed they are getting.. are you measuring the SLA's on a regular basis. When last did you do a vendor due-diligence

One of the biggest issues i see as a penn tester is that people outsource systems, assuming the 3rd party will magically fix their broken security ..... i.e. if I run my end-of-life and unsupported system in your secure cloud it will now be secure because you are certified

or why is my system exposed to the internet and with any business - the client is always right

Andrew MerryJuly 17, 2019 5:41 AM

As I have read the article, the content is really very informative and you will get to learn a lot of things regarding this topic and if required, you may also consult with snapchat australia for further details.

fred luisJuly 17, 2019 6:04 AM

I think we have roughly a generation before we have a solid police state that will offer total information control over the population. kitchen remodel

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.