In an effort to access corporate intellectual property and government secrets in the West, Chinese hackers have been conducting a massive “Cloud Hopper” hacking operation against tech providers that dates back to at least 2016. Even more worrisome, these Chinese hackers appear to be working directly with the Chinese Ministry of State Security, meaning that these attacks have at least the tacit approval of the highest echelons of the Chinese government. The elaborate operation victimized high-profile Western tech companies, including Hewlett Packard Enterprise and IBM, as well as other top tech providers around the world, including Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology.
Overall, the scale and scope of these Cloud Hopper attacks against tech providers represent one of the largest and most sustained corporate espionage efforts in history. According to Reuters, which first broke the story, Western cyber security experts began unraveling the full extent of the Chinese Cloud Hopper operation only in December 2018, when the U.S. government announced indictments against two Chinese nationals alleged to be part of the high-profile Chinese hacking unit APT10, which is known to be an adjunct of China’s Ministry of State Security. It now appears that the Chinese hackers were specifically targeting tech providers due to their access to a global client base in industries where corporate intellectual property has tremendous value. For example, several of the clients involved in the Cloud Hopper attacks conducted against tech providers include telecom giant Ericsson, travel reservation system Sabre, and military contractor Huntington Ingalls Industries.
How the Cloud Hopper operation was carried out
The Chinese hackers gained access to these high-profile companies via spear-phishing attacks carried out against tech providers. Once the hackers got their hands on important login credentials, they could then infiltrate the entire network and tap into the valuable client data residing in the cloud. As the name of the Cloud Hopper operation indicates, the hackers were then able to “hop” from cloud to cloud, accessing the data they needed. In some cases, this data included strategic plans, blueprints for products, and personal information about senior executives. In other cases, the Chinese hackers simply downloaded as much data as they could, without any real regard for how it might be used later. And, as these hackers encountered anti-virus software or other defensive measures, they often left behind taunting messages to the corporations, letting them know that these defensive measures would have little or no effect on their ability to conduct network intrusions.
For their part, the victimized tech providers at the center of the Cloud Hopper attacks deny that the Chinese hackers ever got their hands on any sensitive corporate secrets. For example, both Sabre and IBM say that there is “no evidence” that any sensitive corporate data was taken. And even cybersecurity forensics experts called in to examine how the Chinese hackers managed to keep their Cloud Hopper attacks going for such a long time without detection say that they can’t detail the full extent of the damage. All they can say is that the toll was “high” and that any corporate IP or government secrets accessed as part of the Cloud Hopper attacks were probably used as part of a sustained Chinese strategy to become the dominant technological and economic giant in the world.
Potential liability facing the world’s top tech providers
There is some concern in the tech world that the Cloud Hopper attacks could lead to a re-thinking of the role of cloud computing. Just a few years ago, “cloud computing” was a brand-new concept. But as tech consumers rapidly embraced the concept (such as by storing all of their music “in the cloud” rather than on their devices), it was only a matter of time before the largest corporations in the world hopped on the bandwagon. We’ve now reached a point where even companies that build nuclear submarines for the U.S. Navy are likely storing data in the cloud, and where the world’s top telecom giants are relying on cloud services provided by top tech providers. Thus, “cloud hopper” hacking operations are now a real risk to any corporation in the world.
Obviously, in the wake of the Reuters report on the Cloud Hopper operation, managed service providers have been quick to minimize any potential damages or liability as the result of the hacking initiative. First, they are stating that there is no damage or loss on their own IT systems. Second, they are telling clients that there was no damage or loss on their IT systems. If that’s the case, they might avoid lawsuits and regulatory action. But what if that’s not the case, and clients can prove they experienced a material impact on their operations? These technology service providers might be facing millions of dollars in potential liability for failing to defend their IT systems from external attack.
Corporations vs. nation-states
One big question to resolve is how to respond to nation-states such as China that appear to be aggressively targeting Western corporations. Should these corporations be given free rein to “hack back” and protect themselves from intruders? Should the U.S. government escalate the issue to the highest diplomatic levels? For example, back in 2015, the U.S. and China agreed to refrain from economic espionage. But if the Chinese Ministry of State Security is really involved in the Cloud Hopper attacks, as is suspected, then it would appear that China is saying one thing but doing another. That might necessitate the U.S. government stepping up its rhetoric against China or taking steps to punish the Chinese government for its sponsorship of rogue threat actors.
We now appear to have reached a point where it is impossible to separate cyber security issues from broader trade, economic and diplomatic issues. Any discussion of trade or economic policy, for example, must take into account what’s happening in the cyber realm. As a result, diplomats must search out new ways to stop global hacking initiatives from upsetting the current status quo in the world. Now is no time for hackers to overturn trade deals and economic alliances that have been put into place over the past few decades as they pursue short-term economic gains.