BusinessToday Previous Editions

BUSINESS TODAY 27 June 2019

Issue link: https://maltatoday.uberflip.com/i/1135882

After a 2015 tip-off from the U.S. Federal Bureau of Investigation about infected computers communicating with an external server, HPE combined three probes it had underway into one effort called Tripleplay. Up to 122 HPE-managed systems and 102 systems designated to be spun out into the new DXC operation had been compromised, a late 2016 presentation to executives showed.

An internal chart from mid-2017 helped top brass keep track of investigations code-named for customers. Rubus dealt with Finnish conglomerate Valmet. Silver Scale was Brazilian mining giant Vale. Greenxmass was Swedish manufacturer SKF, and Oculus covered Ericsson.

Projects Kronos and Echo related to former Swiss biotech firm Syngenta, which was taken over by state-owned Chinese chemicals conglomerate ChemChina in 2017 – during the same period as the HPE investigation into Chinese attacks on its network.

Ericsson said it does not comment on specific cybersecurity incidents. "Our priority is always to ensure that our customers are protected," a spokesman said. "While there have been attacks on our enterprise network, we have found no evidence in any of our extensive investigations that Ericsson's infrastructure has ever been used as part of a successful attack on one of our customers."

A spokesman for SKF said: "We are aware of the breach that took place in conjunction with the 'Cloud Hopper' attack against HPE … Our investigations into the breach have not found that any commercially sensitive information was accessed."

Syngenta and Valmet declined to comment. A spokesman for Vale declined to comment on specific questions about the attacks but said the company adopts "the best practices in the industry" to improve network security.

'Drunken burglars'

The companies were battling a skilled adversary, said Rob Joyce, a senior adviser to the U.S. National Security Agency. The hacking was "high leverage and hard to defend against," he said.
According to Western officials, the attackers were multiple Chinese government-backed hacking groups. The most feared was known as APT10 and directed by the Ministry of State Security, U.S. prosecutors say. National security experts say the Chinese intelligence service is comparable to the U.S. Central Intelligence Agency, capable of pursuing both electronic and human spying operations.

Two of APT10's alleged members, Zhu Hua and Zhang Shilong, were indicted in December by the United States on charges of conspiracy to commit computer intrusions, wire fraud and aggravated identity theft. In the unlikely event they are ever extradited and convicted, the two men would face up to 27 years in an American jail.

Reuters was unable to reach Zhu, Zhang or lawyers representing the men for comment. China's Foreign Ministry said the charges were "warrantless accusations" and it urged the United States to "withdraw the so-called lawsuits against Chinese personnel, so as to avoid causing serious harm to bilateral relations."

The U.S. Justice Department called the Chinese denials "ritualistic and bogus."

"The Chinese Government uses its own intelligence services to conduct this activity and refuses to cooperate with any investigation into thefts of intellectual property emanating from its companies or its citizens," DOJ Assistant Attorney General John Demers told Reuters.

APT10 often attacked a service provider's system by "spear-phishing" – sending company employees emails designed to trick them into revealing their passwords or installing malware. Once through the door, the hackers moved through the company's systems searching for customer data and, most importantly, the "jump servers" – computers on the network which acted as a bridge to client systems.
After the attackers "hopped" from a service provider's network into a client system, their behavior varied, which suggests the attacks were conducted by multiple teams with different skill levels and tasks, say those aware of the operation. Some intruders resembled "drunken burglars," said one source, getting lost in the labyrinth of corporate systems and appearing to grab files at random.

Hotels and submarines

It's impossible to say how many companies were breached through the service provider that originated as part of Hewlett Packard, then became Hewlett Packard Enterprise and is now known as DXC.

The HPE operation had hundreds of customers. Armed with stolen corporate credentials, the attackers could do almost anything the service providers could. Many of the compromised machines served multiple HPE customers, documents show.

One nightmare situation involved client Sabre Corp, which provides reservation systems for tens of thousands of hotels around the world. It also has a comprehensive system for booking air travel, working with hundreds of airlines and 1,500 airports.

A thorough penetration at Sabre could have exposed a goldmine of information, investigators said, if China was able to track where corporate executives or U.S. government officials were traveling. That would open the door to in-person approaches, physical surveillance or attempts at installing digital tracking tools on their devices.

In 2015, investigators found that at least four HP machines dedicated to Sabre were tunneling large amounts of data to an external server. The Sabre breach was long-running and intractable, said two former HPE employees.

HP management only grudgingly allowed its own defenders the investigation access they needed and cautioned against telling Sabre everything, the former employees said. "Limiting knowledge to the customer was key," one said. "It was incredibly frustrating. We had all these skills and capabilities to bring to bear, and we were just not allowed to do that."

"The security of HPE customer data is always our top priority," an HPE spokesman said.

Sabre said it had disclosed a cybersecurity incident involving servers managed by an unnamed third party in 2015. Media reports at the time said the hackers were linked to the Chinese government but did not name HP.

A Sabre spokeswoman said an investigation of the breach "concluded with the important finding that there was no loss of traveler data, including no unauthorized access to or acquisition of sensitive protected information, such as payment card data or personally identifiable information." The spokeswoman declined to comment on whether any non-traveler data was compromised.

NEWS failed fight against Hopper' hackers
