lolloj - Fotolia

Chinese hacking group targeted firms through IT MSPs

Security researchers have uncovered a China-based cyber espionage campaign that targeted IT services firms and their customers, underlining the need for supply chain security

Security researchers have uncovered a cyber espionage operation that targeted companies through the managed service providers (MSPs).

PricewaterhouseCooper’s (PwC’s) cyber security practice has worked closely with BAE Systems and other members of the security community, along with the UK’s National Cyber Security Centre (NCSC), to uncover and disrupt what is thought to be one of the largest sustained global cyber espionage campaigns, dubbed Operation Cloud Hopper.

Since late 2016, PwC and BAE Systems have been collaborating to research the threat, brief the global security community and assist known victims. The threat actor behind the campaign is widely known in the security community as “APT10”, but referred to in PwC UK as “Red Apollo”.

According to the joint PwC/BAE report, APT10 has significantly increased its scale and capability since early 2016, including the addition of custom tools.

Researchers found that APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report, which comprehensively detailed the malware’s functionality and features, and its use by several China-based threat actors, including APT10.

APT10 primarily used PlugX malware from 2014 to 2016, progressively improving and deploying newer versions, while simultaneously standardising their command and control function. However, researchers observed a shift towards the use of bespoke malware as well as open-source tools, which have been customised to improve their functionality, which is likely to indicate an increase in sophistication, the report said.

The espionage campaign has targeted managed MSPs, potentially allowing the APT10 group unprecedented access to the intellectual property and sensitive data of those MSPs and their clients around the world.

This campaign provides a useful reminder that an organisation’s entire supply chain needs to be managed and that organisations cannot outsource their risk, said the NCSC, adding that MSPs are particularly attractive to attackers because they often have highly privileged access to systems and data.

“As part of your procurement, you should have ensured that your service providers all manage their security to a level broadly equivalent to that you would expect from your internal functions. This incident provides a useful impetus to revisit those discussions,” the NCSC said.

According to the researchers, this indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage, underlining the importance of companies having a comprehensive view of all cyber threats, either directly or through their supply chain.

Read more about cyber espionage

  • A huge data breach at French naval defence contractor DCNS highlights the challenge of protecting intellectual property (IP), say security experts.
  • Russian state-sponsored hackers work office hours and target Western governments, according to F-Secure report.
  • A cyber espionage group has targeted high-profile technology, internet, commodities and pharmaceutical companies in the US, Europe and Canada.
  • Abuse of credentials and watering-hole attacks are the main tactics used by a cyber espionage group.

The researchers also uncovered a parallel campaign that targeted a number of Japanese organisations, with APT10 masquerading as legitimate Japanese government entities to gain access.

“This type of attack is not dissimilar from the Abta attack in March 2017 in that a supplier’s infrastructure was the target,” said Matt Walmsley, director at cyber security company Vectra Networks for Europe, Middle East and Africa.

“It highlights why companies need to support IT security professionals with technology that can help them spot the subtle nuances of a long game attack before valuable data is disrupted or walked out the door.

“A year from now, if these braches keep happening, companies in or working in the EU could also find themselves exposed to significant fines under GDPR [General Data Protection Regulation], as well as the long-term value destruction from loss of reputation and intellectual property,” he said.

Third parties ‘easier’ target

Donato Capitella, senior security consultant at MWR InfoSecurity, said targeting third parties offers the attackers an easier, lower resistance path into the IT systems belonging to their larger, critical targets.

“It is fundamental for organisations to come to terms with the fact that raising their own security posture is essential but not sufficient, especially if they are then willing to interweave their IT systems with third parties whose security posture is insufficient.

“Organisations have to mandate higher security standards if they do not want to see all of their security investment undermined by trivial security mistakes on behalf of their partners.

“At the same time, third parties that can demonstrably step up their security game will become preferred over time and will undoubtedly have a higher chance to win important contacts in the future,” he said.

NCSC encourages MSPs to join security communities

The NCSC has notified all members of the Managed Service Provider Information Exchange (MSPIE) and all MSPs that are members of the UK’s Cyber-security Information Sharing Partnership (CiSP).

The NSCS said any organisation whose MSP that is not a member of the MSPIE or CISP should encourage them to join to gain access to this information.

In the light of the fact that these attacks are specifically targeted against MSPs, organisations should ensure their MSP has deployed the indicators of compromise on their monitoring system, the NCSC in an advisory document.

Organisations are also advised to pay particular attention to any network connectivity with their MSPs, such as VPN termination, and review their independent audit logs to determine if any suspicious activity has taken place on company systems in the context of the MSP’s access.

“You should contact your MSP and discuss their response to these attacks, including whether and how you have been affected. You should ensure that your MSPs are doing everything necessary to investigate whether they have been compromised and what effect any such compromise has had on their customers. Do not accept assertions from your provider, but instead demand evidence,” the NCSC said.

The NCSC also issued the following advice:

  • If an MSP uses cloud services, customers should understand how that affects the security of their data and systems.
  • If an MSP has administrative rights over infrastructure or services that process personal data, customer should assess the security against the bulk personal data protection principles.
  • Understand what model your MSP uses to manage your infrastructure and services and use the NCSC system administration guidance to understand the various risks.
  • If your MSP uses one of the more risky models, you should demand that they fix this immediately and in this case it would be prudent to undertake a detailed investigation to look for compromise.
  • Understand your MSP’s personnel security policies, operational restrictions placed on the people who perform day-to-day activities in your MSP, how they store and manage access to your key credentials and how they monitor and manage audit for their customer system accesses.
  • Understand how your MSP ensures separation between their customers, ensuring that compromise of one does not allow compromise of all.
  • Ensure you have monitoring and audit that is independent of your MSP. This is critical for security monitoring and management, but also for contractual enforcement and investigations.

Read more about supply chain security

  • Business is increasingly recognising the importance of information security, but security in supply chains is still widely overlooked.
  • A comprehensive security strategy must include the supply chain.
  • The UK government will require IT suppliers to comply with the five security controls laid out in its Cyber Essential Scheme.
  • A new mobile trojan dubbed “DeathRing” is being pre-loaded on to smartphones somewhere in the supply chain, warn researchers.

Read more on Hackers and cybercrime prevention

Data Center
Data Management