A whistleblower lawsuit alleges that IBM and AT&T concealed over 56,000 intrusions by the Chinese state-sponsored actor APT 10 between 2013 and 2016. The attackers exploited a "flat" network architecture within IBM's cloud infrastructure, operated by AT&T, which lacked critical network segmentation and comprehensive access logging for VPN connections. This architectural failure enabled APT 10 to compromise approximately 400 accounts and 200 systems across 18 countries. The lawsuit claims IBM and AT&T suppressed these findings and provided fraudulent security attestations to maintain multi-billion-dollar federal contracts, potentially exposing U.S. military and government records to long-term foreign intelligence exploitation.

  • Technical Failures: Network Architecture and Logging

    • Utilization of a "flat network" design that lacked internal segmentation, allowing adversaries to move laterally across the IBM cloud environment.
    • Critical absence of network access logs for AT&T-managed VPN connections, rendering definitive forensic reconstruction of exfiltration impossible.
    • Failure to implement basic security controls mandated by NIST SP 800-171 and Federal Acquisition Regulation (FAR) requirements for federal contractors.
  • Threat Campaign: APT 10 Infiltration

    • Identification of over 56,000 indicators of compromise (IOCs) linked to APT 10, a Chinese government-linked "hack-for-hire" group.
    • Compromise of nearly 400 user accounts and 200 systems across every IBM business unit and 18 different countries.
    • Persistence established within the "Core Network" infrastructure utilized by the U.S. military and other federal agencies for record storage.
  • Legal Allegations: False Claims Act (FCA)

    • Allegations that IBM and AT&T provided false security certifications to secure billions in federal contracts while aware of active nation-state breaches.
    • Lawsuit filed under seal in 2020 by former IBM VP of Threat Intelligence William Barlow; unsealed in 2026 after the DOJ declined to intervene.
    • Claims that corporate revenue preservation and market performance were prioritized over mandatory federal breach notification timelines.
  • Scope of Exposure: Subsidiary and Partner Risk

    • Alleged concealment of multiple breaches at acquired entities, including healthcare data firm Truven and cybersecurity startup Trusteer.
    • Systemic vulnerability arising from the co-dependence between IBM and AT&T in managing the "Core Network," which created a single point of failure.
    • Heightened risk of undetected long-term persistence by state actors due to the intentional suppression of forensic telemetry.
  • Corporate Governance: Intelligence Suppression

    • Internal forensic reports allegedly redacted or "toned down" by executives to avoid market volatility and loss of public trust.
    • Claims that threat intelligence leadership was pressured to omit critical details from reports provided to government clients.
    • Intentional evasion of queries from government agencies regarding the scale and nature of the APT 10 intrusions.
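The two weaknesses listed under "Technical Failures" above, a flat network with no internal segmentation and VPN connections that left no access-log trail, are the kind a defender can test for before an incident rather than discover during one. The script below is an added illustration, not code from the briefing or from IBM or AT&T; its segments, allow-list policies, VPN session records and log lines are constructed for the example. It computes the blast radius an intruder holding one segment could reach under a flat policy versus a segmented one, and then lists VPN sessions that established a tunnel but never produced an access-log record, which is exactly the gap that makes forensic reconstruction of exfiltration impossible.

```python
"""Added example: two checks that surface the flat-network and
missing-VPN-log weaknesses described in the briefing.

Every segment, rule, session and log line here is constructed for
illustration; none reflect IBM's or AT&T's real configuration.
"""
from collections import deque

# Constructed network segments.
SEGMENTS = ["vpn-gateway", "corp-workstations", "cloud-mgmt",
            "federal-records-db", "build-servers"]

# A "flat" policy: every segment may reach every other segment.
FLAT_POLICY = {src: {dst for dst in SEGMENTS if dst != src} for src in SEGMENTS}

# A segmented policy: an explicit allow-list of src -> dst flows only.
SEGMENTED_POLICY = {
    "vpn-gateway": {"corp-workstations"},
    "corp-workstations": {"build-servers"},
    "cloud-mgmt": {"federal-records-db", "build-servers"},
    "federal-records-db": set(),
    "build-servers": set(),
}


def reachable_from(policy, start):
    """Transitive set of segments an intruder holding `start` can pivot to.

    Breadth-first search over the allow-list; the start segment itself is
    excluded from the result.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in policy.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius_report(policy, entry):
    """Share of the other segments reachable from a compromised entry segment."""
    reach = reachable_from(policy, entry)
    return {
        "entry": entry,
        "reachable": sorted(reach),
        "fraction": len(reach) / (len(SEGMENTS) - 1),
    }


# --- VPN logging coverage check ---
# Constructed VPN session records (what the concentrator established) and
# constructed access-log lines (what actually reached the log pipeline).
VPN_SESSIONS = [
    {"session_id": "s1", "user": "alice", "src_ip": "203.0.113.10",
     "start": "2016-03-01T08:00:00Z"},
    {"session_id": "s2", "user": "bob", "src_ip": "198.51.100.7",
     "start": "2016-03-01T09:15:00Z"},
    {"session_id": "s3", "user": "svc-backup", "src_ip": "203.0.113.44",
     "start": "2016-03-01T23:40:00Z"},
]
ACCESS_LOG = [
    "2016-03-01T08:00:02Z vpn session=s1 user=alice assigned=10.8.0.5",
    "2016-03-01T08:00:02Z vpn session=s1 user=alice assigned=10.8.0.5",
]


def sessions_without_access_logs(sessions, log_lines):
    """Session IDs that opened a tunnel but left no access-log record.

    Each such session is a window of activity that cannot be reconstructed
    after the fact, which is the forensic gap the briefing describes.
    """
    logged = set()
    for line in log_lines:
        for field in line.split():
            if field.startswith("session="):
                logged.add(field.split("=", 1)[1])
    return sorted(s["session_id"] for s in sessions
                  if s["session_id"] not in logged)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, blast_radius_report(policy, "vpn-gateway"))
    print("unlogged VPN sessions:",
          sessions_without_access_logs(VPN_SESSIONS, ACCESS_LOG))
```

Under the flat policy a foothold on the VPN gateway reaches every other segment, including the records database; under the segmented policy the same foothold reaches only the workstation and build segments. The logging check reports sessions s2 and s3 as unlogged: a concentrator that knows of a tunnel the log pipeline never recorded is the condition to alert on, independently of whether any intrusion is suspected.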