In December 2019, the U.S. government issued indictments against two Chinese hackers who were allegedly involved in a multi-year effort to penetrate the systems of companies managing data and applications for customers via the computing cloud. The men, who remain at large, are thought to be part of a Chinese hacking collective known as APT10.
A recently published investigation by the Wall Street Journal revealed that the hacking campaign, dubbed “Cloud Hopper” by security researchers, affected a wider set of cloud companies than was previously thought. The hackers used their access to these firms to target some of their customers in what has become one of the biggest corporate espionage efforts in history.
The latest news is unlikely to deter businesses from entrusting more of their data and applications to the computing cloud as they seek to drive down costs and boost efficiency. But the affair holds some important security lessons for CIOs and other senior tech executives overseeing cloud projects:
Nation-state hackers are now the biggest threat to cloud security
CIOs have long counted on the fact that managed service providers (MSPs), who hold data and manage applications for businesses via the cloud, can invest far more in cybersecurity defenses than most companies. By handing over management of data and applications to MSPs, customers receive a higher level of protection in return. Bruce Schneier, a well-known security expert, has described this arrangement as “feudal security”.
In reality, responsibility for cybersecurity is shared between cloud providers and their customers, but the underlying assumption has been that cloud businesses are far less likely to be compromised because of their ability to spend so heavily on defenses. That spending was enough to deter most cyber criminals, but the rise of nation-state hackers has created a group with the means and patience to take on even the big-spending cloud companies.
The Cloud Hopper attackers, who had been at work for a number of years before they were discovered, reportedly targeted at least a dozen MSPs, including IBM and DXC Technology in the U.S., and CGI in Canada. If they found weaknesses in cloud companies’ defenses, they exploited them to hop across different customers’ networks, stealing intellectual property, security clearances and other data as they went.
Cloud companies can still get basic cyber hygiene wrong
Cloud companies are investing heavily in the latest and greatest security automation tools. But these are of little value if basic security practices aren’t effective. The attackers behind Cloud Hopper gained their initial foothold by sending spoofed emails to workers at cloud businesses. They then used the access these “spear-phishing” attacks gave them to install malware that harvested further credentials and carried out reconnaissance.
Once inside cloud companies’ systems, the hackers were able to find so-called “jump servers”, the administrative hosts through which the provider’s staff reach different customers’ networks, and use them to move from one customer to the next. They were certainly highly skilled, managing to blend their activity in with normal administrative traffic, but better network segmentation and monitoring would almost certainly have helped limit the damage: an account that reaches several customers’ networks in quick succession is a pattern a provider can watch for. The lesson here is for CIOs and their security teams to put even more focus on basic cyber hygiene as part of their due diligence efforts when sizing up cloud providers.
Shared infrastructure inevitably creates hidden risks
There is a level of risk in cloud services that isn’t visible to the customers using them. Even if a company has done robust due diligence on an MSP, there is always a risk that hackers can breach another of the MSP’s customers that has relatively weak security and then use that access as a jumping-off point into the cloud company itself. From there, they can attack other customers using its services in the same way the Cloud Hopper hackers did. Preventing this is hard, but one important step is to ensure that use of “jump servers” is subject to especially tight security: each account should be able to reach only the customer networks it has a reason to manage, and the sessions it opens should be logged and reviewed.
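The monitoring the two sections above call for can be illustrated with a small detection script. This is an added example, not code from the Wall Street Journal investigation or from any of the providers the page names: the log line format, the host name `jump01`, the tenant subnets and the account names are all constructed for illustration, as is the rule that an account is only allowed into the tenants listed for it. The script parses forwarding records from a jump server, flags any account that reaches a customer network it is not authorized for, and separately flags any account (authorized or not) whose sessions reach two or more distinct customer networks within a one-hour window, which is the cross-customer hopping pattern described above.

```python
"""Tenant-hopping detection over jump-server session records.

Added example; the record format, tenant ranges and accounts are
constructed for illustration and are not taken from any real system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed: which customer ("tenant") network each destination range belongs to.
TENANT_NETWORKS = {
    "customerA": ipaddress.ip_network("10.10.0.0/16"),
    "customerB": ipaddress.ip_network("10.20.0.0/16"),
    "customerC": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed: least-privilege allow-list of which accounts may reach which tenant.
ACCOUNT_TENANTS = {
    "svc-custA-ops": {"customerA"},
    "svc-custB-ops": {"customerB"},
    "eng.jdoe": {"customerA", "customerB", "customerC"},  # provider-wide admin
}

# Constructed record format: "<ts> jump01 sshd[<pid>]: <user> from <src> forward to <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) jump01 sshd\[\d+\]: (?P<user>\S+) from (?P<src>\S+) "
    r"forward to (?P<dst>[\d.]+):\d+$"
)

# Constructed sample log: one single-tenant service account that suddenly reaches
# three tenants, and one admin who legitimately touches several tenants.
SAMPLE_LOG = """\
2019-12-01T08:00:01Z jump01 sshd[4101]: svc-custA-ops from 192.0.2.10 forward to 10.10.5.20:3389
2019-12-01T08:02:30Z jump01 sshd[4102]: svc-custA-ops from 192.0.2.10 forward to 10.20.7.9:445
2019-12-01T08:05:12Z jump01 sshd[4103]: svc-custA-ops from 192.0.2.10 forward to 10.30.1.4:445
2019-12-01T09:15:00Z jump01 sshd[4110]: eng.jdoe from 192.0.2.44 forward to 10.10.0.8:22
2019-12-01T09:16:00Z jump01 sshd[4111]: eng.jdoe from 192.0.2.44 forward to 10.20.0.8:22
2019-12-01T13:16:00Z jump01 sshd[4112]: eng.jdoe from 192.0.2.44 forward to 10.30.0.8:22
"""


def tenant_for(ip_str):
    """Map a destination address to its tenant name, or None if it is in no known range."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in TENANT_NETWORKS.items():
        if ip in net:
            return name
    return None


def parse_line(line):
    """Parse one forwarding record into an event dict; return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "tenant": tenant_for(m["dst"]),
    }


def unauthorized_access(events):
    """Rule 1: an account reaching a tenant it is not allowed into, or an unknown network."""
    findings = []
    for e in events:
        allowed = ACCOUNT_TENANTS.get(e["user"], set())
        if e["tenant"] is None or e["tenant"] not in allowed:
            findings.append((e["user"], e["tenant"], e["ts"]))
    return findings


def tenant_hops(events, window=timedelta(hours=1)):
    """Rule 2: an account whose sessions reach two or more distinct tenants within `window`.

    Fires even when each individual access is authorized, because rapid movement
    across customers is the pattern worth reviewing regardless of the allow-list.
    Returns {user: set of tenants seen together inside some window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["tenant"] is not None:
            by_user[e["user"]].append(e)
    hops = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()  # sliding window of events no older than `window`
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            tenants = {r["tenant"] for r in recent}
            if len(tenants) >= 2:
                hops.setdefault(user, set()).update(tenants)
    return hops


def analyze(log_text, window=timedelta(hours=1)):
    """Run both rules over a block of log text."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {"unauthorized": unauthorized_access(events), "hops": tenant_hops(events, window)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for user, tenant, ts in result["unauthorized"]:
        print(f"HIGH   {ts:%H:%M} {user} reached {tenant} without authorization")
    for user, tenants in result["hops"].items():
        print(f"MEDIUM {user} reached {sorted(tenants)} within one hour")
```

On the constructed sample, the service account trips both rules (it reaches customerB and customerC without authorization, and all three tenants within six minutes), while the admin trips only the hopping rule for customerA and customerB, since the customerC session four hours later falls outside the window. The window length and the decision to treat authorized hopping as a medium-severity finding are tuning choices; what matters is that the provider keeps the forwarding records at all and reviews them per account rather than per customer.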
The cloud must be treated as an extension of a company’s network
Shifting workloads and data to cloud providers can lull companies into a false sense of security. “You think you can set it and forget it, but you can’t,” says Ed Cabrera, chief cybersecurity officer of Trend Micro and a former chief information security officer of the U.S. Secret Service.
The same practices CIOs would apply to their companies’ on-premises systems should guide how they approach the cloud, too. These include ensuring that strong encryption is used for intellectual property and other sensitive data residing in cloud services, and that secrets such as the keys used to call application programming interfaces are stored and rotated securely rather than left in code or configuration files. When companies set up cloud deals, they often think they can save money on security, but cutting too deep could leave them more vulnerable.
Getting information about suspected breaches can be a challenge
Investigators from the U.S. Department of Homeland Security (DHS) trying to uncover the full extent of the Cloud Hopper campaign have found it hard to build a clear picture because MSPs have sometimes been reluctant to share information with their customers, according to the Wall Street Journal’s investigation.
Cloud companies such as IBM and DXC have repeatedly claimed they have worked closely with any client concerned about the attacks and that there have been no material adverse impacts on customers.
The Cloud Hopper campaign nevertheless raises important questions about whether more can be done to improve collaboration in future. The DHS is reportedly keen to add clauses to cloud contracts that would compel providers to participate fully in any future breach investigations. Companies may want to review their own contracts too. “Transparency will not emerge on its own,” says Matt Butkovic, technical director, cyber risk and resilience at Carnegie Mellon University’s Software Engineering Institute. “It’s going to require direct action by the consumers of cloud services.”