Cyber Incident Victim: NTT Data
Date: Jan 2010
Location: China
Summary
A suspected Chinese state-sponsored hacking group, APT10, conducted a multi-year cyber espionage campaign targeting major technology service providers, including NTT Data, by compromising their cloud computing infrastructures to gain unauthorized access to client networks. The attackers exploited cloud service vulnerabilities to steal sensitive corporate and government data, aiming to advance Chinese economic interests, while victim organizations faced challenges in detecting and responding due to service providers withholding critical breach information over liability and reputational concerns. Persistent intrusions continued despite countermeasures and international agreements, highlighting systemic risks in third-party cloud dependencies and gaps in coordinated threat response.
Description
The 'Cloud Hopper' cyber espionage campaign, attributed to Chinese state-sponsored hackers (APT10) affiliated with the Ministry of State Security, targeted at least eight major technology service providers between 2014 and 2017, including NTT Data, Hewlett Packard Enterprise (HPE), IBM, Fujitsu, Dimension Data, and Tata Consultancy Services. Attackers compromised these IT service providers' cloud infrastructure to gain persistent access to their clients' networks, enabling the theft of corporate intellectual property and government secrets over multiple years. The intrusions exploited vulnerabilities inherent in cloud computing outsourcing models, where third-party vendors managed clients' data storage and remote computing services. APT10 operators used these compromised service providers as launchpads to infiltrate customer networks across multiple sectors, with Swedish telecom giant Ericsson confirming five separate breaches between 2014 and 2017 linked to its HPE connection.

Security teams at victim organizations like Ericsson documented repeated intrusion attempts, naming response operations such as 'Pinot Noir' after detecting renewed attacks through HPE's systems in September 2016. Despite awareness of the threat, service providers often withheld breach details from affected clients due to legal liability concerns and reputational risks, hindering coordinated defense efforts. U.S. prosecutors asserted the campaign aimed to advance Chinese economic interests through systematic intellectual property theft, continuing even after the 2015 U.S.-China agreement prohibiting economic cyber espionage. NTT Data and other providers declined public comment on their involvement, with IBM stating it found no evidence of sensitive data compromise. The full scope of stolen information remained undetermined, as many victims lacked clarity on exfiltrated data. The incident exposed systemic challenges in cloud supply chain security and cross-institutional threat intelligence sharing during sustained state-sponsored attacks.
