Chinese hackers gained access to clients of huge American corporations, according to a report from Reuters.
The hackers, working for China’s Ministry of State Security, broke into the networks of Hewlett Packard Enterprise (HPE) Company and IBM, among other unnamed companies. Once they had access to those companies, the hackers went after the clients. Reuters cited five anonymous sources that were familiar with the attacks.
The hacks are part of a larger Chinese campaign named Cloudhopper, which cybersecurity firms and governments have been warning about since at least 2017.
The hackers used a unique method to gain access. Most large companies use what are called managed service providers (MSPs) to handle the day-to-day operations of certain technological functions of a company, like information technology and networking, servers, storage and help-desk services. The Cloudhopper campaign targeted MSPs to get access to companies’ client lists and steal secrets from them, according to a U.S. indictment of two Chinese individuals unsealed on Thursday (Dec. 20).
In a statement, IBM said it takes its customers’ data seriously. “IBM has taken extensive counter measures worldwide as part of its continuous efforts to protect itself and its clients against constantly evolving threats,” the company said. “We take responsible stewardship of client data very seriously and have no evidence that sensitive IBM or client data has been compromised.”
HPE commented that it had outsourced its MSP business in a 2017 partnership with a company called Computer Sciences Corp. and formed a new company called DXC Technology.
“The security of HPE customer data is our top priority,” HPE said. “We are unable to comment on the specific details described in the indictment, but HPE’s managed services provider business moved to DXC Technology in connection with HPE’s divestiture of its enterprise services business in 2017.”
Some of the data breaches lasted for months, according to sources. A senior intelligence official who spoke to Reuters said the technique of going after the MSPs was especially effective.
“By gaining access to an MSP, you can in many cases gain access to any one of their customers,” the official said. “Call it the Walmart approach: If I needed to get 30 different items for my shopping list, I could go to 15 different stores or I could go to the one that has everything.”