
China hacked HPE, IBM and then attacked clients - petethomas
https://www.reuters.com/article/us-china-cyber-hpe-ibm-exclusive-idUSKCN1OJ2OY
======
jsnell
> A British government spokeswoman declined to comment on the identities of
> companies affected by the Cloudhopper campaign or the impact of those
> breaches.

> “A number of MSPs have been affected, and naming them would have potential
> commercial consequences for them, putting them at an unfair disadvantage to
> their competitors,” she said.

Wait, what? These companies got repeatedly hacked, were apparently not able to
re-secure the network, allowed themselves to be used as a springboard for
further attacks to their customers, and then covered it up. And letting this
be known would be an "unfair disadvantage"?

~~~
coliveira
So the plan is to hide and not to disclose the problematic companies, and then
blame everything on China... Absurd.

~~~
odiroot
China is the new Boogeyman of the 2010s.

~~~
sonnyblarney
China is a state sponsor of hacking and industrial espionage and they're also
incarcerating quite a number of people based on their ethnicity, and
harvesting their organs when they die in incarceration. Among other things.

Call it what you want but, even with a lot of grey in between, these things
are real and material.

That said, I suggest the number of stories appearing in the press as of late
might be part of a steady leak of information from US authorities as part of
their strategy to put pressure on China during trade negotiations.

~~~
Scaevolus
Organs aren't very useful when people die outside of a hospital. They're
harvested from brain dead patients or those that have _just_ undergone cardiac
death.

edit: I was responding to "harvesting their organs when they die in
incarceration" -- this sounds like it's a natural death.

~~~
drhodes
[https://www.amnestyusa.org/execution-vans-organ-harvesting-b...](https://www.amnestyusa.org/execution-vans-organ-harvesting-business-as-usual-in-china/)

> For many years, it has been known that China uses execution vans, kind of
> like specially outfitted ambulances, to more efficiently carry out its
> exceedingly large number of executions. The method of killing in these vans
> is lethal injection, which has been slowly but surely replacing the firing
> squad as China’s preferred means of execution, and both lethal injection and
> the vans are believed to facilitate the widespread practice of harvesting
> organs of the executed prisoners, an unbelievably appalling practice.

~~~
blacksmith_tb
Not that I doubt it's happening, but I'd have thought that lethal injection
would poison the recipients of the stolen organs?

~~~
kortilla
No, they don’t inject you with cyanide or something that kills the organs.

------
roadkillon101
This is an example of the "tail wagging the dog". Whether a "State Sponsored"
organization hacked IBM or someone in their mother's garage, IBM and other
companies ARE responsible for keeping their customers' data safe. While it's
true a state sponsored entity would have more resources than a kid in a
basement, IBM has the resources to pay for full time IT security professionals
and for the amount of money they charge for their products and services, they
should have more than enough resources to pay for decent 3rd party Security
products and services. They KNOW they have a target on their back, it's their
responsibility.

~~~
viraptor
> While it's true a state sponsored entity would have more resources than a
> kid in a basement

In this case, according to the indictment, it was a few spearphishing emails
with .docs attached, followed by keylogger and other malware installation. The
companies should be held responsible for being silly in this case.

~~~
ggggtez
It's a bit silly, sure, but just because they got breached in this phishing
attack, doesn't mean they didn't resist other attacks successfully.

Personally, yeah companies need to be held to a higher standard against
hackers, but if we're going to be realistic, we only expect they could do it
because it's IBM and they have a lot of money. What about all the other
companies? Rhetorically, what are we going to do about this issue? There's
been decades of fairly basic confidence schemes and "hacks" and all the
corporate training in the world isn't making a dent in people trusting
strangers and running malicious files.

~~~
viraptor
I have some strong views here. 1. These are cons more than hacks as you wrote.
I believe the protection doesn't exist only because there's no real risk. What
would happen if some employee got conned to send out company money? Why isn't
the same response applied to obtained information? 2. Principle of least
privilege + monitoring. Those companies should know almost immediately about
the break-ins. Even if the training fails, there are mechanisms to stop this.

I'm starting to believe that at some point we should start fining people for
lack of protection.

------
based2
[https://www.justice.gov/opa/pr/two-chinese-hackers-associate...](https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion)

[https://www.us-cert.gov/ncas/alerts/TA18-276B](https://www.us-cert.gov/ncas/alerts/TA18-276B)

~~~
jammygit
Thanks for the links.

"FOR IMMEDIATE RELEASE Thursday, December 20, 2018

Two Chinese Hackers Associated With the Ministry of State Security Charged
with Global Computer Intrusion Campaigns Targeting Intellectual Property and
Confidential Business Information

(...)"

------
echevil
> International Business Machines Corp said it had no evidence that sensitive
> corporate data had been compromised. Hewlett Packard Enterprise (HPE) said
> it could not comment on the Cloudhopper campaign.

> Both IBM and HPE declined to comment on the specific claims made by the
> sources.

> DXC Technology declined to comment, saying in a statement that it does not
> comment on reports about specific cyber events and hacking groups.

> Reuters was unable to confirm the names of other breached technology firms
> or identify any affected clients.

I wonder why the title of the article sounds so certain while it seems none of
the claims are confirmed.

~~~
xster
Because there are no consequences of journalistic malpractice and no one will
read retractions or revisions so the parent conglomerates can shape public
opinion any way it wants.

