A new report, called Cloud Hopper, has revealed that a (probably Chinese) hacking operation is systematically penetrating huge numbers of important targets around the world. According to the report, the hackers have stolen everything from individuals’ private data to large-scale corporate secrets and intellectual property, from around 15 countries.
In the report, the hacking operation is referred to as “one of the largest ever sustained global cyber espionage campaigns.” The news comes just weeks after the UK’s intelligence agency, GCHQ, admitted that in the first three months of 2017, UK businesses had suffered 188 high-level cyberattacks.
The new report, which was created cooperatively by GCHQ employees and the private sector, refers to the hacking gang as APT10 (a.k.a. Red Apollo, CVNX, Stone Panda, MenuPass, and POTASSIUM). It is believed that the nefarious cyber gang uses custom malware to launch attacks delivered via spear phishing campaigns.
According to the document, the talented hackers target IT managed service providers (MSPs) in order to gain access to a vast array of secondary businesses. The attack vector is described in the report as affecting an “unprecedented web” of victims. In its blog about the report, PwC commented:
“This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organisation might be exposed to, either directly or through your supply chain.”
UK’s National Cyber Security Centre
The report is the result of work conducted with the new National Cyber Security Centre (NCSC) in London. That center was officially opened on 14 February by the Queen of England. Its aim is to bring the public and private sectors together to better deal with the cybersecurity issues being faced by UK infrastructure.
Operation Cloud Hopper, however, describes an immense espionage operation (thought to be Chinese) affecting 15 countries, including the US, the UK, Japan, and France. According to the report, NCSC has uncovered evidence of targeted attacks against Japanese commercial firms and public bodies. With that in mind, the first concrete conclusions drawn from the cooperative work of NCSC and the private sector already extend beyond merely helping the UK’s infrastructure.
The creators of this important report include information security officers from the defense group BAE Systems and from accountancy firm PwC. According to the findings, APT10 hackers have been using MSP systems to access vast amounts of data – including the third-party systems of the MSPs’ customers – from as early as 2014.
Richard Horne, a security partner from PwC, has come forward to admit that the scope of the threat is not yet fully understood. However, according to Horne, it is clear that the malicious operations are widespread and that a coordinated response is vital:
“The reason we’ve gone public with this is because we can see so much and we have seen so much in several managed IT service providers (MSPs) and other companies compromised through it, but we don’t know how far this has gone.
“[We], together with the NCSC and BAE Systems, are very keen to get this information out there so we can promote a mass response to this.”
APT10 – China Likely
Though the report admits that it isn’t definite, it says that the attacks are “highly likely” to be originating from within China. The reason for this belief is that the hackers have a work pattern that best fits China Standard Time (UTC+8). In addition, the attacks follow a pattern of victimizing commercial targets that (according to the report) best fit “strategic Chinese interests.”
However, it remains possible that the hackers aren’t Chinese, and the report does not definitively conclude that China (or the Chinese government) is the culprit. Talking about those targets, Horne commented:
“We’ve seen a number of different companies targeted for different reasons, but essentially it’s all around sensitive information they hold, whether that’s intellectual property, or personal information on people or a whole realm of other areas. It’s a very large-scale espionage operation.”
Dr Adrian Nish, head of threat intelligence at BAE, has also come forward to talk to the press. He stressed that the targeting of MSPs is what makes this attack vector so dangerous:
“Organisations large and small rely on these providers for management of core systems and as such they can have deep access to sensitive data. It is impossible to say how many organisations might be impacted altogether at this point.”
A blog by BAE Systems yesterday reinforced this point:
“For many businesses, the network now extends to suppliers who provide management of applications, cloud storage, helpdesk, and other functions. With the right integration and service levels, Managed Service Providers (MSPs) can become a key enabler for businesses by allowing them to focus on their core mission while suppliers take care of background tasks.
“However, the network connectivity which exists between MSPs and their customers also provides a vector for attackers to jump through. Successful global MSPs are even more attractive as they become a hub from which an intruder may access multiple end-victim networks.”
The Attack Vector
According to the joint report by BAE and PwC, the APT10 hackers deploy a number of payloads once their phishing campaigns have gained them entry into MSP systems. One form of malware that has been identified is ‘ChChes’ (already well known for its use in attacks on Japanese commercial targets). However, the report also names two other forms of malware:
PlugX: a payload that is used by a number of high-level hacking groups from around the world.
RedLeaves: A much newer payload that has only been in use by APT10 for a few months.
APT10 hackers manage those payloads from Command and Control (C&C) servers using dynamic Domain Name System (DNS) domains, which are highly interconnected through shared Internet Protocol (IP) address hosting. In addition, the report explains that the attack infrastructure used by APT10 has grown substantially in recent times.
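The “interconnected through shared IP address hosting” observation is exactly what lets a defender pivot from one known C&C domain to the rest of a campaign’s infrastructure. The example below is added here for illustration and is not code from the report, PwC, or BAE Systems; it assumes a feed of passive-DNS-style (domain, resolved IP) observations, represented by a small constructed sample, and builds a domain–IP graph whose connected components are the hosting clusters. The dynamic-DNS suffix list is also constructed; real indicators are not given on this page and none are used.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed passive-DNS-style observations (domain, resolved IP).
# All names use the reserved .test / .example TLDs and RFC 5737 documentation
# addresses; they are illustrative only and are not real APT10 indicators.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("update-check.dyndns-host.test", "198.51.100.10"),
    ("mail-sync.dyndns-host.test",    "198.51.100.10"),  # shares an IP with the first domain
    ("mail-sync.dyndns-host.test",    "198.51.100.11"),  # later rotated to a second IP
    ("cdn-assets.static-host.test",   "198.51.100.11"),  # shares that IP, so it joins the cluster
    ("portal.corp.example",           "203.0.113.5"),    # unrelated hosting: its own cluster
    ("www.corp.example",              "203.0.113.5"),
]

# Constructed dynamic-DNS provider suffix used by the sample data; an operational
# deployment would maintain its own list of providers it cares about.
DYNAMIC_DNS_SUFFIXES: Tuple[str, ...] = (".dyndns-host.test",)


def is_dynamic_dns(domain: str, suffixes: Iterable[str] = DYNAMIC_DNS_SUFFIXES) -> bool:
    """True when the domain sits under a known dynamic-DNS provider suffix."""
    return any(domain.endswith(s) for s in suffixes)


def build_graph(records: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Bipartite adjacency list: each domain links to its IPs and each IP to its domains.
    Nodes carry a 'd:' or 'ip:' prefix so a hostname can never collide with an address."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in records:
        graph["d:" + domain].add("ip:" + ip)
        graph["ip:" + ip].add("d:" + domain)
    return graph


def _component(graph: Dict[str, Set[str]], start: str) -> Set[str]:
    """Breadth-first search returning every node reachable from `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def infrastructure_clusters(records: Iterable[Tuple[str, str]]) -> List[Set[str]]:
    """Group domains into clusters linked, directly or transitively, by shared IP hosting.
    Output is sorted so results are deterministic across runs."""
    graph = build_graph(list(records))
    unvisited = set(graph)
    clusters: List[Set[str]] = []
    while unvisited:
        comp = _component(graph, min(unvisited))
        unvisited -= comp
        domains = {n[2:] for n in comp if n.startswith("d:")}
        if domains:
            clusters.append(domains)
    clusters.sort(key=lambda s: min(s))
    return clusters


def pivot(records: Iterable[Tuple[str, str]], seed_domain: str) -> Tuple[Set[str], Set[str]]:
    """From one known-bad domain, return (related_domains, related_ips) reachable through
    shared hosting: the analyst's candidate list for hunting and blocking."""
    graph = build_graph(list(records))
    key = "d:" + seed_domain
    if key not in graph:          # membership test does not create a defaultdict entry
        return set(), set()
    comp = _component(graph, key)
    domains = {n[2:] for n in comp if n.startswith("d:")}
    ips = {n[3:] for n in comp if n.startswith("ip:")}
    return domains, ips


if __name__ == "__main__":
    for cluster in infrastructure_clusters(SAMPLE_RECORDS):
        dyn = sum(is_dynamic_dns(d) for d in cluster)
        print(f"cluster of {len(cluster)} domains ({dyn} on dynamic DNS): {sorted(cluster)}")
    related, addrs = pivot(SAMPLE_RECORDS, "cdn-assets.static-host.test")
    print("pivot from cdn-assets.static-host.test ->", sorted(related), sorted(addrs))
```

The pivot deliberately follows links transitively: a domain that never shared an IP with the seed still lands in the same cluster if it shared one with a sibling, which is the “highly interconnected” property the report describes. In practice the output is a hunting lead, not a verdict; shared hosting also occurs on legitimate CDNs and cloud providers, so each cluster should be triaged against an allow list before any of it is blocked.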
The report concludes that, because of the nature of MSPs and their connection to other businesses, great care must be taken to efficiently deal with cybersecurity. It recommends the following:
“Strong focus needs to be put on security architecture, network hardening, monitoring, detection and response. We would also suggest regular red-teaming or simulated targeted attack testing – performed by independent testers and leveraging intelligence from known attacks.
“Whilst these attackers have skill, persistence, some new tools and infrastructure – there is nothing about the techniques themselves that should make this hard to detect or mitigate. The lessons learned from these incidents should be used as an opportunity for security improvements for both MSPs and their customers.”
Opinions are the writer’s own
Title image credit: Blackboard/Shutterstock.com
Image credit: Azret Ayubov/Shutterstock.com
Image credit: Ahmad Faiza/Shutterstock.com