China (APT10/Cloud Hopper): In 2016 an investigation uncovered an operation, dubbed Cloud Hopper, being carried out by the threat group APT10, which is believed to be linked to the Chinese intelligence service. Recent breakthroughs in the investigation have revealed that the operation was much farther reaching than initially believed. It is now being reported that the intrusion goes well beyond the original 14 companies that were revealed in the criminal indictment unsealed last December and now includes at least a dozen cloud providers. The investigation was conducted by members of the Wall Street Journal through interviews with members of government organizations, as well as multiple security organizations involved in the investigations. The intrusions into cloud providers beyond the initially believed scope mean that the number of victims of the campaign was also significantly greater than previously believed. FBI Director Chris Wray called it the hackers’ equivalent of stealing the master keys to an entire apartment complex. Between April and mid-November there were still thousands of IP addresses globally which were reporting back to APT10’s servers. Private organizations weren’t the only ones hit hard by the campaign; the U.S. Navy had detailed personnel records for more than 100,000 employees stolen. During the course of the investigation, it was discovered that many customers of affected cloud service providers were stonewalled by providers when inquiring about what was happening inside their networks.
Analyst Notes
This campaign highlights the increased vulnerabilities caused by the remote storage of highly sensitive data. When an organization relies on an external entity to store their data, they are also relying on those organizations to properly protect that data. Monitoring workstations and servers for unusual behaviors and data access patterns that may indicate an attacker has control of an authorized account is an important component of a strong defense, especially in situations such as this, when attackers abuse a third-party trust relationship with a cloud service provider. Many of the affected organizations, including the U.S. government, had difficulty attempting to obtain a full accounting of what happened on the providers’ networks during this campaign. The U.S. government is now looking at revising federal contracts to include provisions which would force providers to comply with probes in the future. Other organizations may benefit from including similar provisions in contracts with cloud service providers to ensure that they too are able to obtain a full accounting of any risks that their data are exposed to. Binary Defense provides managed security services, including SIEM monitoring and managed endpoint detection and response that can detect attacker behaviors and quickly respond to contain threats. Further details can be found at https://www.foxbusiness.com/technology/major-us-companies-breached-robbed-and-spied-on-by-chinese-hackers
