WASHINGTON / LONDON / SAN FRANCISCO (Reuters) – Hackers working on behalf of the Chinese Ministry of Domestic Security broke into the networks of Hewlett Packard Enterprise Co and IBM and then used that access to hack into their customers' computers.
Signs for Hewlett Packard Enterprise Co. cover the facade of the New York Stock Exchange on November 2, 2015. REUTERS / Brendan McDermid / File Photo
The attacks were part of a Chinese campaign known as Cloudhopper, which the United States and the UK said on Thursday had infected technology service providers in order to steal their customers' secrets.
Although cybersecurity companies and government agencies have repeatedly warned about the threat posed by Cloudhopper since 2017, they have not disclosed the identities of the technology companies whose networks were compromised.
International Business Machines Corp stated that it has no evidence that sensitive corporate data has been compromised. Hewlett Packard Enterprise (HPE) said it could not comment on the Cloudhopper campaign.
Businesses and governments are increasingly turning to technology companies known as Managed Service Providers (MSPs) to remotely manage their IT operations, including servers, storage, networking, and help desk support.
Cloudhopper targeted MSPs to gain access to customer networks and steal corporate secrets from companies around the world, according to a US indictment of two Chinese citizens that was unsealed on Thursday. Prosecutors did not identify any of the MSPs that were breached.
Both IBM and HPE declined to comment on the specifics described by the sources.
"IBM was aware of the reported attacks and has already taken comprehensive countermeasures as part of our ongoing effort to protect the Company and our customers from ever-evolving threats," the company said in a statement. "We take the responsible handling of customer data very seriously and have no evidence that sensitive IBM or customer data has been compromised by this threat."
HPE said in a statement that in 2017 it spun off a large managed services business with Computer Sciences Corp., forming a new company, DXC Technology.
"The security of HPE customer data is our top priority," said HPE. "We cannot comment on the details described in the indictment, but HPE's Managed Services Providers business was switched to DXC Technology in 2017 in connection with the divestment of HPE's enterprise services business."
DXC Technology declined to comment, saying in a statement that it does not discuss specific cyber events and hacking groups.
Reuters was unable to confirm the names of other breached technology companies or identify affected customers.
The sources, who were not authorized to comment on confidential information obtained from investigations into the hacks, said that HPE and IBM are not the only prominent technology companies whose networks have been compromised by Cloudhopper.
Cloudhopper, which has been targeting technology service providers for several years, repeatedly infiltrated the HPE and IBM networks in breaches that lasted weeks and months.
IBM investigated an attack this summer, and HPE conducted an extensive investigation in early 2017.
The attackers are persistent, making it difficult to ensure network security, another source said.
IBM has dealt with infections by installing new hard drives and new operating systems on infected computers.
Cloudhopper attacks date back to at least 2014.
The indictment referred to a case in which Cloudhopper compromised data from an MSP in New York and customers in 12 countries, including Brazil, Germany, India, Japan, the United Arab Emirates, the United Kingdom, and the United States. The customers came from industries such as finance, electronics, medical devices, biotechnology, automotive, mining, and petroleum and natural gas exploration.
A senior intelligence official, who declined to name any victims that were breached, said attacks on MSPs were a significant threat because they essentially turned technology companies into launch sites for hacks on their customers.
"Access to an MSP gives you access to one of your clients in many cases," the official said. "Let's call it the Walmart approach: If I had to have 30 different items for my shopping list, I could visit 15 different stores or I could go to the one that has everything."
Representatives of the FBI and the Department of Homeland Security declined to comment. Officials from the US Department of Justice and the Chinese Embassy in Washington could not be reached.
A British government spokeswoman declined to comment on the identity of the companies affected by the Cloudhopper campaign or the impact of these breaches.
"A number of MSPs were affected, and naming them would have potential commercial consequences for them, unfairly penalizing them against their competitors," she said.
Reporting by Christopher Bing in Washington, Jack Stubbs in London, Joseph Menn in San Francisco; Editing by Jim Finkle and Jonathan Oatis