Hey China, while you're in all our servers, can you fix these support tickets? IBM, HPE, Tata CS, Fujitsu, NTT and their customers pwned Fresh details have emerged revealing just how deeply Chinese government hackers plundered HPE, IBM, DXC, Fujitsu, Tata, and others, stealing corporate secrets and rifling through their customers' networks. An explosive in-depth report by Reuters today blows the lid off APT10, the infamous Beijing-backed hacking operation that …
What I am saying is I don't trust what the Chinese government is saying about this.
I don't trust what any government is saying about this.
I trust what the media say about it a bit more, but not a lot more: media can be fed information by governments, sometimes they might not be aware that what they are being told is not true or exaggerated.
All countries have laws that compel its citizens to do what they are told to do and then keep quiet about it. This is both for the 'good' and 'bad' countries. I'll let the reader decide which countries are 'good' or 'bad'.
> All countries have laws that compel its citizens to do what they are told to do and then keep quiet about it. This is both for the 'good' and 'bad' countries. I'll let the reader decide which countries are 'good' or 'bad'.
There are no "good people" or "bad people"
It's all "Bad people" - they just happen to work on different sides.
There are no "good" countries left. I could literally not name a single country I would be happy to move to given the chance; there used to be a few not-so-bad ones but in time they all revealed sharp teeth one way or another - mostly against their own citizens. Sanity has left the building - all the buildings - long ago...
In reality they don't actually need to steal anything.
HPE: just ask and some junior administration flunky is bound to hand over their most prized and secretive code. After all they don't seem to understand what due diligence means.
TCS: If they refuse to hand over the code just check any TCS-managed S3 bucket - it is bound to be on there somewhere. Probably open to world+dog and complete with access codes and passwords in a nicely laid out spreadsheet.
Fujitsu: The world's #1 security specialist at apparently storing your PIN codes in plain text, according to Visa. If Visa is to be believed then there is a network security insider prepared to sell access.
Oh dear. And you still believe Santa lives at the North Pole? The US is #1 spier, the NSA caught again spying all over. No evidence even of Chinese attacks, since Reuters is a waffle service, no company will explain the attacks. Why the current drama? G20 in Japan next month, when the Clown needs some accusations to chuck at Xi.
"Human rights"... hmmmmm. What exactly are those?
"That which has no existence cannot be destroyed — that which cannot be destroyed cannot require anything to preserve it from destruction. Natural rights is simple nonsense: natural and imprescriptible rights, rhetorical nonsense — nonsense upon stilts. But this rhetorical nonsense ends in the old strain of mischievous nonsense for immediately a list of these pretended natural rights is given, and those are so expressed as to present to view legal rights. And of these rights, whatever they are, there is not, it seems, any one of which any government can, upon any occasion whatever, abrogate the smallest particle".
- Jeremy Bentham (“Anarchical Fallacies”, 1843)
Incidentally, since you think the USA gives its people so many more "human rights" than China - did you know that 90% of Chinese people own their homes, compared to 64.5% of Americans? (As of 2014 - https://en.wikipedia.org/wiki/List_of_countries_by_home_ownership_rate)
Personally I'd rather have a house than a list of theoretical "human rights".
Personally, I'd rather have my kidneys than a house, but you pays your money and takes your choice I guess.
https://www.independent.co.uk/news/world/asia/china-organ-harvesting-prisoners-falun-gong-deaths-tribunal-a8962661.html
Except of course in China you don't get a choice.
And if you believe in a flying spaghetti monster, you get to attend a concentration camp, so your housing is FREE! Yay!
"Jeremy Bentham (“Anarchical Fallacies”, 1843)"
The concept of human rights is somewhat different today than it was in the mid-19th century.
Back then it was still cool to own brown people and and commit genocide in your overseas colonies.
Save the Bentham quotes for Students Union quiz night...
"The concept of human rights is somewhat different today than it was in the mid-19th century".
But not for the better.
"Back then it was still cool to own brown people..."
In the USA. Slavery was abolished in Britain in 1833, and the slave trade had been illegal since 1807.
https://en.wikipedia.org/wiki/Slavery_Abolition_Act_1833
”But not for the better.”
Oh please do explain to me how you think human rights haven’t changed for the better since the 19th century.
”Slavery was abolished in Britain in 1833...”
Slavery wasn’t finally abolished in Britain until 1838. Slavery wasn’t abolished in East India Company territory, Ceylon and St Helena until the Indian Slavery Act 1843. That’s close enough to “mid-19th century” for me.
Tedious pedants who quote Bentham may possibly view “mid-19th century” as everything between 1849 and 1851...
Slavery wasn’t finally abolished in Britain until 1838. Slavery wasn’t abolished in East India Company territory, Ceylon and St Helena until the Indian Slavery Act 1843. That’s close enough to “mid-19th century” for me.
