APT 10's Cloud Hopper campaign has been exposed

News by Robert Abel

The group behind the attacks, APT10, has targeted Canada, Brazil, France, Norway, Finland, Switzerland, South Africa, Australia, Japan, and India.

Security researchers at PwC UK and BAE Systems spotted a China-based cyber-espionage campaign, dubbed Cloud Hopper, targeting companies through their managed IT service providers (MSPs).

The group behind the attacks, APT10, has targeted Canada, Brazil, France, Norway, Finland, Switzerland, South Africa, Australia, Japan, and India for intellectual property and other sensitive information, according to a recent PricewaterhouseCoopers (PwC) UK and BAE Systems report.

The group targets both low-profile and high-value systems, to gain network persistence and a high level of access respectively. It has also been identifying and then installing malware on low-profile systems that provide non-critical support functions to the business and are therefore less likely to draw the attention of system administrators, the report said.

“Given the level of client network access MSPs have, once APT10 has gained access to an MSP, it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims,” researchers said in the report. “This, in turn, would provide access to a larger amount of intellectual property and sensitive data.”

Researchers said the group has been upscaling its tools and capabilities since early 2016 and primarily used PlugX malware between 2014 and 2016.

During this time, researchers linked the group to several other high-profile attacks, including the US Office of Personnel Management (OPM) breach in 2015, which compromised the personal information of more than 20 million people, as well as several attacks against healthcare firms including Anthem, Premera Blue Cross and CareFirst.

Researchers said they have recently observed a shift towards the use of bespoke malware and customised open-source tools, indicating an increase in sophistication, the report said.

The group has also been known for targeting government and US defence industrial base organisations, with its earliest known attacks dating back to December 2009.

“This campaign serves to highlight the importance of organisations having a comprehensive view of their threat profile, including that of their supply chain,” researchers said in the report. “More broadly, it should also encourage organisations to fully assess the risk posed by their third party relationships, and prompt them to take appropriate steps to assure and manage these.”