A newly unsealed whistleblower lawsuit alleges that IBM suffered more than 56,000 cybersecurity intrusions attributed to the Chinese state-linked group APT10 between 2013 and 2016, and then systematically concealed the damage from federal clients and US regulators. The complaint, filed under the False Claims Act by former VP of threat intelligence William Barlow, was unsealed in New York federal court in early June 2026 after the Department of Justice declined to intervene.
What Happened
According to the unsealed complaint, Barlow, who served as vice president of threat intelligence at IBM, documented over 56,000 intrusions tied to APT10 across a three-year window. At least two IBM subsidiaries were also allegedly compromised during the same period. Barlow asserts that IBM corporate executives pressured staff to minimize the severity of these incidents in internal reports and withheld disclosure from US government clients holding active federal contracts with the company.
The lawsuit further alleges that IBM failed to act on a March 2017 warning from the Five Eyes intelligence alliance regarding security concerns at the company. The suit, originally filed under seal in 2020, was unsealed in June 2026. IBM has denied any wrongdoing, noting that the allegations concern events more than six years old and stating that it acted in compliance with applicable laws. The DOJ's declination is not a ruling on the merits: under the False Claims Act's qui tam provisions, Barlow continues as the relator, litigating the claims on the government's behalf.
What Was Taken
The complaint does not enumerate specific datasets exfiltrated in each of the 56,000 intrusions, but the scope is significant given IBM's role as a managed service provider and federal contractor. APT10's historical targeting pattern, validated in the December 2018 DOJ indictment of two group members, focused on intellectual property, client environments accessed through MSP trust relationships, and sensitive data belonging to government, healthcare, and contractor verticals across at least a dozen countries. Any compromise of IBM infrastructure during the 2013 to 2016 window carries downstream exposure for federal agency clients whose data and systems were administered through IBM services.
Why It Matters
If the allegations are substantiated, this case represents one of the largest alleged concealments of nation-state intrusion activity by a major technology vendor serving the US government. The implications extend well beyond IBM. Federal agencies that contracted with the company during the relevant period may have operated under false assumptions about the integrity of their supplier's environment, leaving downstream investigations, breach notifications, and remediation efforts incomplete. The case also tests how the False Claims Act applies to cybersecurity disclosure obligations, an area regulators and prosecutors have signaled growing interest in pursuing.
The Attack Technique
APT10, also tracked as Stone Panda and MenuPass and attributed to China's Ministry of State Security, is best known for the Operation Cloud Hopper campaign, which systematically targeted managed service providers in order to pivot into their downstream clients. The group's tradecraft has historically included spearphishing for initial access, malware including its own RedLeaves backdoor and the widely shared PlugX, abuse of legitimate remote administration tools, and lateral movement through MSP trust relationships to reach the intended end targets. The specific intrusion vectors used against IBM during the 2013 to 2016 period are not detailed in the unsealed complaint, but the volume and persistence described are consistent with APT10's documented operational tempo against service providers.
What Organizations Should Do
- Audit your exposure to IBM managed services and subsidiaries during the 2013 to 2016 window, and reopen any historical incident response decision that was closed on the strength of the provider's own assurances about its environment.
- Review supplier and MSP contracts for explicit cybersecurity incident disclosure clauses, retention timelines for breach evidence, and audit rights against the provider's internal threat intelligence reporting.
- Hunt for APT10 indicators and TTPs in historical SIEM and EDR telemetry where retention permits, with focus on RedLeaves, PlugX, Quasar RAT, and abuse of remote administration tooling. Few organizations still hold raw telemetry from 2013 to 2016, so prioritize artifacts that outlive the logs: scheduled tasks, services, and credentials that were created during the window and are still present.
- Apply least-privilege segmentation between any MSP or vendor management plane and your production environment, treating supplier-administered accounts as high-risk identities: scope them to the hosts the contract actually covers, require entry through designated jump hosts, and alert on any deviation rather than reviewing it after the fact.
- Establish independent threat intelligence and detection capabilities rather than relying solely on a vendor's self-reporting of incidents in their own environment.
- For federal contractors, review False Claims Act exposure tied to cybersecurity representations made in past contract submissions and ensure current attestations reflect verified internal posture.
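One way to turn the segmentation and monitoring points above into a concrete detection is a small hunting rule over authentication telemetry, which can be run against live events or replayed over whatever historical logs survive. The Python below is an added example written for this page, not code from the article, from IBM or from any of its clients. The vendor account naming prefix, the management-plane host list, the approved jump-host addresses, the fan-out window and threshold, and the JSON-lines log format are all assumptions, and the sample events are constructed.

```python
"""Flag supplier-administered accounts that stray outside their approved
management plane (added example; all policy values below are assumptions)."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: vendor accounts carry a fixed prefix, may only reach the
# hosts they are contracted to administer, and only from approved jump hosts.
VENDOR_PREFIX = "svc-msp-"
MGMT_PLANE = {"mgmt-bastion01", "mgmt-monitor01"}
JUMP_HOSTS = {"10.10.0.5", "10.10.0.6"}
# Lateral-movement heuristic: this many distinct hosts within the window.
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 4

# Constructed sample telemetry (JSON lines); field names are assumptions.
SAMPLE_LOG = """
{"ts": "2016-03-01T02:00:00Z", "user": "svc-msp-ops", "src": "10.10.0.5", "dst": "mgmt-bastion01", "outcome": "success"}
{"ts": "2016-03-01T02:05:00Z", "user": "svc-msp-ops", "src": "10.10.0.5", "dst": "mgmt-monitor01", "outcome": "success"}
{"ts": "2016-03-01T02:11:00Z", "user": "svc-msp-ops", "src": "10.10.0.5", "dst": "fileserv-prod01", "outcome": "success"}
{"ts": "2016-03-01T02:12:00Z", "user": "svc-msp-ops", "src": "10.10.0.5", "dst": "db-prod02", "outcome": "success"}
{"ts": "2016-03-01T02:13:00Z", "user": "svc-msp-ops", "src": "10.10.0.5", "dst": "db-prod03", "outcome": "success"}
{"ts": "2016-03-01T02:14:00Z", "user": "svc-msp-ops", "src": "10.10.0.5", "dst": "hr-prod01", "outcome": "success"}
{"ts": "2016-03-01T09:00:00Z", "user": "alice", "src": "10.20.1.7", "dst": "fileserv-prod01", "outcome": "success"}
{"ts": "2016-03-01T09:30:00Z", "user": "svc-msp-ops", "src": "203.0.113.9", "dst": "mgmt-bastion01", "outcome": "failure"}
"""


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    src: str
    dst: str
    reason: str  # "unapproved_source", "out_of_scope" or "fanout"


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines auth events and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def evaluate(events: list[dict]) -> list[Finding]:
    """Apply the three vendor-account rules and return one Finding per violation."""
    findings: list[Finding] = []
    # Per-user history of successful logons, used for the fan-out rule.
    history: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        user = e["user"]
        if not user.lower().startswith(VENDOR_PREFIX):
            continue  # only supplier-administered identities are in scope
        # Rule 1: any attempt, successful or not, from outside the jump hosts.
        if e["src"] not in JUMP_HOSTS:
            findings.append(Finding(e["ts"], user, e["src"], e["dst"], "unapproved_source"))
        if e["outcome"] != "success":
            continue  # the remaining rules concern actual access
        # Rule 2: successful access to a host outside the contracted management plane.
        if e["dst"] not in MGMT_PLANE:
            findings.append(Finding(e["ts"], user, e["src"], e["dst"], "out_of_scope"))
        # Rule 3: fan-out across many distinct hosts inside a short trailing window.
        hist = history[user]
        hist.append((e["ts"], e["dst"]))
        cutoff = e["ts"] - FANOUT_WINDOW
        recent_hosts = {dst for ts, dst in hist if ts >= cutoff}
        if len(recent_hosts) >= FANOUT_THRESHOLD:
            findings.append(Finding(e["ts"], user, e["src"], e["dst"], "fanout"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by reason, so a run can be checked at a glance."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.reason] += 1
    return dict(counts)


if __name__ == "__main__":
    results = evaluate(parse_events(SAMPLE_LOG))
    for f in results:
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user} {f.src} -> {f.dst}: {f.reason}")
    print(summarize(results))
```

In the constructed sample, the vendor account's first two logons are clean, the next four land on production hosts the contract does not cover, the last two of those also trip the fan-out rule, and the final failed attempt from an unapproved source is reported even though it did not succeed. The same structure carries over to a SIEM rule: the policy sets become lookup tables, and the rules become three saved searches.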
Sources: Former executive accuses IBM of covering up multiple data breaches linked to Chinese hackers