For that matter, Bentham gave no indication that his theory of natural rights applied only to Britain and the Colonies. He was speaking in generalities, so generalities about the state of the world at the time apply.
Regardless of whether and in what form human rights exist, for me the relevant part of that Bentham quote is at the end: "And of these rights, whatever they are, there is not, it seems, any one of which any government can, upon any occasion whatever, abrogate the smallest particle." This is entirely true, and Bentham's critique of government here is devastating. Since the middle of the 20th century, some of us have been lucky enough to have an overarching structure to enforce human rights that is independent of government (the European Court of Human Rights), yet the spiritual descendants of the people Bentham criticised here in the UK really want to get out from underneath that scrutiny so they can "continue to abrogate the smallest particle upon any occasion whatever."
The article says nothing about the alleged victims having Huawei equipment in their networks. Do you have such info? Please share (if you are not under NDA, of course).
If this case isn't another bloomberg, it is another reminder to all concerned not to put anything of any value in the cloud.
They don't call themselves APT10 - it's a designation used by those who investigate them - and you should now what APT means.
Anyway the took advantage of outsourcing to get into customers' networks. "Cloud" is not only AWS or Azure - and I'm just waiting they discover they've been p0wned too.
They specialise in the cloud though.
Securing clouds is HARD and there are groups that take advantage of that. Some of those groups are state backed, some are - essentially - private enterprise.
In the early days of 'the cloud' I remember seeing a great example of lateral thinking for a 'hack'
The provider was pretty good with the security on the live servers.
If you hired a box in the same data centre as your target though, and then purchased backup services you could, given the right skills, follow that route to a backup box shared with your target...
The security on that box was not as good as live.
"They also call themselves APT 10. Does that mean they live in Apartment #10, or that they have something to do with apartments?"
Actually, unless they've taken it up as an ironic badge of honor, THEY probably don't call themselves that. APT 10 is, I believe, U.S. gov-speak for Advanced Persistent Threat (Number) 10.
So, your snark could be considered misplaced.
> So, your snark could be considered misplaced.
For your convenience, and for all the other commentards' convenience, who did not bother reading the entire Reuters article, I posted a relevant quote from the Reuters article a few posts below.
So, no, my snark was not misplaced. Unlike most of you, I actually read - not skimmed through the first two paragraphs - the Reuters article from top to bottom.
And no, the story in the article has nothing to do with HPE's cloud, or any kind of cloud. According to Reuters, the attack by China's Intelligence Services took place before HPE even existed, and before cloud was even a thing, and it lasted for years.
@ST: have you actually read the article? I mean, the original Reuters article? Have you even clicked on the link?
It should be enough to start reading the 3rd paragraph that says:
Teams of hackers connected to the Chinese Ministry of State Security had penetrated HPE’s cloud computing service and used it as a launchpad to attack customers...
to realize that it is about cloud.
Later in the Reuters piece:
The [Cloud Hopper - TFMR] campaign also highlights the security vulnerabilities inherent in cloud computing, an increasingly popular practice in which companies contract with outside vendors for remote computer services and data storage.
“For those that thought the cloud was a panacea, I would say you haven’t been paying attention,” said Mike Rogers, former director of the U.S. National Security Agency.
> @ST: have you actually read the article?
Yes, I read the article.
I am not sure where the lack of understanding lies here. Maybe it's because discussing Chinese spying activities against Western targets is a really uncomfortable topic for some people here, and deflecting the entire conversation onto ancillary topics removes some of that discomfort.
What is relevant in this story is that the Chinese were able to penetrate networks, stay in there undetected for months, and pilfer data. That's the relevant part.
Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. [ ... ] For years, the company’s predecessor, technology giant Hewlett Packard, didn’t even know it had been hacked. It first found malicious code stored on a company server in 2012. The company called in outside experts, who found infections dating to at least January 2010.
Hacking the cloud might sound like a catchy phrase, and it might be marginally effective at deflecting away from the core of the story, but it's not an accurate - or relevant - representation of what happened. HPE didn't even exist in 2010, and HP didn't even offer cloud services back in 2010.
It is therefore inaccurate to claim that the attack vector was HPE's cloud. What is clear from the article is that HP did not even know its networks had been penetrated by the Chinese, and that they stayed ignorant of this attack for many years after it started.
I have to agree with ST here, at least to the extent that focusing on cloud is short-sighted. There were multiple attack vectors over a large attack surface. Various types of "cloud" systems (a poorly defined concept in the first place) were part of that surface, but by no means all of it.
The story is about a large and successful penetration + exfiltration campaign by APT10. Using it as an occasion to gripe about "cloud" is like saying "well, the thieves broke into some of the houses through the living-room windows, so we should ban living-room windows".
