Date: Dec 2018

Location: United States of America

Summary

Chinese state-linked hackers conducted the "Cloud Hopper" campaign by breaching the cloud infrastructures of multiple major technology service providers, including IBM, to steal corporate and government secrets for economic espionage. The attackers exploited weaknesses in cloud service arrangements to compromise client networks, extracting sensitive data over several years despite security countermeasures and international agreements. While IBM stated it had found no evidence that sensitive data was compromised, the broader campaign highlighted systemic risks in cloud outsourcing and failures in threat information sharing between providers and clients, leaving many victims unaware of breaches or data losses.


Description

The 'Cloud Hopper' cyber espionage campaign, attributed to Chinese state-sponsored hackers operating as APT10, targeted at least eight major technology service providers between 2014 and 2017, including IBM. Attackers linked to China's Ministry of State Security breached the cloud computing infrastructure of information technology service providers, using these compromised networks as launchpads to infiltrate client organizations across multiple sectors. The campaign exploited weaknesses inherent in outsourced cloud services, where third-party vendors managed data storage and remote computing for corporate and government clients. IBM was among the affected providers, though the company's internal investigations found no conclusive evidence that sensitive corporate data had been compromised. Security researchers and Western government officials identified the attackers' pattern of leveraging legitimate vendor-client relationships to bypass perimeter defenses, enabling sustained access to victim networks for intellectual property theft. The attacks persisted despite a 2015 U.S.-China agreement prohibiting economic cyber espionage, with Ericsson documenting five separate breaches between 2014 and 2017 that required dedicated incident response operations.


The prolonged campaign revealed systemic challenges in cloud security coordination, as service providers like HPE and IBM initially withheld breach details from affected clients due to liability concerns and reputational risks. This information gap delayed containment efforts and left many victims unaware of compromises, undermining institutional trust in cloud service models. While IBM maintained standard breach notification protocols, the broader industry response was fragmented, with some providers failing to disclose the full scope of supply chain compromises. U.S. prosecutors later asserted the operation aimed to advance Chinese economic interests through theft of trade secrets and government data. The Chinese government consistently denied involvement, characterizing allegations as "slanderous" and reaffirming opposition to cyber-enabled industrial espionage. Forensic investigations identified data exfiltration from multiple victim organizations, though many could not determine precisely what information was stolen due to the attackers' operational security measures and the complexity of cloud service architectures.
