By Christopher Bing, Jack Stubbs and Joseph Menn
WASHINGTON/LONDON/SAN FRANCISCO (Reuters) – Hackers working on behalf of China’s Ministry of State Security breached the networks of Hewlett Packard Enterprise Co <HPE.N> and IBM <IBM.N>, then used their access to hack into their clients’ computers, according to five sources familiar with the attacks.
The attacks were part of a Chinese campaign known as Cloudhopper, which the United States and Britain on Thursday said infected technology service providers in order to steal secrets from their clients.
Representatives of Hewlett Packard Enterprise (HPE) and IBM said they had no immediate comment.
While cybersecurity firms and government agencies have issued multiple warnings about the Cloudhopper threat since 2017, they have not disclosed the identity of technology companies whose networks were compromised.
Businesses and governments are increasingly looking to technology companies known as managed service providers (MSPs) to remotely manage their information technology operations, including servers, storage, networking and help-desk support.
Cloudhopper targeted MSPs to access client networks and steal corporate secrets from companies around the globe, according to a U.S. federal indictment of two Chinese nationals unsealed on Thursday. Prosecutors did not identify any of the MSPs that were breached.
Reuters was unable to confirm the names of other breached technology firms or identify any affected clients.
The sources, who were not authorized to comment on confidential information gleaned from investigations into the hacks, said that HPE and International Business Machines Corp were not the only prominent technology companies whose networks had been compromised by Cloudhopper.
Cloudhopper, which has been targeting technology services providers for several years, infiltrated the networks of HPE and IBM multiple times in breaches that lasted for weeks and months, according to another of the sources with knowledge of the matter.
IBM investigated an attack as recently as this summer, and HPE conducted a large breach investigation in early 2017, said the source.
The attackers were persistent, making it difficult to ensure that networks were safe, said another source.
IBM has dealt with some infections by installing new hard drives and fresh operating systems on infected computers, said the person familiar with the effort.
One senior intelligence official, who declined to name any victims who were breached, said attacks on MSPs were a significant threat because they essentially turned technology companies into launchpads for hacks on clients.
“By gaining access to an MSP, you can in many cases gain access to any one of their customers,” said the official. “Call it the Walmart approach: If I needed to get 30 different items for my shopping list, I could go to 15 different stores or I could go to the one that has everything.”
Representatives with the FBI and Department of Homeland Security declined to comment. Officials with the U.S. Justice Department and the Chinese embassy in Washington could not immediately be reached for comment.
A British government spokeswoman declined to comment on the identities of companies affected by the Cloudhopper campaign or the impact of those breaches.
“A number of MSPs have been affected, and naming them would have potential commercial consequences for them, putting them at an unfair disadvantage to their competitors,“ she said.
(Reporting by Christopher Bing in Washington, Jack Stubbs in London, Joseph Menn in San Francisco; Editing by Jim Finkle)