APT 10’s Cloud Hopper campaign exposed

Security researchers at PwC UK and BAE Systems spotted a China-based cyber espionage campaign, dubbed Cloud Hopper, targeting companies through their managed IT service providers (MSPs). The group behind the attacks, APT10, has targeted Canada, Brazil, France, Norway, Finland, Switzerland, South Africa, Australia, Japan, and India for intellectual property and other sensitive information, according to a recent PricewaterhouseCooper's (PwC) UK and BAE Systems report. The group targets both a low profile and high value systems to gain both network persistence and a high level of access, respectively, and has also been identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business, and are thus less likely to draw the attention of system administrators, the report said. “Given the level of client network access MSPs have, once APT10 has gained access to a MSP, it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims,” researchers said in the report. “This, in turn, would provide access to a larger amount of intellectual property and sensitive data.” Researchers said the group has been upscaling its tools and capabilities since early 2016 and primarily used PlugX malware between 2014 and 2016. During this time, researchers linked the group to several other profile attacks including the US Office of Personnel Management (OPM) breach in 2015 which compromised the personal information of more than 20 million people as well as several attacks against healthcare firms including Anthem, Premera Blue Cross and CareFirst. Recently, researchers said they've observed a recent shift towards the use of bespoke malware and customized open-source tools indicating an increase in sophistication, the report said. The group had also been known for targeting government and U.S. defense industrial base organizations and their earliest known attacks dating back to December 2009. “This campaign serves to highlight the importance of organisations having a comprehensive view of their threat profile, including that of their supply chain's,” researchers said in the report. “More broadly, it should also encourage organisations to fully assess the risk posed by their third party relationships, and prompt them to take appropriate steps to assure and manage these.”