Whistleblower Lawsuit Accuses IBM of Concealing APT10 Breaches
A newly unsealed False Claims Act lawsuit alleges that IBM concealed multiple intrusions by foreign government-linked hackers, including activity tied to Chinese state-linked group APT10, after its core network was reportedly breached between 2013 and 2016. Former IBM vice president of threat intelligence William Barlow claims IBM’s internal investigation identified more than 56,000 potential indicators of compromise, with nearly 400 accounts and almost 200 systems across 18 countries potentially affected, and that the company failed to notify customers, authorities, and U.S. government agencies despite its role as a major federal cybersecurity vendor.
The complaint also alleges that IBM and AT&T operated outdated, poorly segmented infrastructure with insufficient logging and monitoring, leaving investigators unable to determine the full scope, timing, or impact of the intrusions. Barlow said he repeatedly warned executives from 2017 to 2019 about missing logs, weak detection, and active exploitation, but was told to reduce or redact his findings; he further alleged undisclosed breaches at IBM subsidiaries Trusteer and Truven. IBM said the case was originally filed in 2020, that the U.S. Department of Justice declined to intervene, and that the company believes it acted lawfully, while AT&T did not publicly comment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
IBM publicly denied wrongdoing after the allegations surfaced
In response to the newly public complaint, IBM said the case was years old, noted that the Justice Department declined to intervene, and stated that it believes it acted within the law.
Barlow lawsuit was unsealed and became public this week
The False Claims Act lawsuit accusing IBM and related infrastructure of concealing nation-state intrusions was unsealed this week, making the allegations public and leaving the case pending in Manhattan federal court.
U.S. government declined to intervene in Barlow's lawsuit
After reviewing the sealed False Claims Act case, the U.S. Department of Justice declined to intervene, allowing the matter to proceed toward public disclosure and continued litigation.
Barlow says he repeatedly warned IBM executives about security failures
From 2017 to 2019, former IBM vice president of threat intelligence William Barlow allegedly warned executives about missing logs, poor segmentation, inadequate monitoring, and active exploitation in IBM cloud environments tied to AT&T-managed infrastructure. He claims he was told to reduce or redact his findings.
APT10 allegedly breached IBM's core network over several years
According to the unsealed lawsuit, IBM internally concluded that Chinese state-linked APT10 breached its core network between 2013 and 2016, with more than 56,000 potential indicators of compromise affecting hundreds of accounts and systems across multiple countries.
William Barlow filed False Claims Act lawsuit against IBM in 2020
The complaint alleging IBM concealed multiple foreign government-linked breaches and failed to notify authorities was filed under seal in 2020 by former executive William Barlow.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Former IBM executive sues, alleging cover-up of foreign government hacks | brief | SC Media
scworld.com
Open sourceFormer cyber executive turned whistleblower accuses IBM of covering up several data breaches | TechCrunch
techcrunch.com
Open sourceEx-Threat Intel Exec Accuses IBM and AT&T of Hiding Hacks
govinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Chinese-Linked Zero-Day Attack on Williams & Connolly Law Firm
Williams & Connolly, a prominent U.S. law firm known for representing high-profile politicians and major media outlets, experienced a targeted cyberattack attributed to a Chinese-linked threat actor. The attackers exploited a zero-day vulnerability to compromise the email accounts of a small number of attorneys at the firm. The incident is part of a broader campaign by Chinese-nexus threat clusters, as reported by Google’s Mandiant and Threat Intelligence Group, which have been targeting U.S. law firms and technology companies to support espionage objectives. The law firm promptly notified its clients about the breach, emphasizing that there is no evidence of confidential client data being exfiltrated from central databases. Williams & Connolly stated that, following the attack, there is no indication of ongoing unauthorized activity within their network. The firm has engaged cybersecurity firm CrowdStrike to assist in the investigation and has taken steps to block the threat actor’s access. The FBI’s Washington Field Office is also investigating the incident, though it has not provided public comment. Analysts believe the Chinese threat actors aim for long-term access to sensitive targets, seeking to install backdoors and avoid detection for extended periods. The attack on Williams & Connolly is notable due to the firm’s involvement in sensitive legal matters, including First Amendment cases and representation of former U.S. presidents. The campaign against law firms is part of a larger pattern of Chinese cyber-espionage targeting sectors with access to valuable national security and international trade information. In the same timeframe, other U.S. law firms have reported breaches, but Williams & Connolly’s case is distinguished by the use of a zero-day exploit and the high-profile nature of its clientele. The firm has reassured clients that, based on current evidence, their confidential information remains secure. The incident underscores the persistent threat posed by nation-state actors to the legal sector, particularly those handling sensitive political and governmental matters. The breach highlights the importance of rapid detection, transparent communication with clients, and collaboration with both private cybersecurity firms and federal law enforcement. The attack has raised concerns about the broader vulnerability of the legal sector to sophisticated, state-sponsored cyber campaigns. Williams & Connolly’s response demonstrates a commitment to transparency and proactive risk mitigation in the face of advanced persistent threats. The ongoing investigation may yield further insights into the tactics, techniques, and procedures employed by the attackers. The incident serves as a warning to other law firms and organizations with sensitive data to bolster their defenses against similar nation-state campaigns.
Mar 21, 2026
US Treasury Breached via BeyondTrust Remote Support Platform
The U.S. Treasury Department disclosed a breach tied to a compromise of **BeyondTrust** remote support technology, with reports saying attackers used the third-party platform to gain access to Treasury systems in December. Coverage from BleepingComputer and SC Media said the intrusion affected the department through its remote support environment, raising concerns about supply-chain exposure and the security of privileged access tools used by federal agencies. TechCrunch reported that the operation was attributed to **Chinese government hackers** and that one of the apparent targets was the Treasury office responsible for administering U.S. economic sanctions. If confirmed, the targeting would indicate an espionage-focused effort aimed at sensitive policy and enforcement information, adding to scrutiny of vendor-connected access paths into high-value government networks.
May 25, 2026
IntelBroker Claims Apple Source Code Exposure Involving Internal SSO and Atlassian Plugins
Threat actor **IntelBroker** claimed to have breached Apple and posted code on BreachForums tied to three internal tools: `AppleConnect-SSO`, `Apple-HWE-Confluence-Advanced`, and `AppleMacroPlugin`. Reporting said the exposed material appeared related to Apple’s internal authentication and workflow environment, including integrations for Atlassian Jira and Confluence, raising concern that the leak could reveal sensitive implementation details useful for follow-on attacks. Apple had not confirmed a breach at the time of reporting, and major outlets had not independently verified the claim. Independent analysis cited in coverage said the leak did **not** appear to contain the full source code for the named internal tools, but rather proprietary plugins and configuration data used to connect Apple authentication systems to internal collaboration platforms. That assessment said the exposure could still create meaningful enterprise security risk by disclosing internal architecture and access-related details, while indicating that Apple customer products and services were not affected. The claim emerged shortly after IntelBroker also alleged a breach of AMD, and later reporting noted Cisco was also claimed as a victim by the same actor.
May 25, 2026