A new report by PwC UK and BAE Systems has revealed a sophisticated cyber campaign “of unprecedented size and scale” targeting managed IT service providers (MSPs). The campaign, dubbed Operation Cloud Hopper, appears to have been motivated by espionage and information gathering, as evidenced by the attackers’ choice of high-value, low-profile targets.
The report’s authors concluded that Operation Cloud Hopper is almost certainly the work of a previously known group, APT10. APT10 is well known in the security community and is widely believed to operate from China.
By analysing when the group was active and the infrastructure it used, the authors attributed the campaign to APT10 with high confidence, placed the group in China, and mapped the extent of the campaign. The working-hours analysis was detailed enough for the investigators to sketch an average workday at APT10, including “a two hour lunch break”.
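The working-hours reasoning described above, as an added illustration that is not code from the PwC/BAE report and does not reproduce its methodology: take the UTC timestamps of attacker activity (beacon check-ins, logons, proxy hits), score every whole-hour UTC offset by how many events fall inside an assumed local working day, and then look for idle hours inside that day. The 09:00 to 18:00 working window, the tie-breaking rule and the sample timestamps are assumptions of this example; the sample is generated in the code to resemble a UTC+8 workday with a two-hour midday gap.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed local working window, [start, end) in local hours. This is an
# analyst's prior for the example, not a value taken from the report.
WORKDAY_START = 9
WORKDAY_END = 18
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_timestamps():
    """Constructed sample, not data from the report: five weekdays of attacker
    activity generated to look like a 09:00-18:00 day at UTC+8 with a two-hour
    break at 12:00-14:00, i.e. UTC hours 01-03 and 06-09."""
    monday = datetime(2017, 4, 3, tzinfo=timezone.utc)
    stamps = []
    for day in range(5):
        for utc_hour in (1, 2, 3, 6, 7, 8, 9):
            for minute in (5, 25, 45):
                when = monday + timedelta(days=day, hours=utc_hour, minutes=minute)
                stamps.append(when.strftime(TS_FORMAT))
    return stamps


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)


def local_hours(events, offset_hours):
    """Histogram of event hours after shifting UTC by a candidate offset."""
    shift = timedelta(hours=offset_hours)
    return Counter((e + shift).hour for e in events)


def workday_fit(hist):
    """Fraction of events that land inside the assumed working window."""
    total = sum(hist.values())
    inside = sum(n for h, n in hist.items() if WORKDAY_START <= h < WORKDAY_END)
    return inside / total if total else 0.0


def rank_offsets(events):
    """Score every whole-hour UTC offset; best fit first, smaller |offset| on ties."""
    scores = {off: workday_fit(local_hours(events, off)) for off in range(-12, 15)}
    return sorted(scores.items(), key=lambda kv: (-kv[1], abs(kv[0])))


def idle_hours(hist):
    """Hours inside the working window with no activity at all; a lunch break
    shows up as a run of consecutive idle hours."""
    return [h for h in range(WORKDAY_START, WORKDAY_END) if hist.get(h, 0) == 0]


def summarize(raw_timestamps):
    """Best-fitting offset, how close the runner-up is, idle hours and active weekdays."""
    events = [parse_utc(t) for t in raw_timestamps]
    ranked = rank_offsets(events)
    best, fit = ranked[0]
    shift = timedelta(hours=best)
    weekdays = Counter((e + shift).strftime("%a") for e in events)
    return {
        "best_offset": best,
        "fit": fit,
        "runner_up": ranked[1],
        "idle_hours": idle_hours(local_hours(events, best)),
        "weekdays": dict(weekdays),
    }


if __name__ == "__main__":
    print(summarize(build_sample_timestamps()))
```

On the constructed sample the best offset is +8 with every event inside the window, the runner-up offsets (+7 and +9) each push one hour of activity outside it, and hours 12 and 13 are idle. On real data the picture is rarely this clean: adjacent offsets often score within a few percent of each other, daylight-saving shifts move the whole histogram by an hour for part of the year, shift work or automated tasks smear the night hours, and timestamps taken from a compromised host reflect that host’s clock rather than the operator’s. The gap between the best score and the runner-up is the number to report, not the best offset alone.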
“Operating alone, none of us would have joined the dots to uncover this new campaign of indirect attacks,” Richard Horne, cybersecurity partner at PwC, recently told the BBC.
APT10 appears to be a well-staffed, highly organized operation with extensive logistical resources. According to the report, the group uses a mix of customized open-source tools, bespoke malware, and spear-phishing to infiltrate its targets’ systems.
Their strategy of choosing MSPs as a primary target has given them “unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients.” The report explains that “given the level of client network access MSPs have… it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims.”
Luis Corrons, technical director of PandaLabs, points out that carefully selecting targets and tailoring attacks to them is becoming more common every day. “Aside from the myriads of common cyberattacks businesses regularly have to deal with, nowadays we are witnessing huge increases in the amount of attacks in which cybercriminals are actually inside their victim’s network, adapting to his defenses and carrying out strikes with surgical precision as they target specific assets,” wrote Mr. Corrons in an email.
The Cloud Hopper campaign comes at a time when geopolitical tensions are increasingly crossing over into the realm of cyberespionage and cyberwarfare. Though the report does not openly suggest that there was any involvement on the part of the Chinese government, it does point out that the targeting of diplomatic and political organizations, as well as certain companies, “is closely aligned with strategic Chinese interests.”
Adaptive Defense Lets You Rest Easy
Targeted attacks, even sophisticated ones run by highly professional groups like APT10, are exactly what Panda’s Adaptive Defense is built to stop. Because it monitors every process running on every endpoint, it can block these attacks proactively rather than after the fact. Adaptive Defense also supplies forensic information about threats through detailed traceability of everything that happens on a company’s IT infrastructure: the threat timeline, information flows, the behavior of active processes, and so on.
Adaptive Defense 360 is the first managed cybersecurity service that combines next-generation endpoint protection (NG EPP) with endpoint detection and response (EDR) and the ability to classify 100% of running processes. With this technology it detects and blocks malware that other protection systems miss.