Report: Hackers Working for Chinese Intelligence Targeted Corporate Cloud Storage

The Wall Street Journal on Monday reported that a cyberattack identified in 2016 as “Cloud Hopper” was much larger than previously believed.

The attack, originally thought to have affected 14 companies, allegedly involved numerous massive corporate cloud storage providers based in several different countries that hackers linked to Chinese intelligence penetrated. According to the WSJ, hundreds of companies that used these cloud services may have had their data stolen, and some of their networks could remain compromised to this day.

The newspaper concluded that Cloud Hopper was the work of Advanced Persistent Threat (APT) 10, a hacking group tied to the Chinese Ministry of State Security. APT10 has operated under several code names, including Red Apollo, menuPass, CVNX, and Stone Panda.

The hacking group is believed to be based in the Chinese port city of Tianjin and is headed by Zhu Hua and Zhang Shilong, who have both been indicted and are wanted by the FBI but remain at large in China. Zhu Hua works under the hacker alias “Godkiller,” while Zhang Shilong likes to be called “Darling Dragon.”

FBI Director Christopher Wray described APT10’s targets as a “Who’s Who of the global economy” when announcing the indictments against Zhu and Zhang in 2018, but at the time they were thought to have raided 45 corporations at most. 

According to Monday’s WSJ report, the target list was much larger and included government databases as well, such as a raid on U.S. Navy personnel records. Data was stolen from corporations in the aviation, manufacturing, pharmaceutical, energy, legal, and information sectors. Among the highest-profile targets were Hewlett Packard and IBM.

“The hack illustrates a weakness at the heart of global business, with the biggest companies in the world increasingly storing their most sensitive data with cloud providers, also known as managed service providers, which have long touted their security,” the WSJ argued.

One reason the true scope of the hack was unclear for so long is that cloud storage providers were extremely reluctant to discuss how thoroughly their systems were allegedly penetrated. Many of them still refused to discuss Cloud Hopper when the WSJ contacted them for comment. U.S. government security agencies and private investigators were said to be frustrated at the lack of cooperation from cloud providers, to the point where federal contracts with the companies may be rewritten to compel greater transparency in the future.

APT10’s exact methods are still mysterious, although the group is often described as masters of the “spear phishing” technique, in which the employees of targeted companies are tricked into revealing passwords or installing viral software on their computers by emails that appear to come from trusted friends and associates. One of the earliest known Cloud Hopper exploits involved data from a mining company stolen through spear phishing in 2013.

In a Cloud Hopper attack on a Norwegian company called Visma uncovered in 2018, the intruders stole valid user names and passwords with spear phishing, used the stolen credentials to install commercially available remote-control software on the targeted computers, and then used their remote access to install a plethora of viruses. Once they were able to create a copy of the data they wanted, they used more readily available commercial software to compress the data and send it to a cloud storage account of their own.

Investigators described APT10 as highly organized and businesslike, with a habit of sending in “Tuesday teams” of hackers every week to make sure stolen passwords were still valid, and presumably giving all-clear signals to other teams that entered the systems to steal data. The hackers were so comfortable inside targeted systems that they taunted security teams and stashed data from other heists onto systems they penetrated. 

At a huge cloud service called HPE, the intruders reportedly hacked the corporate security team, quietly watched it clean out the viruses they had deposited in the main system, and then slipped back into the “clean” systems and contaminated them all over again.

Many details of Cloud Hopper remain unknown, or at least have not been disclosed to the public by investigators. The hack was clearly many times larger than originally believed, but no one is entirely sure how big it was, or what was done with the stolen data. 

Most disturbingly, although APT10’s activity fell off after Zhu and Zhang were indicted, it is not known how many computer systems are still compromised. APT10 is notoriously persistent, frequently returning to systems they were ejected from to attack again.

“The question is, just what is it they’re doing? They haven’t disappeared. Just whatever they are doing at the minute isn’t visible to us,” PricewaterhouseCoopers investigator Kris McConkey told the WSJ.