July 14, 2017 by LIFARS

APT10 Operation Cloud Hopper Targets MSPs

APT10, a cyber espionage group operating out of China, has been targeting Managed Service Providers (MSPs) for organizational secrets and information since December 2009. The recent operation uncovered by security researchers from PwC UK and BAE Systems, known as Operation Cloud Hopper, is considered the largest sustained global cyber espionage campaign to date. Victims span the globe, including Canada, the United States, Brazil, South Africa, Switzerland, France, Norway, Sweden, the United Kingdom, Finland, India, Thailand, South Korea, Japan, and Australia.

APT10, also known as MenuPass, Red Apollo, Stone Panda, POTASSIUM, and CVNX, targets low-profile systems as a way to reach high-value ones, establishing persistence and network access. To carry out the operation, APT10 installs malware on low-profile systems that provide non-critical support to businesses, which helps it avoid attention and detection. The goal is to compromise the Managed Service Providers in order to reach the real targets: the MSPs' clients. Once the MSP infrastructure is infiltrated, it is relatively easy to exploit, and APT10 moves laterally through a network of thousands of potential victims. In the past, the industries primarily targeted were government and U.S. defense industrial base organizations, but the targets have since expanded to include retail, energy, telecommunications, engineering, pharmaceuticals, government agencies, and industrial manufacturing.

PwC and BAE Systems have been collaborating since late 2016 to study the threat posed by APT10, providing support to victims and circulating their research to inform the global community. Recent findings reveal that APT10 has two specific campaign targets: Japanese entities and MSPs together with their clients. APT10 has deployed numerous malware families, including several remote access Trojans (RATs): PlugX, Poison Ivy, ChChes, and Graftor. APT10 first used Poison Ivy but stopped deploying it after a report was released detailing the malware's functions and features. From 2014 to 2016, the primary malware employed was PlugX, with the group releasing improved versions and standardizing its command-and-control functions. Researchers have noticed that APT10 has begun shifting toward bespoke malware and open-source tools, both of which can be customized. The group delivers the malware through spear-phishing emails aimed at specific users, then employs tools to steal user and administrative credentials. Windows services and utilities are used to keep the malware persistent on the system across reboots. Operation Cloud Hopper turns the trusted communication channel between MSPs and their customers into the attack vector.

As a precaution, organizations should assess and validate the risks of connecting to third-party networks. Moving forward, a cloud service can also improve security for both MSPs and their clients. All systems must be kept consistently updated, and incident response measures should be in place so the organization is prepared for attacks of this kind.

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
