We learned a full year ago from the Department of Justice that a state-affiliated Chinese hacking group, APT10, had penetrated the cloud computing systems of major U.S. technology companies. The Wall Street Journal identified the companies as IBM and HPE, an offshoot of Hewlett-Packard. IBM was quoted as saying it found no evidence of the hacking.
Now comes the National Security Agency promising to issue guidelines on cloud computing security. The NSA is taking its sweet time recognizing what is already obvious: the Chinese in particular know how to penetrate cloud computing systems, giving them access to all the systems of companies and governmental institutions that entrusted their secrets to the cloud computing providers. As the article in the Wall Street Journal notes, if someone can penetrate a cloud computing system, they don’t need to bother penetrating 40 or 50 different customers. They are already in.
The way it worked in the APT10 case was that the Chinese deceived the intrusion detection systems of the cloud service providers. They are that good with malware. Once inside, they used other malware to record the keystrokes that legitimate users made on their keyboards. That allowed them to capture legitimate user IDs and passwords. They became invisible. And they spent four years inside without anyone noticing until the feds figured it out. That’s incredible. Imagine all that they could have encrypted and exfiltrated.
The Chinese have developed stunning Information and Communications Technology skills, partly because of a large base of people with technical training. If it takes the NSA a full year to issue its recommendations after such a major breach as the APT10 case, the American government is simply failing to respond in real time to massive and devastating penetrations of our computer systems. Cloud computing could be one of the worst IT “innovations” of all time.