Ghosts in the clouds – mysterious Chinese attack
- Tram Ho
Lasting for more than 10 years, "ghosts" attacked the data clouds of US companies and left investigators bewildered. No one can confirm that the attacks have ended.
The attack was like stealing the master key to a building.
The hacker group, later identified as APT10, attacked a variety of cloud service providers. In the immediate aftermath of the attack, the list of known victims was only 14 unnamed companies.
After the incident, many cloud service providers tried to withhold information about the attack. The true scale was only revealed after the Wall Street Journal investigated and showed that the list of victims ran to dozens of companies, including big names such as IBM, CGI Group (a major Canadian cloud provider) and Tieto Oyj, a large Finnish business.
Thousands of victims
According to the Wall Street Journal, the APT10 attack and the subsequent response by Western security companies is one of the largest ever. Hundreds of companies have been hacked through cloud service providers, including many big companies like Philips, American Airlines, Deutsche Bank and GlaxoSmithKline.
Hewlett Packard Enterprise (HPE), one of the hacked cloud service providers, was even breached and re-entered by the hackers many times without knowing it, while still claiming to have eliminated all risks. FBI Director Christopher Wray likened the attack to taking the master key to a building.
FBI Director Christopher Wray announced that two Chinese hackers were charged in the APT10 case.
So far, no one has concluded whether the hacker group has been completely removed from the networks or is still quietly stealing data. According to security company SecurityScorecard, by mid-November there were still thousands of IP addresses associated with APT10's networks.
The US government said APT10 stole the personal data of more than 100,000 US Navy personnel.
The attack has exposed the economy's vulnerability: many companies store their sensitive data on cloud servers that belong to a few large vendors. Providers always talk up their security capabilities, but the reality is not so.
Attacking like ghosts
The attack was named Cloud Hopper, and it was unusual behavior for a high-profile group of hackers from China known as APT10. Security researchers have been tracking APT10 for a decade, during which it has attacked government organizations, engineering companies and the aviation industry. US investigators suspect that several members belong to China's Ministry of State Security, but most remain in the dark.
The first targets, such as the mining company Rio Tinto, were hacked through the cloud provider CGI in 2013. Nobody knows what information the hackers took, but some investigators suspect that information about prospective mining sites could be used in land deals.
Technology giants such as IBM and HP also could not avoid this attack.
"Their attacks look like normal visits. It is a very serious matter," said Orin Paliwoda, the FBI agent investigating the Cloud Hopper case.
During a security assessment in early 2016, Kris McConkey, a cybersecurity specialist at PricewaterhouseCoopers, noticed signs of a full-scale attack. At first he thought it was a single attack, but then realized the problem was much more serious when many other companies were attacked in the same way.
"When you realize there are many similar attacks, you begin to realize the seriousness of the problem," McConkey said.
The hackers worked in teams. One team would try to steal every account and password it could, then another team would use those accounts to steal information a few days later.
Another unusual behavior: the hacker group used one victim's infrastructure to store information obtained from another victim. After a few months of hunting, McConkey finally caught the behavior of these "ghosts".
One of the hacker group's biggest targets was HP Enterprise (HPE), a cloud service provider for thousands of companies. Philips, an HPE customer, stores tens of thousands of terabytes of data on HPE systems, including a great deal of clinical and user health data.
"APT10 members conducted major offensive campaigns, targeting US government agencies and US and global companies, stealing hundreds of gigabytes of confidential intellectual property and business information." FBI Director Christopher Wray.
APT10 had been attacking HPE since 2014, breaking into the network of HPE's own network security team. When HPE worked to remove the malicious implants, the hacker group observed the whole cleanup process and then broke in again.
The response
The first counter-attack took place in early 2017. Dozens of members of the security research teams of the affected companies came together to trap the hacker group.
First, fake calendars were set up so that the hacker group would think the security experts were away from the systems. This is how the expert team caught the hackers off guard. Shortly thereafter, they interrupted the hackers' activity in order to quickly identify the compromised accounts and infected servers.
APT10 of course did not give up. They returned with new targets, such as financial companies, and this time also targeted IBM, one of the world's largest service providers.
Hackers even infiltrated the network of HP's cybersecurity team, making it easy to get back in after the company's "vulnerability scanning" effort.
According to many US government officials, the new APT10 attacks in 2017-2018 worried observers. In October 2018, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) had to issue a warning that a series of critical infrastructure operators had been hacked.
After months of investigation, in December 2018 the US charged only two individuals involved in the attack, instead of the many organizations directly tied to China that it had originally hoped to name. According to the Wall Street Journal, many experts said that two hackers alone could not have carried out attacks on the scale of the Cloud Hopper case.
Zhu Hua and Zhang Shilong, the two individuals named by the United States, are most likely in China. The two hackers could face up to 27 years in prison on charges of conspiracy, wire fraud and identity theft, but the United States has no extradition agreement with China.
Deputy Attorney General Rod Rosenstein said the defendants worked for Huaying Haitai Science and Technology Development Company in Tianjin, China, and acted on behalf of the Tianjin office of the MSS.
Unlike typical criminal attacks, the hacker group in the Cloud Hopper case did not steal information in order to sell it. So far, investigations have failed to confirm how the stolen data was used.
"I would not be surprised if dozens of companies do not know whether they have been attacked by APT10, or are still being hacked," said Luke Dembosky, a US national security expert.
"The question remains the same: what did they do? This hacker group has never disappeared. They are still taking action, but we do not realize it," Mr. McConkey commented.
Source: Techtalk