A Chinese hacking group is thought to be behind attacks on managed service providers as a way into their client companies, to facilitate the theft of intellectual property.
The hacking group, called APT10, used custom malware and spear-phishing attacks to gain access to the managed service providers' systems. Once inside a provider, it used the provider's own credentials and network access into its customers' environments to reach those client companies.
Supply-chain security has been a recognised weak point since at least 2013, when it emerged that attackers had got into the Target retail chain in the US using credentials stolen from an HVAC service provider.
Now APT10 appears to be using that approach on a large scale. The campaign was uncovered by PwC's cyber-security practice and BAE Systems, working alongside the UK's National Cyber Security Centre (NCSC).
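The warning sign this technique leaves in a client's own logs is a provider's privileged account behaving in a way the provider never would during routine support: logging on from a source outside the provider's known jump-host range, outside the agreed maintenance window, or reaching many client hosts in quick succession. The check below is an added illustration for this article, not code from the PwC/BAE report or from any tool it describes; the log format, the "msp-" account prefix, the allowed network, the maintenance window and the fan-out threshold are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Constructed sample logon records (not from the report):
# timestamp, account, source IP, target host, result
SAMPLE_LOG = """\
2016-11-02T09:14:05 msp-svc-admin 203.0.113.10 fileserver01 success
2016-11-02T09:20:41 msp-svc-admin 203.0.113.10 fileserver01 success
2016-11-02T23:41:07 msp-svc-admin 198.51.100.77 dc01 success
2016-11-02T23:41:30 msp-svc-admin 198.51.100.77 fileserver01 success
2016-11-02T23:41:52 msp-svc-admin 198.51.100.77 hr-db01 success
2016-11-02T23:42:10 msp-svc-admin 198.51.100.77 eng-svn01 success
2016-11-02T10:02:00 jdoe 10.0.4.21 fileserver01 success
"""

# Hypothetical policy agreed with the provider (assumptions, adjust per contract):
MSP_ACCOUNT_PREFIX = "msp-"                                  # provider accounts are named msp-*
MSP_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # provider's jump-host range
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))               # provider works 08:00-18:00
FANOUT_THRESHOLD = 3                                         # distinct hosts per account per hour


def parse_log(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, host, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src": ipaddress.ip_address(src),
            "host": host,
            "result": result,
        })
    return events


def find_msp_anomalies(events):
    """Return (kind, account, detail, target) tuples for provider-account misuse."""
    alerts = []
    hosts_per_hour = defaultdict(set)
    for e in events:
        # Only successful logons by the provider's accounts are of interest here.
        if not e["account"].startswith(MSP_ACCOUNT_PREFIX) or e["result"] != "success":
            continue
        # 1. Source is not one of the provider's known jump hosts.
        if not any(e["src"] in net for net in MSP_ALLOWED_NETS):
            alerts.append(("unexpected_source", e["account"], str(e["src"]), e["host"]))
        # 2. Logon falls outside the agreed maintenance window.
        t = e["ts"].time()
        if not (MAINTENANCE_WINDOW[0] <= t <= MAINTENANCE_WINDOW[1]):
            alerts.append(("outside_window", e["account"], str(e["src"]), e["host"]))
        hosts_per_hour[(e["account"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["host"])
    # 3. One provider account touching many client hosts within an hour (lateral movement).
    for (account, hour), hosts in hosts_per_hour.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            alerts.append(("fanout", account, hour, ",".join(sorted(hosts))))
    return alerts


if __name__ == "__main__":
    for alert in find_msp_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

The daytime logons from the provider's own range produce nothing, while the late-night burst from an unknown address trips all three checks at once. In practice the source allow-list and window come from the support contract, and the same logic applies to VPN, RDP and cloud-console audit logs, not just host logons.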
The scale of the espionage campaign only became apparent in late 2016, but the attack is thought to be the largest sustained global cyber-espionage campaign ever seen.
PwC and BAE Systems said APT10 conducted the espionage campaign by targeting providers of managed outsourced IT services as a way in to their customers' organisations around the world, gaining unprecedented access to intellectual property and sensitive data.
It is thought the group launched the campaign in 2014 and then significantly ramped it up in early 2016, adding new developers and intrusion operators to continually enhance capability.
The group is known to have exfiltrated a high volume of data from multiple victims and used compromised networks to stealthily move this data around the world.
A number of Japanese organisations have also been targeted directly in a separate, simultaneous campaign by the same group, with APT10 masquerading as legitimate Japanese government entities to gain access.
Forensic analysis of the timing of the activity, together with the tools and techniques used, led investigators to conclude that the group may be based in China; beyond that, it is not known precisely who is behind APT10 or why it targets particular organisations.
Kris McConkey, partner for cyber-threat detection and response at PwC, said that the indirect approach of this attack highlights the need for organisations to have a comprehensive view of the threats they're exposed to – including those of their supply chain.
“This is a global campaign with the potential to affect a wide range of countries, so organisations around the world should work with their security teams and providers to check networks for the key warning signs of compromise and ensure they respond and protect themselves accordingly,” he said.
Richard Horne, cyber-security partner at PwC, added that “operating alone, none of us would have joined the dots to uncover this new campaign of indirect attacks.
“Together we've been working to brief the global security community, managed service providers and known end victims to help prevent, detect and respond to these attacks,” he added.
Ilia Kolochenko, CEO of High-Tech Bridge, told SC Media UK that until there is more detail on the attacks, it would not be possible to make a reliable conclusion as to who was behind the so-called APT10.
“Taking into consideration how careless and negligent some managed IT providers are, I wouldn't be surprised if all the attacks were conducted by a group of teenagers – something we have already seen in the past,” he said.
“IT services providers should better enumerate and assess their digital risks, and implement appropriate security controls to mitigate related threats and vulnerabilities. Security standards, like ISO 27001, can significantly help assure that the risks are continuously identified and are being duly addressed. For cyber-security service providers, accreditation by CREST is also an important factor to demonstrate the necessary standard of care around security, confidentiality and integrity for their own and client data,” he added.
“Companies looking to secure their supply-chain can oblige their suppliers to get certified by ISO 27001 for example, or to provide solid and unconditional insurance to cover any data breaches and data leaks, including direct and consequent damages.”