A newly unsealed federal whistleblower complaint alleges that IBM and AT&T were repeatedly breached by foreign government-linked hackers over a period of years, and that both companies concealed those intrusions from the U.S. government in order to win and retain lucrative federal contracts. The lawsuit, filed in 2020 by former IBM Vice President of Threat Intelligence William Barlow, became public this week after the Justice Department declined to intervene. It is now pending in a federal court in New York.
What Happened
According to the complaint, the IBM "Core Network," a massive cloud computing environment operated in partnership with AT&T and used extensively by U.S. government customers including the military, was repeatedly infiltrated by foreign and unidentified threat actors. Barlow alleges that IBM and AT&T failed to disclose multiple intrusions and made false assurances about the security posture of these systems when negotiating and executing federal contracts. In several instances, the companies were reportedly unable to determine who the attackers were or what data had been exfiltrated. The whistleblower complaint, filed under the False Claims Act, sat under seal for nearly six years before the government declined to intervene, allowing Barlow to pursue the case independently.
What Was Taken
The complaint does not enumerate specific datasets, but the scope of potential exposure is substantial. The Core Network supports a wide range of U.S. federal customers, including Department of Defense components, meaning workloads, configurations, credentials, and sensitive operational data belonging to government agencies could be in scope. Critically, the suit alleges the companies in some cases "couldn't determine who got in, or what was taken," a forensic gap that leaves the full impact of the alleged intrusions unknown to both the operators and their federal customers.
Why It Matters
This case strikes at the foundation of the federal supply chain security model. Contractor self-attestation about cyber hygiene and incident disclosure is the mechanism by which agencies extend trust into cloud and telecommunications infrastructure they do not directly operate. If proven, the allegations describe a structural failure: two of the largest providers in the federal market suppressing knowledge of nation-state intrusions to protect contract revenue. The implications extend beyond IBM and AT&T. Every agency relying on managed cloud, managed network services, or telecom transit must now ask whether undisclosed compromises sit upstream of their own environments, and whether contractual attestations reflect operational reality.
The Attack Technique
The complaint does not publicly attribute the intrusions to a specific named threat group; it characterizes the attackers as linked to foreign governments and describes repeated access over a period of years. The tradecraft that follows is inference from that description, not a finding of the complaint. That defenders reportedly could not identify the intruder or scope the theft is consistent with advanced persistent threat operations: living off the land, abuse of legitimate cloud and telecom administrative tooling, log tampering, and patient lateral movement across hybrid environments. Compromising shared cloud and carrier infrastructure is a high-leverage upstream vector precisely because it sits on the provider side of the customer agency's perimeter controls, so those controls never see the intrusion.
What Organizations Should Do
- Treat managed cloud and telecom providers as potentially compromised upstream dependencies: extend no implicit trust beyond your own enforcement boundary, and encrypt sensitive workloads and data at rest with customer-managed keys. This only helps if the key material stays outside the provider's reach (for example in an HSM or key service you control); a key the provider can read or use on your behalf does not protect you from the provider's own compromise.
- Demand contractual transparency on breach notification timelines and audit rights, and validate whether providers have disclosed material cybersecurity incidents within required windows.
- Independently log, monitor, and baseline behavior of provider-administered identities and service accounts that operate inside your tenant or network.
- Conduct threat hunts focused on long-dwell nation-state activity in environments that depend on IBM cloud services or AT&T managed network transit, prioritizing identity, egress, and configuration-change telemetry.
- Review False Claims Act exposure and CISA reporting obligations (CIRCIA) in your own contractor relationships to ensure your disclosure posture is defensible.
- Maintain offline, immutable forensic logging so that "we don't know what was taken" is never an acceptable answer in your own environment.
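The recommendations on independently baselining provider-administered identities and on hunting over identity, egress and configuration-change telemetry can be turned into a concrete starting point. What follows is an added example, not code from the article and not IBM or AT&T tooling: the audit-log schema, the `svc-provider-ops` account, the IP ranges, the action names, the baseline cutoff date and the ten-fold egress threshold are all assumptions constructed for illustration, to be mapped onto your own cloud audit log export.

```python
"""Hunting for deviations in provider-administered identities.

Added example, not from the article and not IBM or AT&T tooling. The log
schema, field names, account name, IP ranges and action names are all
constructed for illustration; adapt them to your cloud audit log export.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumed list of actions that alter security-relevant configuration.
CONFIG_CHANGE_ACTIONS = {
    "UpdateRolePolicy", "CreateAccessKey", "ModifyFirewallRule",
    "PutLogRetention", "DeleteTrail",
}

# Constructed audit events (JSON lines, UTC). Events before CUTOFF form the
# baseline; events on or after it are the hunt window.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:05:00Z", "actor": "svc-provider-ops", "action": "DescribeInstances", "src_ip": "198.51.100.12", "bytes_out": 12000}
{"ts": "2024-03-01T13:40:00Z", "actor": "svc-provider-ops", "action": "PatchInstance", "src_ip": "198.51.100.12", "bytes_out": 2500}
{"ts": "2024-03-04T17:55:00Z", "actor": "svc-provider-ops", "action": "DescribeInstances", "src_ip": "198.51.100.20", "bytes_out": 15000}
{"ts": "2024-03-06T10:20:00Z", "actor": "svc-provider-ops", "action": "PatchInstance", "src_ip": "198.51.100.33", "bytes_out": 3100}
{"ts": "2024-03-11T10:00:00Z", "actor": "svc-provider-ops", "action": "DescribeInstances", "src_ip": "198.51.100.20", "bytes_out": 14000}
{"ts": "2024-03-12T03:14:00Z", "actor": "svc-provider-ops", "action": "PatchInstance", "src_ip": "198.51.100.12", "bytes_out": 2900}
{"ts": "2024-03-12T11:02:00Z", "actor": "svc-provider-ops", "action": "DescribeInstances", "src_ip": "203.0.113.7", "bytes_out": 9000}
{"ts": "2024-03-12T11:05:00Z", "actor": "svc-provider-ops", "action": "CreateAccessKey", "src_ip": "203.0.113.7", "bytes_out": 800}
{"ts": "2024-03-13T14:30:00Z", "actor": "svc-provider-ops", "action": "DescribeInstances", "src_ip": "198.51.100.20", "bytes_out": 9400000}
"""
CUTOFF = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON lines into dicts with a tz-aware timestamp and a /24 source network."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["net"] = str(ipaddress.ip_network(e["src_ip"] + "/24", strict=False))
        events.append(e)
    return events


def build_baseline(events, cutoff):
    """Per actor: actions seen, source /24s, active hour range (UTC) and peak egress."""
    base = defaultdict(lambda: {"actions": set(), "nets": set(),
                                "min_hour": 23, "max_hour": 0, "max_out": 0})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        b = base[e["actor"]]
        b["actions"].add(e["action"])
        b["nets"].add(e["net"])
        b["min_hour"] = min(b["min_hour"], e["ts"].hour)
        b["max_hour"] = max(b["max_hour"], e["ts"].hour)
        b["max_out"] = max(b["max_out"], e.get("bytes_out", 0))
    return dict(base)


def hunt(events, baseline, cutoff, egress_factor=10):
    """Return one finding per hunt-window event that deviates from the baseline."""
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = []
        b = baseline.get(e["actor"])
        if b is None:
            reasons.append("no baseline for actor")
        else:
            if e["action"] not in b["actions"]:
                reasons.append("new action")
            if e["net"] not in b["nets"]:
                reasons.append("new source network " + e["net"])
            if not b["min_hour"] <= e["ts"].hour <= b["max_hour"]:
                reasons.append("outside baseline hours")
            if e.get("bytes_out", 0) > egress_factor * max(b["max_out"], 1):
                reasons.append("egress spike")
        # Config changes by a provider identity are always worth a look,
        # even when every other attribute matches the baseline.
        if e["action"] in CONFIG_CHANGE_ACTIONS:
            reasons.append("security-relevant configuration change")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "actor": e["actor"],
                             "action": e["action"], "src_ip": e["src_ip"],
                             "reasons": reasons})
    return findings


def run_hunt(text=SAMPLE_LOG, cutoff=CUTOFF):
    events = parse_events(text)
    return hunt(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for f in run_hunt():
        print(f["ts"], f["actor"], f["action"], f["src_ip"], "; ".join(f["reasons"]))
```

On the constructed input, the routine stays silent on the routine daytime `DescribeInstances` call and flags four events: the off-hours patch, the first use of a new source network, a `CreateAccessKey` from that same network (new action, new network and a configuration change in one event), and a read-only call whose egress volume is orders of magnitude above anything in the baseline. The baseline window here is nine days of four events; in practice use weeks of data and a per-actor percentile rather than a flat multiplier for the egress threshold, and keep the baseline itself in storage the provider identity cannot write to, or an intruder can simply train it.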
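The last recommendation, immutable forensic logging, has a small technical core worth showing: each log entry is bound to its predecessor with a keyed hash, and the latest chain head (the anchor) is shipped off-box as it is produced, so that editing, reordering or truncating the log on the host is detectable afterwards. This is an added example, not from the article; the key, the records and the field names are constructed, and in a real deployment the key and the anchor live somewhere the host and the provider identity cannot write.

```python
"""Tamper-evident, hash-chained forensic log.

Added example, not from the article. SAMPLE_KEY and the records are
constructed; in practice the key and the latest chain head (the anchor) are
held off-box (a separate account, a WORM bucket, a notarisation service) so
that an attacker with host access can rewrite entries but cannot re-sign
them or hide truncation.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64
SAMPLE_KEY = b"constructed-demo-key-keep-off-box"


def _entry_hash(prev_hash, record, key):
    # Bind each entry to its predecessor and to the canonical record bytes.
    body = prev_hash + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def append(chain, record, key):
    """Append a record; returns the new chain head to be shipped off-box."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record, key)})
    return chain[-1]["hash"]


def verify(chain, key, anchor=None):
    """Return (ok, index). On failure, index is the first bad entry; when the
    chain is internally consistent but its head differs from the anchor,
    index equals len(chain) (entries were deleted from or added to the tail)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"], key):
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, len(chain)


def build_sample_chain(key=SAMPLE_KEY):
    """Three constructed audit records, as the logger would have written them."""
    chain = []
    append(chain, {"ts": "2024-03-12T11:05:00Z", "actor": "svc-provider-ops", "action": "CreateAccessKey"}, key)
    append(chain, {"ts": "2024-03-12T11:06:00Z", "actor": "svc-provider-ops", "action": "DeleteTrail"}, key)
    append(chain, {"ts": "2024-03-12T11:07:00Z", "actor": "svc-provider-ops", "action": "PutLogRetention"}, key)
    return chain


def tampered_copy(chain, index, field, value):
    """Deep copy with one record field rewritten, simulating on-host log editing."""
    edited = copy.deepcopy(chain)
    edited[index]["record"][field] = value
    return edited


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]  # shipped off-box at write time
    print("intact:   ", verify(chain, SAMPLE_KEY, anchor))
    print("edited:   ", verify(tampered_copy(chain, 1, "action", "DescribeInstances"), SAMPLE_KEY, anchor))
    print("truncated:", verify(chain[:2], SAMPLE_KEY, anchor))
```

Rewriting the `DeleteTrail` entry to look benign breaks the chain at index 1; dropping the last entry leaves a chain that verifies on its own, which is why the comparison against the off-box anchor is not optional. Ship the anchor at a fixed cadence (every entry, or every few seconds) so the window an attacker can silently truncate is correspondingly small.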