
The West’s failed fight against China’s ‘Cloud Hopper’ hackers
https://www.reuters.com/article/us-china-cyber-cloudhopper-special-repor/special-report-inside-the-wests-failed-fight-against-chinas-cloud-hopper-hackers-idUSKCN1TR1DK
======
SiempreViernes
So basically, the cloud providers got hacked over and over but didn't tell all
their clients, who in turn had to discover they used a provider with bad
security one by one.

I don't know if the fact HP got hacked repeatedly is stronger evidence in
favour of the competence of the attacker or of the incompetence of HP.

~~~
placatedmayhem
Why not both? At least, it's safer to assume both when choosing a platform and
where to spend dollars. Security is important yet, in my experience, even more
underfunded than reliability -- features are generally king. A platform that
repeatedly gets breached shows they don't value security as much as they
should. An attacker that has been successful previously should continue to be
successful except against those targets that secure themselves.

------
Angostura
Some top-notch reporting from Reuters here, I think. Kudos to them for sinking
this level of editorial resource into a story.

------
C1sc0cat
Shows the advantage of on prem vs cloud

~~~
a012
It's just the medium, your servers are vulnerable no matter on prem or cloud.

~~~
scurvy
The authors of SPECTRE, Meltdown, Rowhammer (1-4), and whatever else is next
would probably disagree with you. Running in cloud providers absolutely
without doubt exposes your presence to hostile neighbors scheduled on the same
hypervisor.

~~~
robocat
Security is all about making the best compromises and shoring up the weakest
links.

SPECTRE, Meltdown, Rowhammer are just a few risks amongst thousands. Most
importantly they at least have runtime signatures that could be detected.

There are weaker areas for directed attacks against an organisation (e.g.
spear-phishing).

When attacked by highly skilled, highly motivated, highly resourced and
foreign opponents, an org may find they are better relying upon an external
team for securing their VMs. I would expect Google Cloud to be far better than
the majority of Fortune 500 companies at securing hypervisors and VMs.

~~~
scurvy
a) You're ignoring the "and whatever else is next" part of my statement. If
you're on-prem, you don't need to worry about hostile neighbors. Google Cloud
engineers could be great at securing public cloud workloads, but even they
don't know what's yet to be found.

b) You're not running untrusted, random stranger code on your Fortune 500
VMs. I can't sign up for an account on Ford's VMs and start ripping through
memory like I can with a public cloud.

------
nova22033
>APT10 often attacked a service provider’s system by “spear-phishing” –
sending company employees emails

sigh...

~~~
kache_
It's a fairly complex and difficult task to phish proof your corporation.

~~~
0xcde4c3db
Especially when IT is more interested in outsourcing every possible service to
a different company/domain. Office 365 alone involves a pretty staggering
number, including such self-evidently trustworthy gems as
"microsoftonline.com", "azurewebsites.net", and "aka.ms". It's hard to keep up
with what's legitimate when seemingly everything you do involves a different
domain with a different design language and account management process. Then
there's the increasingly popular practice of running things "in-house" but
actually on some half-assed cloud stack (What the heck _are_ those stupid
CloudFront subdomains, anyhow?).

~~~
raghava
> It's hard to keep up with what's legitimate when seemingly everything you do
> involves a different domain with a different design language and account
> management process.

Seriously, right!

[https://microsoftazuresponsorships.com](https://microsoftazuresponsorships.com)
[https://getlicensingready.com/](https://getlicensingready.com/)
[https://sysinternals.com](https://sysinternals.com) (fairly popular and well-known!)
[https://www.microsoftpartnercommunity.com/](https://www.microsoftpartnercommunity.com/)
[https://azureedge.net](https://azureedge.net)

etc

~~~
zantana
More egregious to me has always been my various banks which start out with
bankofamerica.com, chase.com etc but after authentication and some hops I'm
usually at something phishtastic like bankfrontend.com.

~~~
qseraserasera
Reading this gives me anxiety.

------
AimForTheBushes
So they're state sponsored attacks and then they deny any and all culpability?
Europe needs to join the hard line on China.

~~~
echevil
So where's the proof that they are state sponsored? I failed to find that from
the article?

~~~
AimForTheBushes
> Computer systems owned by a subsidiary of Huntington Ingalls were connecting
> to a foreign server controlled by APT10.

APT10 is a state sponsored hacking group.

~~~
boomboomsubban
How are you making that claim? The only evidence I can find is an Uber receipt
showing someone allegedly connected to APT10 visiting a MSS building.

~~~
Thorrez
Which claim are you doubting? Are you doubting that APT10 hacked Huntington
Ingalls, or are you doubting that APT10 is state sponsored?

~~~
boomboomsubban
The latter.

