Skip to Content
Global News Select

Ghosts in the Clouds: Inside China's Major -2-

"We worked diligently to remediate the intrusions until we were confident the intruders were eliminated from the systems in question," said Mr. Bauer, the HPE spokesman.

In the midst of the attacks, HPE spun off its enterprise cloud business into a new company, known as DXC Technology. HPE has said in public filings at the time that there were no "security breaches" resulting in material losses.

DXC spokesman Richard Adamonis said that "no cyber security incident has resulted in a material adverse effect on DXC or DXC's customers."

A Philips spokesman said services provided by HPE "did not involve the storage, management, or transfer of patient data."

Fighting back

The first real counterstrike began to take shape in early 2017. The growing team of fighters now included several security firms, infected cloud companies and dozens of victims.

The cloud companies, some of which had initially resisted sharing information, had become more cooperative after pressure from Western governments, several people familiar with the matter said.

First, investigators added fake calendar entries in victims' systems, to give hackers the false impression that IT executives would be out of town at a weekend off-site. The goal: to give the hackers a sense that the company didn't suspect anything was wrong and the hackers remained undetected.

Then, the investigators jumped in outside the hackers' usual operating hours and abruptly severed their access, shutting down compromised accounts and isolating infected servers.

APT10 soon came back, this time targeting new victims, including financial services companies, investigators said.

One of the new targets was IBM, which offers cloud services to many Fortune 500 firms, as well as to government agencies like the General Services Administration, the Department of the Interior and the U.S. Army.

A spokeswoman said the GSA works with a number of cloud companies, is aware of Cloud Hopper and "continues to remain vigilant in the management of security threats." The Department of the Interior and the Army declined to comment.

Very little is known about what happened inside IBM. The hackers had become better at hiding and routed their attacks through multiple layers of anonymous servers.

U.S. officials described a sense of panic throughout 2017 and 2018 as they learned of new APT10 hacks. The situation became so dire, they issued a rare public warning, saying the attackers had struck critical infrastructure, including IT, energy, health care and manufacturing.

The Trump administration spent months wrangling over what a case would look like against the hackers, what to disclose and how it might disrupt trade talks. Former U.S. officials familiar with the investigation said they originally hoped to sanction Chinese entities associated with the hack and name about a half-dozen Chinese nationals, including some with direct ties to Chinese intelligence.

In the end, only two were named. People close to the case said an operation like Cloud Hopper would require a far larger staff, including developers, intrusion operators and linguists to handle all the stolen material.

Of the two named, there is little information about Zhu Hua, known online as Godkiller. The other, Zhang Shilong, called "Darling Dragon," was linked by researchers to a social media account that posted about the study of hacking.

Both are still likely in China and could serve up to 27 years in prison for charges of conspiracy, wire fraud and identity theft. The U.S. doesn't have an extradition agreement with China. The Journal couldn't locate them for comment.

Intelligence intercepts collected at the time showed Chinese operators celebrating their newfound notoriety, according to a former U.S. intelligence official.

Today, much remains unknown about plans to use the pilfered data. Unlike in other attacks, the troves of commercial data don't appear to be for sale on the dark web, several investigators said.

The Cloud Hopper attacks continue to be of enormous interest to federal investigators, who are working to unravel whether the campaign is connected to other significant corporate breaches where China is a suspect, according to a current U.S. official.

The final tally of the Cloud Hopper campaign -- both in the total potential access to networks and how much data China ultimately stole -- remains unknown to researchers and Western officials.

While U.S. officials and security firms say they have seen a drop off in APT10's activity over the past year, the threat to cloud providers remains. Security researchers from Google recently reported that Russian state-backed hackers have been trying to break into managed service providers, which have also become targets by criminals.

"I'd be shocked if there were not dozens of companies that have no idea that [APT10] has been or is still in their network," said Luke Dembosky, a former deputy assistant attorney general for national security who now works with companies attacked by groups including APT10.

"The question is, just what is it they're doing?" said Mr. McConkey. "They haven't disappeared. Just whatever they are doing at the minute isn't visible to us."

--Eva Dou and Aruna Viswanatha contributed to this article.

Write to Rob Barry at and Dustin Volz at


(END) Dow Jones Newswires

December 30, 2019 13:17 ET (18:17 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.