APT10, a cyber espionage group operating out of China, has been targeting Managed Service Providers (MSPs) for organizational secrets and information since December 2009. The recent operation uncovered by security researchers from PwC UK and BAE Systems, known as Operation Cloud Hopper, is considered the largest sustained global cyber espionage campaign to date. Victims have been identified in countries across the globe, including Canada, the United States, Brazil, South Africa, Switzerland, France, Norway, Sweden, the United Kingdom, Finland, India, Thailand, South Korea, Japan, and Australia.
APT10, also known as MenuPass, Red Apollo, Stone Panda, POTASSIUM, and CVNX, targets low-profile but high-value systems to gain persistent network access. To carry out the operation, APT10 installs malware on low-profile systems that provide non-critical support to businesses, which helps the group avoid attention and detection. The goal is to compromise the MSPs in order to reach the real targets: the MSPs' clients. Once the MSP infrastructure is infiltrated, it is relatively easy to exploit, and APT10 moves laterally across a network of thousands of potential victims. In the past, the industries primarily targeted were government and U.S. defense industrial base organizations, but the targets have since expanded to include retail, energy, telecommunications, engineering, pharmaceuticals, government agencies, and industrial manufacturing.
PwC and BAE Systems have been collaborating since late 2016 to study the APT10 threat, providing support to victims and circulating their research to inform the global community. Recent findings show that APT10 has two specific campaign targets: Japanese entities, and MSPs and their clients. APT10 has deployed numerous malware families, including several versions of remote access Trojans (RATs): PlugX, Poison Ivy, ChChes, and Graftor. APT10 initially used Poison Ivy but stopped deploying it after a report was published with detailed explanations of the malware's functions and features. From 2014 to 2016, the primary malware employed was PlugX, with improved versions released over time and command-and-control functions standardized. Researchers have noticed that APT10 has begun to shift towards bespoke malware and open-source tools, both of which can be customized. The group delivers the malware through spear phishing emails aimed at specific users, and employs tools to steal user and administrative credentials. Windows services and built-in utilities are used to keep the malware running on the system, even across reboots. Operation Cloud Hopper turns the trusted communication channel between MSPs and their customers into an attack vector.
As a precaution, organizations should assess and validate the risks of relying on third-party networks. Moving forward, a cloud service can also improve security for both MSPs and their clients. All systems must be kept consistently updated, and incident response measures should be in place so that organizations are prepared for attacks of this kind.