In 2016 a hacking group known as Advanced Persistent Threat (APT) 10 was believed to have stolen information from the customers of 14 cloud service providers it had compromised. The Wall Street Journal reported Monday that the so-called Cloud Hopper attacks were far more effective than previously thought, however, and could have affected "hundreds of firms that had relationships with breached cloud providers."
The Cloud Hopper attacks were deceptively simple: APT 10 was believed to have used targeted (spear) phishing, which tricks people into handing over credentials or other information that can later be used to access otherwise protected systems, to compromise cloud service providers. Because a managed service provider typically holds privileged credentials into its customers' networks, a single successful phish at the provider can open a path into many downstream organizations. The WSJ said its investigation revealed that at least 14 such providers, including Hewlett Packard Enterprise (HPE) and IBM, were affected by the attacks.
The report claimed that several of the affected cloud service providers were less than cooperative with government investigations into the Cloud Hopper attacks, a claim the companies denied. They are also said to have downplayed their customers' exposure, and according to the WSJ it is not clear whether APT 10 was ever fully evicted from the affected cloud networks. That matters: an intruder holding stolen administrative credentials is not removed by cleaning a single host, and until those credentials are rotated across the affected estate, customers have to assume their exposure continues.
Compromising those networks gave APT 10 access to all kinds of sensitive information. Examples from the report include the theft of "detailed personnel records of more than 100,000 people from the U.S. Navy," "sensitive medical research for electronics and health-care giant Philips NV" and other data that could allow APT 10 to significantly impact companies and countries around the world.
APT 10 was previously connected to China; U.S. prosecutors charged two Chinese nationals in connection with the campaign in December 2018. That connection, among others, could stoke fears that China might use the stolen information to undercut foreign companies' intellectual property or to target other governments. The lack of clarity surrounding how, or whether, the Cloud Hopper intrusions were ever resolved makes those fears worse.
The Wall Street Journal's report draws attention to a truism about massive hacks, data breaches and other cybersecurity incidents: they are often worse than first reported. Just look at high-profile attacks like Cloud Hopper and breaches like the one that affected Equifax. Or consider more recent leaks, like the ones affecting Wyze, which quickly went from having no evidence of any leak to confirming at least two.
Those incidents were fairly different. Equifax is a credit reporting agency, Wyze is an Internet of Things product maker, and the companies targeted during the Cloud Hopper attacks were cloud service providers. Some of the incidents were intrusions; others were simply exposures of data. The numbers of affected people and products varied. But all of the incidents ended up being worse than anyone originally anticipated.