~~~
Thorrez
There's a fair amount of evidence that APT10 is sponsored by China here[1].
It's not 100% proof, but what are the alternatives, and what chances do they
have? The alternative possibilities seem slim to me.

The US government accused them of working for China[2]. Of course not
everything the US government says is true, but it seems likely to me this is
true and they have some non-public evidence to back it up.

[1] [https://www.crowdstrike.com/blog/two-birds-one-stone-panda/](https://www.crowdstrike.com/blog/two-birds-one-stone-panda/)

[2] [https://www.justice.gov/opa/press-release/file/1121706/download](https://www.justice.gov/opa/press-release/file/1121706/download)

~~~
boomboomsubban
>There's a fair amount of evidence that APT10 is sponsored by China here

All I'm seeing is the Uber receipt, which even they say they can't verify.

>It's not 100% proof, but what are the alternatives, and what chances do they
have?

The alternative is that they are black hat hackers, which is very likely.

>Of course not everything the US government says is true, but it seems likely
to me this is true and they have some non-public evidence to back it up.

The default position should be skepticism, and any evidence should be made
public before a "hard line" is taken on China.

~~~
Thorrez
>All I'm seeing is the Uber receipt, which even they say they can't verify.

There's other stuff there. For example Gao was recruiting for Laoying Baichen
Instruments which shares an address with CNITSEC (which is run by MSS).
CNITSEC has in the past been confirmed to work with APT3.

>The alternative is that they are black hat hackers, which is very likely.

Are there a lot of advanced Chinese black hat hackers that don't work with the
Chinese government? Because it seems like there are a lot of advanced Chinese
hackers that work for the government. For example APT3 and APT1. Also the
APT10 stuff appears to have happened during Chinese working hours, which is
indicative of government work[1].

[1] [https://intrusiontruth.wordpress.com/2018/08/09/was-apt10-the-work-of-individuals-a-company-or-the-state/](https://intrusiontruth.wordpress.com/2018/08/09/was-apt10-the-work-of-individuals-a-company-or-the-state/)

~~~
boomboomsubban
>There's other stuff there. For example Gao was recruiting for Laoying Baichen
Instruments which shares an address with CNITSEC

They can't verify that was Gao, that the poster represented that company, or
show that they occupied the office building with the other company.

>Are there a lot of advanced Chinese black hat hackers that don't work with
the Chinese government? Because it seems like there are a lot of advanced
Chinese hackers that work for the government

Any hack reported by the western media immediately gets linked to the
government, no matter how thin the evidence is. Chinese people can be smart
and motivated by greed too, and they have a ton of people.

If you personally think China is behind this based on the released evidence,
that's fine. Using it as justification for attacks on the Chinese requires
more proof to even be considered.

~~~
Thorrez
>Any hack reported by the western media immediately gets linked to the
government, no matter how thin the evidence is.

The October hack of Facebook[1] didn't seem to be blamed on any government by
the media. It seems to me like a fairly sophisticated attack that could have
been done by a government.

And the western media blames some hacks on the US government and its allies as
well[2][3].

> Chinese people can be smart and motivated by greed too

How do they plan to make money by hacking NASA and the US military's
shipbuilder? They're not installing ransomware asking for bitcoin payment. If
they want to hack for money, I would think they would target credit cards, or
banks, or better yet: cryptocurrency exchanges. Or maybe popular websites
whose databases they can use for credential stuffing. One way to make money by
hacking NASA is to be paid by the Chinese government.

[1] [https://www.nytimes.com/2018/10/12/technology/facebook-hack-investigation.html](https://www.nytimes.com/2018/10/12/technology/facebook-hack-investigation.html)

[2] [https://www.reuters.com/article/us-usa-cyber-yandex-exclusive/exclusive-western-intelligence-hacked-russias-google-yandex-to-spy-on-accounts-sources-idUSKCN1TS2SX](https://www.reuters.com/article/us-usa-cyber-yandex-exclusive/exclusive-western-intelligence-hacked-russias-google-yandex-to-spy-on-accounts-sources-idUSKCN1TS2SX)

[3] [https://www.nytimes.com/2010/09/30/world/middleeast/30worm.html](https://www.nytimes.com/2010/09/30/world/middleeast/30worm.html)

~~~
boomboomsubban
>The October hack of Facebook[1] didn't seem to be blamed on any government by
the media. It seems to me like a fairly sophisticated attack that could have
been done by a government.

Sorry, I should have said "any hack originating in China." Poor wording on my
part.

>How do they plan to make money by hacking NASA and the US military's
shipbuilder?

Their methods were to gain access to a machine, and then try to use that
access to jump to client servers. There's nothing saying NASA or government
contractors were specifically targeted, but they seem like excellent jump targets
if an opportunity arose.

