Operation Cloud Hopper: China-Based Threat Actor Targets IT Support and Managed Service Providers (MSPs)
As mentioned in an original article published by Stronghold Cyber Security on August 30, 2017 titled “China Turns Cyber Weapons on American Small Businesses via APT10“, China-based threat actors are focusing on American small businesses as targets for cyber espionage. One of these APT10 campaigns has been widely dubbed “Operation Cloud Hopper”, and focuses on specifically targeting IT support and managed service providers (MSPs) to get to their customers in order to obtain intellectual property as well as sensitive data.
An April 2017 report by researchers indicates that MSPs were likely targets as early as 2014 and almost certainly from 2016 onwards and allowed APT10 unprecedented access never before seen. MSPs are a prime target because they essentially hold “the keys to the kingdom”, with access to potentially hundreds of customers whose valuable data translates into intellectual property highly sought after by the Chinese government. Per the report:
APT10 has vastly increased the scale and scope of its targeting to include multiple sectors, which has likely been facilitated by its compromise of MSPs. Such providers are responsible for the remote management of customer IT and end-user systems, thus they generally have unfettered and direct access to their clients’ networks. They may also store significant quantities of customer data on their own internal infrastructure.
MSPs therefore represent a high-payoff target for espionage-focused threat actors such as APT10. Given the level of client network access MSPs have, once APT10 has gained access toa MSP, it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims. This, in turn, would provide access to a larger amount of intellectual property and sensitive data. APT10 has been observed to exfiltrate stolen intellectual property via the MSPs, hence evading local network defences.
FireEye also notes in an April 6, 2017 blog post that they have detected APT10 activity (aka Operation Cloud Hopper) of multiple compromised IT service providers that corroborates with the above report:
Leveraging its global footprint, FireEye has detected APT10 activity across six continents in 2016 and 2017. APT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining company in South America; and multiple IT service providers worldwide. We believe these companies are a mix of final targets and organizations that could provide a foothold in a final target.
China has specifically outlined what they are focusing on for their “Five-Year Plan”, which means that information pertaining to any of these industries would be particularly desirable:
While balancing the focus on their own customers’ security needs, MSPs need to be acutely aware of their own requirements and seek to improve their security processes as well. On August 17, 2017 Stronghold Cyber Security CEO Jason McNew gave a 45 minute educational presentation to ASCII Group members on the issues MSPs and their customers may face and what they can do to help improve their own security. Stronghold Cyber Security is offering anyone within the tech community a copy of the slides used in this presentation, please contact Jason McNew directly at firstname.lastname@example.org with the subject line Cyber Slides.
In the news:
The Hill: China-based cyber campaign targeting managed IT, cloud services
Computer Weekly: Chinese hacking group targeted firms through IT MSPs