As the US rallies its western allies to resist China’s state-backed hackers, who have stolen countless trade secrets from companies across the globe, one operation has generated indictments in the US after it was revealed that hackers infiltrated US-based managed-service providers (MSPs) and used them as a springboard to infiltrate hundreds of those providers’ clients.
Operation Cloudhopper, as it’s called, is one of the most extensive Chinese hacking campaigns ever exposed. The DOJ has already brought charges against some of the hackers allegedly responsible (though it’s unlikely they will ever see the inside of a US courtroom or jail cell). During Cloudhopper’s heyday, the MSS-affiliated hacking group known only as “APT10” (Advanced Persistent Threat 10) infiltrated storied US firms including IBM and HP.
It was widely believed by intelligence officials that APT10 targeted MSPs in Europe, Asia and beyond, as well as in the US. Now those suspicions have been publicly confirmed thanks to a Reuters report.
According to Reuters, APT10 also targeted a Norwegian MSP called Visma during Operation Cloudhopper. The same anonymous sources who informed Reuters of the Visma breach warned that “many more” MSPs were likely also targeted.
Visma took the decision to talk publicly about the breach to raise industry awareness of the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order to reach their clients.
Cyber security firms and Western governments have warned about Cloudhopper several times since 2017 but have not disclosed the identities of the companies affected.
Reuters reported in December that Hewlett Packard Enterprise Co and IBM were two of the campaign’s victims, and Western officials caution in private that there are many more.
At the time IBM said it had no evidence sensitive corporate data had been compromised, and Hewlett Packard Enterprise said it could not comment on the Cloudhopper campaign.
However, the Visma breach could potentially be devastating for the European economy, because the Norwegian software firm provides business software products to some 900,000 businesses of all sizes across Scandinavia and Europe. Visma itself takes in $1.3 billion in revenue a year. If there is a silver lining, according to Espen Johansen, Visma’s security manager, it’s that the attack was detected “shortly” after the hackers gained entry into Visma’s systems. Johansen said he’s “confident” no client networks were accessed.
But being confident isn’t the same thing as being certain.
“But if I put on my paranoia hat, this could have been catastrophic,” he said. “If you are a big intelligence agency somewhere in the world and you want to harvest as much information as possible, you of course go for the convergence points, it’s a given fact.”
“I’m aware that we do have clients which are very interesting for nation states,” he said, declining to name any specific customers.
Two security consultants quoted in the Reuters story pointed out that these types of attacks are particularly troublesome for independent companies. If anything, this case shows that as firms devote more resources to improving their own cybersecurity, hackers are adapting by finding other ways in, like finding a point of entry elsewhere along the supply chain.
Paul Chichester, director for operations at Britain’s National Cyber Security Centre, said the Visma case highlighted the dangers organizations increasingly face from cyber attacks on their supply chains.
“Because organizations are focused on improving their own cyber security, we are seeing an increase in activity targeting supply chains as actors try to find other ways in,” he said.
Priscilla Moriuchi, director of strategic threat development at Recorded Future and a former intelligence officer at the U.S. National Security Agency, said the hackers’ activity inside Visma’s network suggested they intended to infiltrate client systems in search of commercially sensitive information.
“We believe that APT 10 in this case exploited Visma networks to enable secondary operations against Visma’s customers, not necessarily to steal Visma’s own intellectual property,” she said. “Because they caught it so early they were able to discourage and prevent those secondary attacks.”
According to a report issued by a private security firm, APT10 first accessed Visma’s network using a stolen set of login credentials. As global security officials unravel the true extent of Operation Cloudhopper, we imagine these revelations won’t exactly assuage US fears that China has no intention of stopping its campaign to steal trade secrets by any means necessary, as the DOJ indictment against Huawei recently showed.