Cyber Incident Victim: Ericsson
Date: Jan 2010
Location: China
Summary
A Swedish telecoms equipment giant was repeatedly targeted by suspected Chinese state-sponsored hackers over multiple years, compromising its systems through a breached IT service provider's cloud platform. The attackers, linked to China's Ministry of State Security and identified as APT10, exploited cloud service vulnerabilities to steal corporate and government secrets, persisting despite security countermeasures and international agreements against economic espionage. The incident exposed systemic challenges as service providers withheld critical breach details from affected clients, hampering response efforts and leaving many victims unaware of compromises. This campaign underscored inherent security risks in outsourced cloud computing models while demonstrating advanced threat actors' ability to maintain prolonged access for intellectual property theft.
Description
Between 2014 and 2017, Swedish telecommunications company Ericsson suffered five separate cyber intrusions linked to suspected Chinese state-sponsored actors. The attacks formed part of a broader campaign known as 'Cloud Hopper,' which targeted multiple technology service providers and their clients. Attackers affiliated with the Chinese Ministry of State Security, including the group identified as APT10, compromised Hewlett Packard Enterprise's (HPE) cloud computing infrastructure and used this access to infiltrate Ericsson's systems. Security teams at Ericsson detected the renewed breach in September 2016, designating their response effort 'Pinot Noir'—continuing a practice of naming incident responses after wines following a prior attack wave in 2015.

The attackers exfiltrated corporate and government secrets over multiple years, though the full scope of stolen data remained unclear to victims and investigators. U.S. authorities asserted the campaign aimed to advance Chinese economic interests. Despite a 2015 bilateral agreement between the U.S. and China prohibiting economic cyber espionage, APT10 continued operations. Ericsson and other victims faced challenges in mounting an effective defense due to service providers' reluctance to share breach details, driven by concerns over legal liability and reputational damage. HPE stated it "worked diligently" to mitigate the attack and protect customer information. The incident underscored systemic vulnerabilities in cloud service supply chains and highlighted obstacles to coordinated threat response among Western entities. Chinese officials consistently denied involvement, calling accusations "slanderous" and reaffirming opposition to cyber-enabled industrial espionage.