------
pollymolly
It is really strange to see that, when a US company or one government
department does something, we call it by its name or its branch, but when a
Chinese company or a department does something that affects copyright or
anything wrong (there's no excuse for that, I know), we summarise it as
"China". I am working in a Chinese company right now; this mentality really
affects some good Chinese companies out there trying to do some fair business.

~~~
tk75x
That's because the Chinese government has its thumbs in every pie in their
country. If the government wanted, they could easily compel your company to do
its bidding.

~~~
friedman23
Exactly, the seemingly good independent Chinese companies are simply the ones
that haven't caught the attention of the thousand eyed spider. The company is
in the web regardless.

~~~
pollymolly
Is there a way to prove your counterpart argument? Logically, it's much
easier to prove your arguments than mine even if the truth favours mine.

~~~
friedman23
The only way the US has influence over business is via the judicial system. If
a business takes issue with the outcome of the court cases they can even take
the extreme step of shutting their business down as was done with Lavabit.

The Chinese government has routinely stooped to using coercion such as
blackmail and kidnapping of family members to control its citizens. It's
really not comparable.

------
not_real_acct
One afternoon I was doing some consulting work at one of HP's oldest offices.
I needed to print something, so I had the printer produce a configuration
page, so I could get the IP address.

Lo and behold, _it was a public IP._

As in, this old-ass printer, sitting at an HP office, was sitting on the
Internet. And it was connected to the office network.

Really blew my mind.

The office was very old, and there were things laying around the hallways that
seemed to have been untouched for 20 or even 40 years. So I'm guessing that
workhorse of a printer had been chugging away for decades, and was configured
long before anyone had thought about information security.

Also, if this sounds too crazy to be possible, you can test this for yourself.
If you do a Google search on the welcome page of an HP printer, you will find
hundreds with public IP addresses.

~~~
viraptor
> it was a public IP.

IP exposed to the internet, or an IP from the public range?

HP has 2 /8s. Lots of things got public IPs in there since they can hand them
out like candy. It doesn't mean though that they're available from the
internet.

~~~
freehunter
Yeah, I've worked with plenty of companies who have a whole public range and
use it internally, but the external firewall still stops them from being
publicly routed. Simply having a public IP doesn't mean it's actually public.

------
krautt
They are persistent. I see attacks from them on my company in the thousands
every day. Some IP ranges have continued to hit us dozens of times after
prolonged blocking.

------
verdverm
While I was at IBM, I deployed an sshkey to the internal Bluemix staging
environment, called "Dr Worm" (it's my title :) About 3 months later they
froze my account and called my manager, freaking out. Apparently it was not
allowed.

We were like, wait, if it's not allowed, then why was I able to? And why did
it take 3 months?! They backed down and we laughed over beers.

I'd be surprised if IBM even has the visibility into the situation... because
that's just one of the war stories.

------
walrus01
Meanwhile, the CFO of Huawei is reported to have _seven passports_.

[https://www.bbc.com/news/world-asia-46507974](https://www.bbc.com/news/world-asia-46507974)

~~~
fbarriga
Fun fact: according to this article in Wikipedia you can have up to 10 valid
German passports.

[https://en.m.wikipedia.org/wiki/German_passport](https://en.m.wikipedia.org/wiki/German_passport)

------
justaman
When does this become an act of war?

~~~
x0rx0r
When human lives are threatened.

~~~
beginningguava
The vast majority of the fentanyl that's killing 70,000+ people a year in the
US is manufactured in China. The Chinese government has done next to nothing
to prevent this.

~~~
mikro2nd
The manufacture of Fentanyl has been illegal in China since 1 March 2017.

How effectively and stringently that ban is enforced might be open to
question, but to say that the Chinese government has done "next to nothing" is
hyperbolic.

~~~
beginningguava
They get around it by making precursors and then sending them to Mexico for the
cartels to finish and then traffic into the US. It's a loophole China allows
to stay open.

[https://www.sandiegouniontribune.com/news/public-safety/sd-m...](https://www.sandiegouniontribune.com/news/public-safety/sd-me-fentanyl-pipeline-20180617-story.html)

------
systematical
I wonder if we are doing the same thing to China and it just doesn't get as
much press here or China doesn't disclose it. From a layman view, things seem
very one-sided.

------
AndyMcConachie
Sure would be nice if there was some evidence.

------
lorenzorhoades
When someone says 'china' hacked these companies, what does that even mean?
The chinese version of the NSA, or FBI hacked these companies? Can anyone shed
some light on this?

------
zwaps
As long as there are no consequences, this will continue.

1. Hacked firms should be investigated for negligence. If opening a doc file
can bonk the entire system, somewhere best practices were not followed.

2. The judicative should viciously go after the largest hostile actor,
including state actors, they can get a hold of.

3. And lastly, politics should go after China. Every week there is a new
story how China stole IP, hacked something or showed hostile behavior. Compared
with their rhetoric and genocidal tendencies, it should become clear to every
state that China is not an ally to anyone but the CCP, and no Chinese firm is
at the end not owned by the CCP. The harshest consequences that are reasonable
are appropriate at this point, or China's behavior will just get worse.
Appeasement does not work anymore.

------
shard972
I thought HPE was a majority owned Chinese company?

------
simonsays2
That which can be asserted without evidence, can be dismissed without
evidence.

~~~
burtonator
Read the indictment:

[https://www.justice.gov/opa/press-release/file/1121706/downl...](https://www.justice.gov/opa/press-release/file/1121706/download)

... this still has to go in front of a judge of course but it's not like
they're claiming there's no evidence.

------
mensetmanusman
Can’t blame them. Wall St. and their financed politicians cashed out
technology leadership for short term gain.

