Cyber Incident Victim: Sabre Corporation
Date:
Jan 2010
Location:
United States of America
Summary
Chinese state-sponsored hackers tracked as APT10 compromised the cloud infrastructure of multiple technology service providers and used the providers' trusted access to reach corporate and government clients worldwide. Over several years the attackers exfiltrated sensitive data to advance Chinese economic interests, persisting despite countermeasures and diplomatic agreements. Victim organizations struggled to assess the impact of the breaches because the service providers withheld critical incident details over liability and reputational concerns, hindering coordinated defense. The campaign exposed systemic risks in outsourced cloud environments and gaps in threat intelligence sharing against sophisticated state-level intrusions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
Between 2014 and 2017, suspected Chinese state-sponsored hackers linked to the Ministry of State Security conducted a prolonged cyber espionage campaign known as Cloud Hopper, targeting at least eight major technology service providers and their clients. The attackers, identified as APT10, infiltrated cloud computing services operated by companies including Hewlett Packard Enterprise (HPE) and used their foothold in the providers' networks to gain unauthorized access to customer systems. Swedish telecommunications firm Ericsson experienced five separate breaches during this period; one intrusion, in September 2016, was traced directly to compromised HPE infrastructure that served as the attack vector. Ericsson's security teams documented these incidents under codenamed response operations such as "Pinot Noir," reflecting the persistent nature of the threat. The campaign continued despite a 2015 bilateral agreement between the U.S. and China prohibiting economic cyber espionage, with the hackers exfiltrating sensitive corporate and government data to advance Chinese economic interests. Investigators determined that the attackers exploited a structural weakness of outsourced cloud services: a third-party vendor that manages clients' remote computing and data storage holds privileged access to all of them, so a single compromised provider becomes an entry point into every customer it serves. Multiple technology firms including NTT Data, Dimension Data, Tata Consultancy Services, Fujitsu, and IBM were also compromised, though several of these companies stated they found no evidence of sensitive data theft.

The attacks caused widespread but poorly quantified damage, as many victims remained unaware of the breaches or could not determine the full scope of the stolen information. Service providers frequently withheld critical incident details from affected clients out of concern for legal liability and reputational harm, hampering coordinated defense efforts. This opacity undermined Western institutions' capacity to share threat intelligence effectively against sophisticated intrusions. HPE said it was working diligently to mitigate the attacks and protect customer data, while IBM maintained that its systems showed no compromise of sensitive corporate information. Chinese authorities consistently denied involvement, with the Foreign Ministry rejecting the allegations as "slanderous" and asserting its opposition to all forms of cyber-enabled industrial espionage. U.S. prosecutors later formally attributed the campaign to Chinese state actors, citing the systematic theft of intellectual property and government secrets. The incident exposed persistent security challenges in cloud computing ecosystems and highlighted the limits of public-private collaboration during multinational cyber investigations. Many organizations potentially affected by Cloud Hopper may still lack definitive knowledge of whether they were compromised, years after the attacks.