And so many people have said how bad Trump is for not trusting Huawei in telecoms networks. This is precisely why. No matter what you think of him he is right on this.
Absolute bollocks. Trump said he'd lift sanctions on Huawei if he could get a more favourable tariff deal:
TRUMP: Huawei is something that’s very dangerous. You look at what they’ve done from a security standpoint, from a military standpoint, it’s very dangerous. So it’s possible that Huawei even would be included in some kind of a trade deal. If we made a deal, I could imagine Huawei being possibly included in some form, some part of a trade deal.
He's also presurring other countries to boycott them.
It's nothing to do with security, He's using them as a bargaining chip. Nothing else.
> I'd love to know why you thumbed me down [ ... ]
I thumbed you down, for the following reasons:
1. You quoted Trump. That's a loser.
2. You actually paid attention to what Trump said. That's an even bigger loser. The guy's a moron.
3. You declare by fiat the Reuters article to be "absolute bollocks" while you have exactly zero knowledge of the article's sourcing and fact-checking. Reuters isn't known for being a Trumpist outfit.
4. Just because the article contradicts your own biases, it does not necessarily follow that the article is wrong. Believing that everything that contradicts your biases is inherently wrong is a common sense fallacy.
5. Not everyone who is suspicious of Huawei and their activities on behalf of the Chinese Intelligence Services is a Trump supporter.
6. Trump derangement syndrome is a term used exclusively by Trumpkins when they play their victim card. No-one else uses it.
Sorry you shot yourself in the foot. Try harder next time.
"stealing corporate secrets and rifling through their customers' networks". How is this different than using armies of nearly competent 3rd party resources for key support/stewardship of your IT?
You gave your data away when you made those economical decisions. Hope your "solution partner" SLA covers all your damage...
Is it really vastly skilled hax0rs targeting things, or do the service providers _need_ it to be a very advanced attack to avoid liability.
"But don't many of those companies sell their own cyber (euughh) defence services?"
Sure, but they are selling you defences against a guy in his bedroom. Protecting yourself against the Chinese state is a whole different matter, and eventually hopeless. A guns and ammo shop in the States can get you tooled up to prevent a house invasion (not really) but if the assailants are a foreign army you are still in trouble.
You keep your crown jewels off the network, and check everyone going in and coming out of the room. Only way to be sure.
As far as I can see, the evidence for these exploits having anything to do with China is paper-thin. About as trustworthy, in fact, as the UK government's assigning blame for the Skripal affair to Russia.
In his previous 2017 article, the usually reliable John Leyden wrote:
'PwC UK and BAE Systems rate it "highly likely" that APT10 is a China-based threat actor. The group has been active since 2009, and has already been profiled by other security researchers at FireEye and CrowdStrike among others'.
"Highly likely", eh? In Mr Leyden's defence, he wrote those words before the Skripal affair brought the expression into extreme disrepute. Since March 2018 we all understand that "highly likely", when used by government authorities, means "untrue".
And just look at the highly-qualified IT forensics experts cited. PwC (a bunch of crooked beancounters), BAE Systems (a crooked armaments manufacturer), FireEye (a US "security" firm that frequently blames any and all exploits on Russia or China), and... wait for it... CrowdStrike! Now why is that name familiar??
"The Democratic National Committee cyber attacks took place in 2015 and 2016, in which computer hackers infiltrated the Democratic National Committee (DNC) computer network, leading to a data breach. Some cybersecurity experts, as well as the U.S. government, stated that the cyberespionage was the work of Russian intelligence agencies.
"Forensic evidence analyzed by several cybersecurity firms, CrowdStrike, Fidelis, and Mandiant (or FireEye), strongly indicates that two Russian intelligence agencies infiltrated the DNC computer systems. The American cybersecurity firm CrowdStrike, which removed the hacking programs, revealed a history of encounters with both groups and had already named them, calling one of them Cozy Bear and the other Fancy Bear, names which are used in the media".
https://en.wikipedia.org/wiki/Democratic_National_Committee_cyber_attacks
Some advice: Take your downvotes and move on with your life. Otherwise you just sound like a whiny pain in the arse..
APT10 is just the name used by FireEye/Mandiant to distinguish them from other hacking teams. Don’t get hung up on it. Other names are used also - MSS, Potassium, Stone Panda, etc. Your opinion as to the crookedness of security companies is neither here nor there.
This post has been deleted by its author
It has been going on for years and was common knowledge.
Execs pretended it never happened because it might affect their bonuses.
It probably practice for the PLA crackers since the information could just be asked for with a reasonable chance the victims would cough up because if denied your factory workers would go on strike or the factory would burn down or you would be banned from selling on mainland China.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
